November 12, 2009
I enjoyed listening to Paul Ducklin on the latest Risky Business podcast that featured interviews on this iPhone “worm”. Worth a click through to Risky Business.
———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Cannot argue with Paul Ducklin’s position on it. Even more so after listening to the kid on the interview. Genius or a dope? Well we know what Pat thinks.
What was up with that hero worship from Grey?
He seems so with it most times and then he comes up with that.
That kid must have thought he was some legend after talking with Risky Business. There was nothing new here, or was I the only one who missed something extraordinary here?
Nothing against the kid, and with his interest in doing things like this, he may have a good career in security. Maybe that role advertised on Risky Business is for him.
Yeah, look, I wonder if the kid had some legal advice before talking to RB or just realised the potential trouble he could be in. Who knows.
Some of Paul Ducklin’s information presented to RB (Pat) made me wonder – in reference to a few things said that Paul clarified based upon the code analysis.
Related info:
http://beastorbuddha.com/2009/02/17/fionnbharr-talking-iphone-security/
Fionn did this a long time ago at Ruxcon, spoke to Apple, etc.
I liked Paul’s take on it. Flame me if you want. Had the kid done something new and mind-blowingly awesome, he’d probably get the same end result but with a few acks for the originality.
DD
I do respect what you have said before about Risky Business podcast but this is bullshit to the extreme. Every junior hack monkey now knows he’ll be supported by Australia’s only podcast man if they decide to hack shit and he will believe they were just cute and naive and bow to that. In this case sickeningly. Ash did this and conned him. That is embarrassing to him and the industry.
I agree as you said in your response that had it been new you could forgive but it was so nothing that you need to ask?
Big Big cred to Ducklin from Sophos. I was never a fan before but after that I am. Even after your zdnet review.
At least it was balanced. Intelligent argument vs dumb.
I enjoyed it. Two sides presented and interesting throughout.
I too had my doubts about Ducklin. But changed my mind after sharing a cab ride with him. A major tech-head & decent bloke, a rare combo these days.
Shame, but I can’t speak as highly of the show he appeared on – Risky Business.
Now I don’t know whether it’s the show’s stable of so-called cyber-crime “experts” that baffle Pat with typical AFP sanctimonious bullshit or whether it’s Pat’s cutesy-matey interviewing style. But probably, it’s the constant nagging feeling that whenever I’ve listened to it, I find myself wondering whether it is “information” or “infomercial”.
@Fist, Pat feels with the in-crowd and tries to please that.
[content removed by site admin]
Stupidity of it is, as per the previous post, that he’d talked about it before and this time sounded like a stooge who had never heard about it.
Why didn’t he promote that DD’s guys here did this a long time ago? Judging by the interview, it was the first he’d heard of it! No idea why DD here has not claimed bragging rights!
Fist, you say it well! I have no idea what that podcast represents. [content removed by site admin]
Ducklin was good and Grey’s questions just embarrassed the whole podcast and industry!
Take it for what it was. It was a good podcast. Different views debated and generating discussion. Yes, not new but not a contest either.
Interesting to read people’s thoughts on it here and elsewhere.
This was a simple case of two people having a chat; Ducklin and Grey, highlighting the differences in humanity.
[content removed by site admin]
Ducklin sounded like an intelligent person.
I have removed some content from recent responses. I ask that responses not attack people with words that will potentially cause some harm or offence to individuals. I am not censoring arguments and points of view around topics, nor content questioning what individuals are doing or why. It’s not an exact science from my end, I know, and I welcome your comments.
DD
Paul Ducklin is a sweety pie!!!
How can we comment on what has been already censored? Meaning how can I tell you that you have gone too far without seeing the statements that were removed.
That is one of the problems of censorship.
Fair points, Ralphy, if you haven’t read material before it’s been removed.
I just need to be careful.
I don’t think the words I removed have taken anything away from the thread or the gist of people’s responses.
What does Risky Business stand for?
Maybe Ash was doing people a favour by getting people to set their passwords after all -
http://www.theregister.co.uk/2009/11/22/malicious_iphone_worm/
I don’t think this will be a big issue in Australia.. because of Ash.
Interesting logic. You really believe that? So you’re cool with someone testing the locks at your place and, if perchance you left the door unlocked, for them to go in and stick Rick Astley wallpaper up? All harmless though, eh?
@What?
You don’t understand the metaphor. The locks are not locked. The door is open, wide open. You were told that it was open, but you ignored it.
In any case these metaphors do nothing to prove anything either way.
All I was pointing out is that the worm (rightly or wrongly) Ash wrote did a lot for security awareness on iPhones, in the same way that Slammer and Nimda etc. did for servers (prior to that, viruses were considered a desktop problem).
Vulnerabilities exist, period. It is better that people learn from something that is not destructive. There are other people who have been exploiting this silently for some time, doing very malicious things – they can’t now.
How did you feel about the Chaser stunt?
Anon, Interesting analogy.
Personally, I thought the Chaser stunt was hilarious but my opinion is irrelevant in regards to the legality of it as is yours and “What’s”.
http://en.wikipedia.org/wiki/The_Chaser_APEC_pranks
They did get locked up for it and went to court…and got off. They’ll probably never do one like that again. Who knows.
In Ashley’s case, it is somewhat clear cut vs Cybercrime Act 2001. There isn’t a grey area I can see. (No pun intended Pat.:)) So again, opinions really don’t mean anything if the law is defined as it is in this case.
DD
@Drazen,
You are totally right, but I was not commenting on the law (as I said, ‘rightly or wrongly’). I do not condone what he did, nor would I do it myself, but the fact remains that his actions increased the security and security awareness of the iPhone platform for non-security-savvy users.
We are arguing different points
He’s looking down the barrel of 10 years in the big house.
NSW Crimes Amendment (Computer Crimes) Bill 2001:
308D Unauthorised modification of data with intent to cause impairment
(1) A person who:
(a) causes any unauthorised modification of data held in a computer, and
(b) knows that the modification is unauthorised, and
(c) intends by the modification to impair access to, or to impair the reliability, security or operation of, any data held in a computer, or who is reckless as to any such impairment, is guilty of an offence.
Maximum penalty: Imprisonment for 10 years.
10 in the big one doesn’t sound like fun..
but are you sure you’d be able to prove intent for impairment? There was nothing malicious about this one (stupid sure, but not malicious)
(3) In this Part, “impairment” of electronic communication to or from a computer includes:
(a) the prevention of any such communication, or
(b) the impairment of any such communication on an electronic link or network used by the computer, but does not include a mere interception of any such communication.
10 years is a long time for a poorly thought out prank. I’m going to sound very cold here, but the reason I was ignoring (deliberately) the legal aspect was that I really don’t care what happens to the guy.
I care more about security and promoting that than the wellbeing of some teenage smart arse, who it turns out isn’t very smart at all!
Stupidity and ignorance as a defence is not how our legal system works. (Though that could be argued in many a case). Judges ultimately decide.
I hear you Anon. But you’ll get arguments from many that a bit of good (awareness in this case) doesn’t justify illegal actions and there are also those affected by his actions who would probably like to see Ashley cop some sort of penalty for his actions.
Listening to the interview though it has been a while, I do remember that Ashley knew what he was doing (the intent was there) and it was the extent, ie; how widespread it became that surprised him. I think Paul Ducklin’s comments as I mentioned before were on the ball. Listen back to his interview and assessment of the code and what happened. Maybe not so innocent?
I’m not personally saying anything should happen to Ashley. Just taking a legal perspective in a society and industry that knows the consequences. While there have been cases brought against individuals, I expect the number will grow and guys like Ashley are playing Russian Roulette so to speak. It’s just a matter of time before they decide to make an example of a kid doing something like this again. Ashley will hopefully be lucky this time.
Anon, your argument post event does make sense but not as an incentive to others to “raise awareness”. I think we are arguing the same point to a degree…I agree.
DD
Dec,
re: intent
“or who is reckless as to any such impairment”
Re: Intent
Malice is not a proof element in the offence either.
The Legislators obviously wanted to cover the village idiot scenario, such as this one.
but doesn’t impairment mean stopping it from working, like a DoS? The wall paper doesn’t stop the device from working at all…
so is the argument that he didn’t care if it stopped it from working by righting the code? hmm, I wonder if he could produce some SDLC / use cases to demonstrate due care (lol) in testing functionality of the iPhones post compromise!
ah the wonders of the law!!
lol @ my spelling.
Leave me alone – it’s early and I was out last night at a Metal concert!
Dec,
does the word “impairment” imply that something must be completely disabled and can no longer work in any way?
Try running that logic by someone who is mentally or physically “impaired”. And get ready to do the bolt.
Seriously though, could a wallpaper modification (without permission) of an iPhone constitute an impairment?
I’m no legal expert, but I would strongly argue, “yes”.
Does the worms’ wallpaper or background change the iphone victim’s original wallpaper settings in any way ?
Could the removal of the worm potentially require a victim spending time (however small) and/or money to remove it ?
Does the owner of any property have a common law, or general right to not have their personal property interfered with in any way without lawful permission ?
Does the legislation attempt to quantify the magnitude of the impairment, big or small, that must be suffered by the victim ? (answer: don’t reckon!)
Good points!
One wonders if Grey’s close knit team of super-sleuth cyber cops will now do what we taxpayers pay them to do – the task of putting together a simple brief of evidence on worm-boi & placing him before the Court.
On second thoughts, perhaps Grey’s Inspector Gadget boys are too busy – media interviews with Grey & selling books about cyber crime – than to actually do anything about it? Heaven forbid, the taxpayers get what we actually paid for.
FYI to a few posters here; It’s “Gray” not “Grey”.
If you think spending time and taxpayer money to prosecute a drip like Ashley Towns is a good use of public funds and the court’s time then you really are a strange breed of cattle. What would be the point? To “send a message”?
Yeah, I’m sure the whole criminal underworld will shut down if Towns gets hauled off to magistrate’s court to be fined $100 and placed on a good behaviour bond. QUAKE IN YOUR BOOTS, CYBER-CRIMINAL SCUM!!!
Let the cops go after real crooks… there’s plenty of them.
Anon,
re your comment “Let the cops go after real crooks…there’s plenty of them.”
No doubt – “there’s plenty of them” (crooks). The pertinent question is, just how many crooks have Gray’s cyber cops actually locked up ?
They talk the talk, do they walk the walk ? (Don’t reckon!)
With all due respect Anonymous, this is such an old and flawed argument. Do you suggest we turn a blind eye to petty minor crime and therefore encourage more hackers to undertake illegal activity in the confidence that they are not going to be prosecuted? What sort of message are you supporting? Translating this into society in general would be a concern. I am sure if a small crime was perpetrated against you, you would like to know that you would be protected by the Police and that such crimes would not be ignored.
Who are these real criminals that we always hear Police should be “after”?
let this be a lesson to Ashley:
Stay Anonymous AT ALL TIMES.
http://www.sophos.com/blogs/gc/g/2009/11/26/ikee-worm-author-job-iphone-app-firm/
With the kid’s fully sik attitude, body piercings & street cred, I was thinking he was sure to land a cadet reporter gig on that Shifty Business show.
He sure has more cred than the other false pretenders there.
Risky Business is recognised as one of the leading security podcasts out there. Many of the guests on there are leaders in the infosec field and, like all else, everyone will have opinions on things said on the program and thoughts on those people’s work and position on things. Let’s not get too personal.
Yeah it certainly is one of the leading security podcasts out there. Probably *the* best, in competition with, um..ah, let me see….
…How many are there anyway ?
How do I argue with that?
Believe it or not, there’s a heap of them out there now. Maybe we should do one? Nah…no one would listen.
Will you fags stop bagging out RB, I mean what the hell is your problem. PG is the only journo that actually goes to the effort of understanding the tech, and the people and the culture.
So what if you disagree with one or two points, he is the best IT Journo we have in .Au and he deserves respect. If you have something more then create your own podcast and put it online. Then we can all be the judge…
Yep,
he certainly puts in an effort, “anon”.
Indeed, it’s the best effort that paid advertising can buy.
And if advertorials are your go, and are so deserving of your respect, one suspects you’re also a big fan of like-minded jocks, like Laws or Jones.
So go forth and pay your respects, ‘anon’, it’s a free country. But please don’t pontificate to us about why we should also.