

New iPhone worm can act like botnet - allenp
http://news.bbc.co.uk/2/hi/technology/8373739.stm

======
tvon
1) They wait until the 3rd paragraph to mention that you have to have unlocked
[edit: I mean jailbroken] your phone to be at risk.

2) They wait until the 6th paragraph to mention that you need to have the
default password still enabled.

3) The content is misleading on important points: _Users who have installed
SSH and not changed the password are especially at risk._ Correct me if I'm
wrong, but they are the _only_ ones at risk. Saying they are _especially_ at
risk implies that others are at risk as well.

IIRC, the initial Astley wallpaper worm had the same requirements and was
reported just as poorly by the BBC.

I'd also like to point out that releasing SSH software that provides a
universal default password is idiotic.

Also, if I worked for Apple I might be tempted to say "this is what happens
when you leave the protective walls of the App Store". Just sayin...

~~~
weaksauce
To be fair, the password comes from Apple. Any of the JB apps I have seen
explicitly tell you that enabling SSH is a bad idea unless you know what you
are doing and only if you are going to change the password. Though the fact
that the app does not prompt you to change the password right then and there
is lazy at best.

~~~
tvon
Ah, I didn't realize. So the shell password already exists and is "alpine",
but the SSH app just enables SSH?

[edit, yeah, googled it and everything...]

------
tptacek
There is no technical journalism worse than mainstream lay writing about
"malware". The ratio of killer hooks to real insight is just too crazy to
write good stories. I'm not sure I've _ever_ read a good mainstream piece
about a virus, worm, or botnet.

------
pohl
Now we see the upside of a careful app approval process.

~~~
orangecat
This has nothing to do with the app approval process. If anything, it shows
the "benefit" of locking down hardware so you can't run server processes.
Exactly the same thing can and has happened with Macs allowing SSH logins with
weak passwords.

~~~
tvon
Well, it's not so much about weak passwords as it's about a single password
being default across all installations of the app. I can't think of any
instance of that happening with Macs but I haven't been using Macs for more
than a few years so it may have happened "before my time". The point is
though, it's arguable that (if background processes were allowed and the same
level of system access was allowed) such a configuration would never have
passed the App Store approval process.

Granted, I don't know of any apps that have been rejected because of
password-related security concerns, but I also can't think of any apps that have a
standard, universal default password. It's honestly such a wildly
irresponsible thing to do I'm surprised it happened at all on any platform
without some kind of community uprising involving pitchforks and torches.

[edit: apparently the password is already on the account in all iPhones, the
SSH app just enables SSH and that user account. Still bad and still some level
of irresponsibility, but not quite as bad as I thought, and still no way
anything like this would make it through the App Store approval process.]

