I’m glad I don’t take things personally. I am also a firm believer in the phrase “no good deed goes unpunished”. I decided to post in both the CrackBerry Forums and BlackBerryForums communities that I’d released the program called Kisses. It would appear, however, that the fact that I had designed both PhoneSnoop and Kisses seemed to strike a nerve with the members of both forums. CrackBerry has deleted the post I made. The thread on the BlackBerryForums, however, is still alive and kicking. If you have some time to waste, head on down there and have a read.
The thread demonstrates some of the ways in which people formulate opinions, and it highlighted something very important, to me at least. It's a trait that I have seen with so many developers of applications as well. It would appear to me that people are always looking to “play” within a certain set of distinct boundaries.
I’ll give you an example of a web application developer. In one banking application I tested, I was able to do a “negative transfer”. It worked like this: if Alice were to transfer -$1000 to Bob, the logic of the application made Bob do a transfer of $1000 to Alice. So by Alice initiating a negative transfer, she was able to pull money out of Bob’s account. When confronted with this, the developer simply stated “yes, but a user is not supposed to do this.” Well of course he’s not supposed to do this, but isn’t it your job as a developer to check for it? An attacker is not going to play nice; he’s going to find any way he can to own you. If he can’t hack your systems, he’ll come at you with a knife or a gun. To him, the end goal is getting what he wants. He’s not going to stop doing something just because “a user is not supposed to do this”.
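The negative-transfer flaw described above, as an added example (not code from the original post or from the application that was tested): a toy in-memory ledger with the vulnerable transfer beside a hardened one. Account names and balances are constructed sample data; note that a plain "sufficient funds" check does not catch the negative amount, only an explicit sign check does.

```python
"""Negative-transfer logic flaw and its fix (added example, constructed data)."""
from decimal import Decimal


class TransferError(Exception):
    """Raised when a transfer request fails validation."""


def make_ledger():
    # Constructed sample balances for two accounts.
    return {"alice": Decimal("100"), "bob": Decimal("5000")}


def transfer_vulnerable(ledger, initiator, src, dst, amount):
    """Mirrors the flawed logic: ownership and funds are checked, but the
    sign of the amount is not, so a negative amount debits dst instead."""
    amount = Decimal(amount)
    if src != initiator:
        raise TransferError("initiator does not own the source account")
    if ledger[src] < amount:          # 100 < -1000 is False, so this passes
        raise TransferError("insufficient funds")
    ledger[src] -= amount             # negative amount: Alice is credited
    ledger[dst] += amount             # negative amount: Bob is debited
    return ledger


def transfer_hardened(ledger, initiator, src, dst, amount):
    """Validate the request server-side instead of assuming a well-behaved
    user: positive finite amount, distinct accounts, ownership, funds."""
    amount = Decimal(amount)
    if src != initiator:
        raise TransferError("initiator does not own the source account")
    if src == dst:
        raise TransferError("source and destination must differ")
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be a positive number")
    if ledger[src] < amount:
        raise TransferError("insufficient funds")
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger
```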
If you take the case of what happened in the forums above, it seems very similar. Here goes:
The forum users and moderators that did reply seem to be under the impression that just because I released PhoneSnoop, I am trying to infect them by pushing Kisses (in their minds a malicious app) as a cure. So to me, at least, it appears that their “boundary” or “sandbox” is the fact that I should have released one or the other but not both. I’ll cover why this is not a very sound way of thinking later, but first, some fun. Here are some of the things said in the forum post, if you didn’t bother reading the whole thing.
- I was asked if now that I had raised awareness how long I will make PhoneSnoop available for.
- I was compared to a fox guarding a hen house.
- I was compared to a pharmaceutical company.
- I was wished “Kisses of death”.
- I was threatened with being sent back to Sri Lanka in a box.
- I was called a lovely set of names ranging from “super-spy” to “spy-master”, and compared with mid-eastern terrorists.
- I asked for donations to help get my hands on copies of FlexiSpy and MobileSpy (mostly because I was writing Kisses for free and was not in a position to pay over $200 for them), and thanks to some members of the phone community out there, I was able to get my hands on copies. I was questioned as to why I asked for donations, and they stated that even free anti-virus product companies don’t ask for donations.
- One of them thinks my Kim Jong Il avatar (taken from Team America; very apt in this case, I must say) on my twitter page makes me look very shady.
So I now am going to dub these wonderful people who are protectors of the BlackBerry community as Team BlackBerryForums.
I have to admit, though, that I respect them very much. They are very dedicated, and I hope that most of what they say comes from some place inside them where they want to protect other users. For this, yes, I have to bow down and say that I’m impressed.
Right, now onto the reason why this sort of behavior is not very helpful. First, I really don’t care if users don’t download and use my Kisses application. I put it up there because I wanted to give something back to users for free to help them protect themselves. This was my only intention.
By making it appear to other users that I am evil because I wrote PhoneSnoop and now I’m writing Kisses, Team BlackBerryForums are not being helpful to their users. It's like in Green Eggs and Ham: a pre-conceived notion before investigating things further. It would have been far more helpful to their users if they had verified things first before seemingly writing off the app as spyware. To their credit, however, they did ask a lot of questions. CrackBerry Forums just shut down the thread. If they had researched what I presented at the Hack In The Box security conference, they would have known that there are far more creative ways of infecting BlackBerry users. I tried to stress this point in my replies, but I guess their minds were already made up.
Let's hypothetically take the situation where I am someone evil and my only job is to spy on BlackBerry users. I think I would have a far better chance of being stealthy. I would certainly not highlight the fact that I can bug people's phones, and I surely would not release a proof-of-concept application. This removes the element of stealth from my plan. This is how I would do it, again, hypothetically.
I think Team BlackBerryForums believes that releasing a proof-of-concept tool makes me a terrorist of sorts. They seem to think that nothing I do from now on can be trusted or is well-intentioned. Now I can see how they would think that. But surely they should be aware that if I had a serious need to read people’s email or tap their phone calls, I would find a way to do it? And do it quietly?
Looking at my latest log file, I have 489 distinct downloads of Kisses. I have had numerous emails from people asking me to support older versions of their BlackBerries, and I have had lots of emails thanking me for releasing the free app. I’m very happy that some people out there perceive the app as useful. I think that’s enough for me. So for the sake of those people out there, I will continue to develop Kisses and release it. A big thanks goes out to you guys.
Comments for “Team BlackBerryForums! Fu*k Yeah!”