Yahoo mail worm author merely job hunting
A person claiming to be the author of Monday's Yamanner worm that targeted an unpatched vulnerability in Yahoo's mail application has contacted several security vendors, asking them for a job.
The security industry collectively told him to get lost.
In addition to the rule that you don't negotiate with terrorists, the author doesn't provide any proof that he crafted the worm. If he was merely out to show off his programming skills, he could have written a proof-of-concept worm and informed the proper authorities.
By setting his creation loose, he effectively ran over a child with his car to demonstrate a design flaw, and only then contacted the manufacturer about the issue.
-------------
Subject: I have written JS/Yamanner@MM Worm
Hello
I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts (collecting yahoo addresses from someone mail, sending this email using Ajax technology to them and then redirecting them into a sample site).
…
Finally I should mention that I don’t like to disturb no one. Since I live in Iran and taking a job in good computer companies is very hard (because getting Visa is very hard from US) I just want to prove that I have some abilities in web programming. And I like to work with professional team like you if there is any way to do that.
----------
I have two problems with this. The first problem I have with this is obvious, some idiot thinking he could get a job this way. The second, not so obvious, is why none of these companies lured the guy in to have him arrested. Duh! How stupid (on both accounts) can you get?