
Meet Comex, The 19-Year-Old iPhone Uber-Hacker Who Keeps Outsmarting Apple - rjim86
http://blogs.forbes.com/andygreenberg/2011/08/01/meet-comex-the-iphone-uber-hacker-who-keeps-outsmarting-apple/
======
Skroob
So much misinformation. Apple "rushed to patch the security opening" because
IT'S A SECURITY FLAW that allows unrestricted code execution via a website.
That's a pretty huge problem; shouldn't it be fixed right away?

"After Allegra released JailbreakMe 2 last year, Apple upped its game another
notch, randomizing the location of code in memory so that hackers can’t even
locate commands to hijack them." Another security method, and one that some
people ripped on Apple for not including for so long. Now they put it in and
it's a paranoid response to stop jailbreakers?

Listen, there's no legal issue with jailbreaking. That issue has been settled,
as much as it can be without a lawsuit and a court ruling. But Apple is under
no obligation to make it easy, or to leave gaping security holes for jailbreak
tools to waltz through. We need to stop acting like Apple is persecuting
jailbreakers, when what they're really doing is fixing security holes.

~~~
jokermatt999
It's a difficult problem to explain in a typical narrative journalism style.
Patching security is a good thing, yes. Being able to do what you want with
your own phone, The Man be damned is also a good thing. Now, try to present
both sides in a catchy article written for general audiences about a member of
the jailbreak community.

------
drcube
I have no clue how there is even a question about the legality of using your
own hardware for whatever you want. I could "crash cell phone towers" with my
car, but that doesn't give Ford the right to weld my hood shut. Seriously, how
is this acceptable to anyone?

~~~
thematt
I would venture to say that the people who make the laws don't understand
technology in the least. Think about your average parent or grandparent who
equates AOL (or the Internet Explorer icon) to being "the internet". Now try
to get them to understand a concept like jailbreaking, it's a daunting
prospect, technology is emerging and changing at a rate faster than they can
possibly comprehend. Society is asking them to make judgement calls about
something they're not the least bit qualified to...and yet they're doing it
anyways.

------
daimyoyo
Jailbreakme is an amazingly elegant tool. Although I seriously doubt they
will, Apple should definitely hire him. His products show that he understands
design as well as anyone on their payroll now. That combined with his obvious
coding skills make him the ideal Apple engineer.

~~~
conradev
> 'His products show that he understands design as well as anyone on their
> payroll now.'

He designed none of the interface.

> '... his obvious coding skills ...'

A lot of the time, a person's coding skills are judged by how readable their
code is, and how well they utilize SCM. Also, to be an Apple engineer you want
extensive experience with Objective-C. <https://github.com/comex/star_>

Now I don't mean to say comex is a bad programmer at all, the stuff he writes
is amazing, I just feel like he wouldn't make a good Apple engineer.

~~~
Xuzz
He didn't design the interface (Apple did; it's a clone of the App Store, and
I guess I designed some of the iPad UI), but he did work very hard to ensure
that the user experience was great. There was quite a bit of discussion about
that, even: comex spent months porting unionfs for little benefit (right now)
than being able to install Cydia without rebooting, so it could look like an
App Store installation.

~~~
conradev
Good point.

------
delinka
The kind of control Apple seeks (to what purpose is irrelevant) is doomed to
fail. You simple cannot control a device once it's in the possession of an
'adversary' (which in this context seems to be the owner of the device).

Once the attacker (again, the owner of the phone who wants to jailbreak) has
possession of the phone, he has complete control over it. I wonder if Apple
has this internal posture that they should make appearances of caring about
jailbreaking (for the benefit of the carriers and their contracts) but
actually it's not such a big deal.

~~~
gte910h
You assume apple overly cares about jailbreaking. I feel they wish it were
impossible, but knowing that it isn't, just want to make it difficult enough
'normal people' don't do it and start breaking things on the phone and not
understand their jailbreaking is what broke things.

Hell, their AT&T contract was probably the only reason they got super up in
arms about it anyhow.

The reason Apple closes the security loopholes is _that they are security
loopholes_. It's not some sort of arms race. It's securing their platform.

Notice they have a pretty effective iBooks test for Jailbroken devices, but
they don't deploy it widely, etc. I think they're at peace with the JB
community as sort of a free research lab for them (hell, on device 3rd party
apps came from the JB community first!) and use them to fix security holes in
their platform as they are revealed.

~~~
rsynnott
> Notice they have a pretty effective iBooks test

Well, it's not that effective; it was worked around within days of showing up.
Interestingly, to my knowledge, Google's similar check to prevent rooted
devices playing movie rentals hasn't been worked around yet.

------
torstesu
One of the strongest job applications I've seen. I guess he can put up Forbes
as one of his references now.

------
peterb
He is looking for an internship. Hello, Apple, hire him already.

~~~
catch23
If Apple hires him, that will be the last time you see a jailbreak tool come
from him.

~~~
saurik
Depending on what they hire him for, it could also be the last time you see a
jailbreak tool from anyone ;P.

~~~
dmooray
For someone like you very familiar with the jailbreak community I find the
lack of trust very disturbing :)

~~~
saurik
I am also very familiar with comex ;P.

~~~
js4all
Sure. And maybe we will see another story about alternative appstores some
time later. ;)

------
alanh
Ugh. “Obsessive control”? _“Obsessive”?_ It’s a (very smart and seemingly
unbeatable) strategy to limit user actions on these devices to known-safe
actions, to prevent users from e.g. changing how the system itself works. It
keeps down things like: User confusion, malware potential, customer support,
third-party developer testing (heterogenous devices), etc.

I hate when bullshit business rags ascribe a quality like “obsession” (with
the connotation of OCD or some sort of mental imbalance) to a booming business
like Apple. As if they know better in this matter, despite the way Apple’s
competitors in the market are making crazy little money in comparison…

------
throw_me_away
The kid goes to my school; we're both in the CS department. I met him once,
and I saw him around the department a lot while he was still here. I don't
know him, but from what I've seen, it's no surprise he hasn't found an
internship: the kid is incredibly anti-social. Not to mention that being
dismissive of other people in your first year isn't exactly the best way to
build up connections.

Before I saw this article, I honestly had no idea he was Comex. I could tell
he was brilliant, but that's pretty awesome.

~~~
grimtrigger
I don't think you should levy anonymous attacks on peoples personalities

------
rimantas

      JailbreakMe’s sophistication is on par with that of Stuxnet
    

No kidding…

~~~
Apocryphon
It sounded like sensationalistic hyperbole when I read it. Is the code really
that good?

------
testinghello
> (He agreed to speak after Forbes‘ poking around Twitter, > Facebook and the
> Brown Directory revealed his name.) B

this is the most important part of the story

~~~
canistr
Agreed. It's strange that people get all up in arms when the government does
this for suspects and yet when some random journalists start snooping around,
trying to dig dirt up on you, and blackmails you to write a story (and then
proceed to make money from said story), nobody seems to care. Ridiculous.
Forbes should be chastised for this.

~~~
saurik
For the record, I spoke to this reporter for a couple hours, and even had him
tell me exactly how he got comex's name (which I did not actually know).

He plays it up in that quote from his article, but it turns out getting the
name was /trivial/: comex had a public Facebook account, in his real name,
using one of his standard usernames. It is actually likely that he got the
name before he even realized it was supposed to be "secret".

In fact, I even joked "fair enough; you know, I've never actually looked, but
for all I know his personal domain name is registered to his home address by
his mother or something": it turns out it literally is.

(It should also be noted that comex has agreed to talk to reporters before,
such as for an article published by Reuters.)

~~~
Vexenon
His name also shows up in a few of his GitHub repositories, so it's not like
they used illegitimate tactics to uncover his real identity that was already
somewhat public.

Forbes shouldn't be chastised over releasing his name, and anyone who thinks
that blackmail or anything of the sort played a role is just being silly.

