
JailbreakMe is an amazingly elegant tool. Although I seriously doubt they will, Apple should definitely hire him. His products show that he understands design as well as anyone on their payroll now. That, combined with his obvious coding skills, makes him the ideal Apple engineer.


Not to mention, it may solve their jailbreak problem, at least temporarily.


I never understand this sentiment. Jailbreak tools thrive on the knowledge that there's always another flaw out there waiting to be discovered. How would comex rid Apple's entire development process of error?

Plus, if he jailbreaks devices because he believes people should be free to do with their hardware as they please why on earth would he effectively join the dark side?


> "why on earth would he effectively join the dark side?"

Money.

> "How would comex rid Apple's entire development process of error?"

It wouldn't - but finding exploits and security holes isn't a matter of course. There aren't altogether that many people who have the talents for it, much less the ability to package it into a coherent tool that normal joes can actually download and use.

I have a feeling that there are few enough people who fit this description that Apple can effectively buy them all out.


> How would comex rid Apple's entire development process of error?

That's why I hedged with "temporarily". If he's the best that's working on jailbreaking now, just taking him off that project would already help. And asking him to work to secure phones would be a great help, too - he could spot potential vulnerabilities before they're shipped.

This won't make the iPhone into a space-shuttle, but it will make jailbreaking harder, perhaps significantly so.

> Plus, if he jailbreaks devices because he believes people should be free to do with their hardware as they please why on earth would he effectively join the dark side?

They'll drive a dump-truck full of money up to his house. Or maybe there's something else he values more than the belief in free hardware.


I am pretty sure Apple is capable of solving the jailbreak problem temporarily themselves.


Recent history proves that Apple is not capable of solving the jail breaking problems with their current security organization. If they were, then their Operating Systems wouldn't be broken so quickly.


I think the issue is not their security team, who seem to do quite a good job securing iOS (which I'd consider one of, if not the most, secure consumer operating systems out there). The issue is that securing an OS is hard. It's hard to make it that someone with physical access to the device cannot just run code on it, which is what jailbreaking (in its purest form, on iOS devices) is.


Arbitrary code execution is different than requiring physical access to the device. The JailbreakMe site could have run malicious code and it could have spread itself and run without the user knowing.


I was talking about the majority of jailbreaks, not JailbreakMe. Most jailbreaks are done at the low-level bootloader level, which does require physical access to the device (as well as pressing a bunch of buttons in a certain way); and even that doesn't get you access to the keychain or anything it protects.

Also, even if JailbreakMe was malicious (or somebody used the same code or exploits in a malicious way), it could not "spread itself": it was a browser exploit (although it would be possible to run without the user knowing).


> Also, even if JailbreakMe was malicious (or somebody used the same code or exploits in a malicious way), it could not "spread itself": it was a browser exploit (although it would be possible to run without the user knowing).

It could certainly spread. Maybe it could SMS a link to a malicious download to your most frequently contacted contacts? Being able to run arbitrary code on a device that knows how to contact all your friends certainly introduces some vectors for attack.


FYI, it is a PDF-based exploit, meaning all users have to do is open a malicious PDF.


It's a font-based exploit, not PDF. The particular implementation on JailbreakMe used a PDF, but it could easily work in @font-face with CSS on any webpage (or, as we did on JailbreakMe, just hiding an <iframe> to the PDF).


Actually, in the long run it is impossible to make it that someone with physical access to the device cannot run arbitrary code on it.

See the first of the 10 Immutable Laws of Security: http://technet.microsoft.com/en-us/library/cc722487.aspx


I'm not sure hiring a cracker like Comex is an easy decision for any big corporation, especially for a company as tidy as Apple. Thanks to him they're probably spending big bucks on legal fees and losing valuable sleeping hours reviewing those exploits (which is a good thing anyway). Not to mention the PR headaches he has caused. OTOH, Comex's work helps boost iPhone sales among techies. I know people who chose Apple over Android just because they could jailbreak it.

It probably wouldn't be an easy decision for Comex either... I recall that hacker that turned down Sony's offer. What could happen to your hacker freedom once you're at your employer's mercy? And if you leave Apple someday, forget about jailbreaking any other Apple device for as long as you live due to NDAs and all the legal stuff he would have to sign.


> 'His products show that he understands design as well as anyone on their payroll now.'

He designed none of the interface.

> '... his obvious coding skills ...'

A lot of the time, a person's coding skills are judged by how readable their code is, and how well they utilize SCM. Also, to be an Apple engineer you want extensive experience with Objective-C. https://github.com/comex/star_

Now I don't mean to say comex is a bad programmer at all, the stuff he writes is amazing, I just feel like he wouldn't make a good Apple engineer.


He didn't design the interface (Apple did; it's a clone of the App Store, and I guess I designed some of the iPad UI), but he did work very hard to ensure that the user experience was great. There was quite a bit of discussion about that, even: comex spent months porting unionfs for little benefit (right now) other than being able to install Cydia without rebooting, so it could look like an App Store installation.


Good point.


It's worth mentioning that geohot was, by no means, a fabulous programmer - sure, he's done a lot of great reverse engineering and security work, but if you look at his code, it was both advanced and sloppy. However, Facebook hired him to work on product development, even though he's known to not be much of a programmer.

Comex may not fit the profile of an Apple engineer, but I think he'd still do a damn good job as one.


Who cares about design or coding skills? Apple should hire him to help improve security, if only by doing what he does right now and sending results back to another team at Apple!


Yeah, true.


SCM doesn't mean Aubrey Jaffer's scheme implementation, does it? What is it in this context?



