A good start to the New Year; a gentle reminder that the 50% of the population bearing XY chromosomes are not all feral youth, tattooed along the neckline, engaged in abusive behaviour towards repressed females. Some of them are mighty useful members of the world population.
Don’t expect this story to feature heavily in the mainstream media. ‘Jack’ doesn’t appear to have fathered 14 children, isn’t on the dole, hasn’t stabbed anyone; he’s a student – and perish the thought, isn’t out demonstrating against the ‘cuts’, hasn’t thrown a fire extinguisher off any buildings, nor has he been unfairly targeted by our Police.
He’s bright, hard-working, and responsible. What could possibly be interesting about Jack, you wonder?
Jack Jenkins is a final year business studies and IT student at Aberystwyth University. Back in October 2012, Jack was quietly learning how to do data flow diagrams, how to put information together. He was part of a group of students engaged in a project to dream up and evaluate a business plan for a new mobile app. A lot of the work had to be done in their spare time – not a popular notion amongst students. They learnt how to evaluate risk, security issues and privacy concerns. They looked at how other companies do just that.
Come Christmas, they all went home; to party and relax. To forget everything they had been taught, pausing only to ‘revise’ two hours before their exams. Not Jack though. He went on poking and prodding into on-line products, working out how they were constructed.
Which is how he came to be looking at Facebook on New Year’s Eve. Not to announce where he would be getting drunk, or how many girls he expected to have draped around his neck – but how they had constructed their new app – the Facebook ‘Midnight Delivery’ app. Hey! The mighty Facebook; the world-dominating example of how to construct a useful app – built by experts in the business. Surely Jack could learn something from them?
Indeed he did! He learnt that they had missed that all-important October lecture on evaluating security risks…
With a minimum of prodding and poking, for Facebook had used sequential IDs, Jack was able to access messages and personal photographs that other Facebook users had sent to Facebook for delivery to named recipients at midnight. Not only to access them, but to delete some of them too.
He sat down and wrote a blog post, detailing exactly how this had occurred and sent it to Facebook. It was clear and concise, a perfect example of how to present information.
Facebook took notice and removed the app from their site. Jack was perfectly correct – they did have a massive security flaw in their work.
It’s just as well that Jack didn’t follow the example of his fellow Welshman, Steven Nott.
14 years ago, yes, I did say 14 years ago, Steven discovered that Vodafone had sent all their new mobile phones out of the factory with the same password to access messages: 1234. Steven was so concerned about this that he contacted The Sun newspaper and News International to inform them of this security flaw. They were fascinated, and invited Steven up to their offices to show them how this worked. They never published the story. They did publish a string of stories that appear to have been gained by accessing private voicemail messages using the code 1234…
An event now known as Hackgate, which has just cost us £2 million quid, and hundreds of decent journalists their jobs.
Jack had the wit to send his blog post to The Verge, and in turn the story was picked up by The Los Angeles Times. The mighty Facebook had been humbled by a British student, and forced to go back to the drawing board and rework their app. Belatedly, The Guardian picked up on the story – only in their technology section. It seems the story was only of interest to geeks concerned with Facebook’s security flaws.
Now if Jack had had the wit to drunkenly swing off the Cenotaph, or flog his virginity for $780,000, he could have had his picture on the front page of every newspaper…
“British student still hard at work on New Year’s Eve” just doesn’t cut it. He was still beavering away last night answering my e-mails.
If you’ve got the time folks, send the young man an e-mail; congratulate him. Offer him a job come next June if you are in a position to; there aren’t too many Jack Jenkins around.
firstname.lastname@example.org is the address you want.
Well done Jack! If you’ve got a hangover this morning, you deserve it.