Print 21 comment(s) - last by blueeyesm.. on Aug 2 at 4:33 PM

Nicholas "Comex" Allegra perpetually outwits the engineers at Apple, the world's most profitable tech company.  (Source: Forbes)

Comex may live at home, but he still knows how to crash on Apple  (Source: New Line Cinema)
Young 19-year-old hacking whiz still enjoys free housing courtesy of mom and dad as he completes higher ed.

Depending on which stereotypes you believe in, hackers are either rich, glamorous international celebrities or glasses-wearing introverts who spend their time in their parent's basement. 

I. Hacking@Home

Renowned iPhone hacker Nicholas "Comex" Allegra seemingly falls under the latter stereotype to a degree, but it's for a good cause.  Like many young people, he's saving money living at home while he attends college.  According to a recent interview with Forbes, the 19-year-old is attending Brown University, near his home of Chappaqua, New York.

But what he lacks in age and independent living accommodations, he more than makes up for in hardware hacking skills.  Along with George "GeoHot" Hotz, he's defeated the restrictions on virtually every iOS (iPhone, iPad) release to date.

Comex's contribution is JailBreakMe, a tool which exploits errors in the iPhone source code, in order to allow the phone to authorize code not authorized by Apple, Inc. (AAPL).  This opens the door to running rejected apps, installing custom wallpapers, and more forbidden pleasures in the iOS family.

JailBreakMe relies on run-time exploits in Apple's built in apps like Safari.  Given Apple's adversarial attitude towards jailbreaking, this makes it harder to maintain, as it's much easier to patch software exploits, than boot exploits (which other jailbreak utilities like the *ra1n series from GeoHot rely on).

Still Comex has made sure that JailBreakMe frequently works on most, if not all active versions of OS X.  The young hacker is constantly combing Apple's publicly shared sources for exploits to substitute, should Apple close his tool's current route of entry.

He tells Forbes, "It feels like editing an English paper. You just go through and look for errors. I don’t know why I seem to be so effective at it."

II. Brilliance in Action

Apple's engineers have tried their hardest to defeat Comex and maintain the company's control, which Forbes characterizes as "obsessive".  They first implemented code signing, which prevents hackers like Comex from using any command that Apple doesn't use in its code.  Apple hardware hacker Dino Dai Zovi compares the process of hacking a iOS device using Apple's own signed commands to assembling a ransom note out of magazine clippings -- doable, but time consuming.

And Apple has gone to even greater lengths, of late.  It's randomized the locations of its commands in memory, forcing Comex to discover the command locations at runtime, before piecing together his jailbreak attack.  But with JailBreakMe 3, he was able discover the command locations, using an exploit in how the iOS PDF handling code processed fonts.  Apple patched the vulnerability, sending Comex back to the drawing board yet again.

Comex's fans hope JailBreakMe 4 will yet again defeat Apple's protections, but Comex first has to find another way to discover the hidden commands.

Ironically, despite Apple and its CEO Steve Jobs' disgust for jailbreaking, Comex still loves Apple and calls himself an Apple "fanboy".  He calls Google Inc.'s (GOOG) rival smart phone operating system "the enemy".  He remarks, "I guess [my hacks are] just about the challenge, more than anything else."

The young hacker earns high praise from security researchers.  Mr. Zovi comments that his skills are akin to "advanced-persistent threat" hackers, which penetrate corporations and governments on behalf of foreign intelligence agencies.  In fact, "He’s probably five years ahead of them."

Mac hacking legend and former National Security Agency researcher, Charlie Miller remarks, "I didn't think anyone would be able to do what he's done for years. Now it's been done by some kid we had never even heard of. He's totally blown me away."

III. Beating the World's Most Profitable Tech Company? Easy.  Finding an internship? Tough.

Comex first appeared several years ago on the Wii hacking scene.  He is a self-taught programmer, having begun to learn Visual Basic at the age of 9.  In high school his OS hacking began, when he discovered he couldn't save a screenshot from Super Smash Brothers on Nintendo Comp., Ltd.'s (TYO:7974) Wii console to his computer.  He figured out how to translate the proprietary format and published it and several other Wii hacks.

Still, most hadn't heard of him until his iPhone work.  He recalls, "I didn't come out of the same background as the rest of the security community. So to them I seem to have come out of nowhere."

Comex feels that jailbreaking is legal.  Currently the art resides in a gray area of the law.  Jailbreaking your own devices is technically legal thanks to the Library of Congress's Summer 2010 amendments to the Digital Millennium Copyright Act [PDF] (DMCA).  However, those amendments were ambiguous to whether releasing tools to jailbreak others' devices was legal or not.  So far three court cases have ruled it was legal, while one has ruled it illegal.

For his part, Comex has tried to legitimize jailbreaking, by publishing patches that fix the dangerous vulnerability post-jailbreak.  For example he released a patch for the PDF handling, along with JailBreakMe 3.0.

Aside from making JailBreakMe 4.0, Comex has set his sights on a new challenge -- finding an internship.  After all Comex may be able to outsmart a team of top engineers at the world's most profitable tech company, but it's as hard for him to find a good internship as the next guy.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

I can see why...
By wordsworm on 8/1/2011 7:43:06 PM , Rating: 1
no one would want to hire him.


iPhone and Mac hacker looking for work. Experience: hacking tons of crap.

Business owners would have to see him as a security risk.

RE: I can see why...
By Master Kenobi (blog) on 8/1/2011 8:38:49 PM , Rating: 5
Indeed, it is fine to show off like this but it is hardly marketable if you release tools to the general public. The hackers you never hear about end up with the nice jobs because they make it a point to find the holes, report them to the proper channels and make their connections with security companies to land high paying research/penetration jobs. It's a business savy mindset most of the younger hackers lack, as they seem to still live in the world of unicorns and rainbows.

RE: I can see why...
By someguy123 on 8/1/2011 9:56:09 PM , Rating: 4
I wouldn't say it's lacking in business mindsets, more that they generally aren't interested in working for these people in the first place.

Comex may be an exception, but there are plenty of people who do this purely as a hobby and release to the public for entertainment/acknowledgement/no particular reason.

RE: I can see why...
By 91TTZ on 8/2/2011 9:10:09 AM , Rating: 4
It's a mindset they lack? I disagree. I think they just haven't been corrupted by money yet. He's hacking for the people instead of a huge oppressive corporation.

Once he has to pay his own bills he'll have to work for a company by necessity, unless he plans on working for himself in a different field.

RE: I can see why...
By nafhan on 8/2/2011 9:37:06 AM , Rating: 5
Or... he might not be able to find a job because he's 19, hasn't finished college, and (maybe) lives in a location without a lot of available tech jobs/internships. Finding a good internship, especially now, can be difficult (really breaking into the industry in general is difficult). However, he sounds like a talented guy, and I'm sure he'll do fine long term.

RE: I can see why...
By tastyratz on 8/2/2011 11:32:24 AM , Rating: 2
You state this like it is a character flaw, I see it more a nobility. He is releasing his work and becoming known. Someone infamous for high profile hacks will surely be noticed as a pseudo celebrity in his field when applying. Individuals who TRULY do penetration testing are hardly squeaky clean, and many have a history just like him. This does not make him business savvy, he just has a more open source life.

Apple would be foolish not to hire him, but eventually I am sure they will chose to lose a lawsuit instead. They should learn from Sony and George Hotz.

RE: I can see why...
By danjw1 on 8/2/2011 12:34:13 AM , Rating: 2
That is really foolish. Big companies NEED red teams. It is the only way they will be able to avoid being the next Sony.

RE: I can see why...
By wordsworm on 8/2/2011 8:47:54 AM , Rating: 1
Or, he could be that whistle blower that no one wants in their company. You don't want someone who will hack your mainframe for kicks. etc.

I think what was said already is the gist of what he ought to have done: contacted Apple rather than humiliate and exploit them, for example.

RE: I can see why...
By geddarkstorm on 8/2/2011 1:14:34 PM , Rating: 2
Any security employee worth his/her pay can hack your mainframe for kicks. In fact, you'll probably give them free reign anyways, so they can set up the security and monitor it all in the first place. Moreover, not every company is a pile of scum ;).

He's going to be a very hot commodity once he's out of college and truly in the job pool. Talent like that can be easily put to some extremely useful tasks for anyone who knows how to manage it.

RE: I can see why...
By isayisay on 8/2/2011 11:28:34 AM , Rating: 2
"no one would want to hire him" Reeeeally?! ...time and time again the industry has hired the black hats that have hacked their systems. These folks get paid very well for good reasons.

This kid has shown deep technical knowledge and the ability to creatively problem solve.... he will do very well.

It's a new generation....
By Smartless on 8/1/2011 5:37:13 PM , Rating: 3
Kids nowadays can hack better than adults but succumb to cyberbullying. What a world.

RE: It's a new generation....
By chick0n on 8/2/2011 10:12:53 AM , Rating: 2
simply because Kids have nothing to worry about, their parents got their back(food/housing/etc). So he/she can pretty much sit in front of his/her comp for most of the day. Not to mention, it's always easier to break things than create something.

By geddarkstorm on 8/2/2011 1:15:45 PM , Rating: 2
How is this different than any generation growing through the late teens/early 20s?

grammar police
By psymn on 8/1/11, Rating: 0
RE: grammar police
By MrWho on 8/1/2011 7:21:00 PM , Rating: 1
"but another of your posts today was missing a preposition"

Talk about being picky...

RE: grammar police
By jtjoatmon on 8/1/2011 8:55:31 PM , Rating: 2
fap fap fap
pressure relieved

RE: grammar police
By rburnham on 8/2/2011 10:28:37 AM , Rating: 2
Grammar is important.

Don't fret Comex
By nyteschayde on 8/2/2011 2:52:22 AM , Rating: 3
I have worked for Google and I currently work for Netflix. If your skills are good you'll be able to everything you want. That internship will come. More than that, skipping the internship and moving on to a job may even be another route to investigate.

I don't have a degree. I am also a self taught programmer. For developers who love what they do, like me, you'll always have an edge over those who do it for money or reputation. Your code will, and does, speak for itself. Always seek and strive to improve yourself and you'll do fine.

Keep up the good work, I used your jailbreak on my iPad 2 and I greatly appreciate you putting it out there. I wish it were a boot level JB but I'm happy to just have Cydia and I couldn't do it without your help. Putting together a patch for the exploit after providing the means to use my own device as I see fit shows that you also care about the community and "doing the right thing."

Thanks again!

By punzada on 8/1/2011 5:58:32 PM , Rating: 2
This opens the door to running rejected apps, installing customer wallpapers, and more forbidden pleasures in the iOS family.

Think that's supposed to be 'custom' no? Just looking out.

By crimson117 on 8/2/2011 4:07:40 PM , Rating: 2
Brown University is in Rhode Island; it is nowhere near Chappaqua, New York.

Why hasn't...
By blueeyesm on 8/2/2011 4:33:04 PM , Rating: 2
Steve Jobs given this guy an internship (with NDAs and an agreement to stop hacking his devices)?

As in, working right under his thumb,.. literally.

"Well, there may be a reason why they call them 'Mac' trucks! Windows machines will not be trucks." -- Microsoft CEO Steve Ballmer

Copyright 2015 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki