MySpace Worm Creator Sentenced
Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."
Stop writing malicious scripts.
The dangers of knowledge trigger emotional distress in human beings.
I'm curious what exactly paying restitution entails in this case, as there was no actual damage. The only thing I can imagine is paying the wages of the people who went in to remove him as a friend from all the people who were affected by the hack, and maybe the wages of the people who were analyzing what was going on.
I realize the sentence but... how can this be enforced? For how much time?
Let's face it, a company selling a service should have a team who knows more than the customers do about the details of that service. If that were the norm, security vulnerabilities would be found before exploits came out.
Banned from using the Internet? Is that like the opposite of house arrest?
Space game using normal deck of cards: http://BattleCards.org
"The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation."
AFAIK, a civil court (which is where MySpace would have to sue Samy) doesn't ban people from the internets or sentence them to community service. And TFA says he pleaded guilty in LA Superior Court... you don't plead guilty in civil court.
Here's a better article
Samy Kamkar (aka 'Samy is my Hero') plead guilty yesterday in Los Angeles Superior Court to a violation of Penal Code section 502(c)(8) as a felony and was placed on three years of formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and had computer restrictions placed on the manner and means he could use a computer - he can only use a computer and access the internet for work related reasons.
Undoubtedly, the prosecutor had MySpace's cooperation, but MySpace certainly didn't "target him" in court.
P.S. of the 3 articles on Google News submitter picked the least informative one.
[Fuck Beta]
o0t!
The kid wasn't malicious, it was a joke. If anyone should be punished it's myspace for having such a crap web application that allowed a worm to replicate so quickly.
From what I've heard of the quality of MySpace code and given its popularity, the site is the net's #2 liability behind Windows zombies.
Laws have to be changed ASAP. They were created before anyone in the government has seen what a computer or "an internet" is and are just not fit for the real computer world today. Why don't they put in jail everyone who creates real viruses in the labs, but do put those away that create computer viruses (and do not even use them out of a controlled environment (lab))??
Do not. Touch. Down.
Clearly, disclosing security vulnerabilities doesn't pay.
The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.
That's the same as house arrest.
The dangers of knowledge trigger emotional distress in human beings.
Clearly, disclosing security vulnerabilities doesn't pay
The moral of this story is that if you do the right thing and inform those affected then you risk personal liability, charges, fees and so on...
Instead, you should just sell the exploit to the highest bidders (probably hackers employed by the Russian mob). He could have gotten a few thousand for it no problem (and as an extra added bonus, no probation!).
DJ kRYPT's Free MP3s!
The world would be a better place if Microsoft programmers had computer restrictions put in place to prevent them from having written the software to facilitate cyber-crime on a global scale.
if his primary income comes from internet related activities ( no , not scamming ), will the state be responsible for feeding him?
Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.
http://uncyclopedia.org/wiki/Banned_from_the_Internet
:-P
he's not from detroit is he?
I'd like to think that if someone managed to release a script onto
// MD_Update(&m,buf,j);
The way things are in the U.S. today (and getting that way elsewhere as well), it looks to me like it's simply not worth revealing security holes to the corporations that have them. All they'll do is either sue you into oblivion or get you criminally prosecuted. They sure as hell won't thank you.
So I think it's time to let these corporations have what they want. Let them have their blissfully naive fantasy that they're invulnerable. They don't want to hear anything to the contrary, so why tell them? Let them and their customers suffer. It sucks that their customers will suffer, but if their customers suffer, then perhaps (unlikely, I know, but still) they will suffer too. And for having such a simultaneously naive and arrogant attitude, they deserve to suffer.
Instead, if the target in question is running open source software, inform the author(s) of said software about the security vulnerability. Include a fix if you can. They'll be far more grateful for your effort than any of these piece of shit corporations will.
The end result? Open source software gets fixed, because vulnerabilities get reported to those who can do something about it, and closed-source software remains vulnerable. That gives open source software even more of an advantage than it already has, thanks to the blind arrogance of the corporate idiots who would prefer to harm the messenger rather than fix their own problems.
Sounds like a win-win deal to me!
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
A LOT of voice traffic is carried, at least in part, over the internet. The only way he can be banned from the internet is if he never, among other things, uses a phone (landline OR cellphone).
It also means being banned from certain fast food drive-through windows, where the person who says "can I take your order" is actually sitting in a center in another state.
It also means not using a bank ATM card.
Or digital cable TV.
Or the self-serve scanners at the local Wallyworld, since they're connected to a local server, which is in turn connected to the net at large.
Or any pre-paid gift card/cash card, since they're validated via the net.
Or a speedpass to pay for his gas. Same problem - accessing the net to validate.
So, if he gets a job writing spam, is he legal?
"It won't pay until the blame is shifted to the real culprits: managers who hire the least competent possible technical people."
So in other words it's OK to treat others however you want because they're not as smart as you are. Let's say they did have the uber team and he still managed to exploit them? Who would you blame then? When will people stop blaming others for their own actions? When hell freezes over.
Yes, because the judgement is obviously meant to be interpreted by a literal-minded nerd.
Thankfully our legal system has more common sense than you. He can use TV, ATMs, and phones. THEY use the Internet, he uses them.
And this is something to be thankful for, because where would we go if people obeyed the letter of the law (or judgement) instead of their perceived spirit?
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
If I was going to be tried and sentenced for a felony, I'd want the satisfaction of having replaced all user images with goatse.
Samy is a true hacker, he is my hero.
Yes. Damn Bill Gates and his wife for giving all that money to AIDS research! Somebody think of all they lives he's damaged by doing so.
He did not 'disclose a vulnerability'. He wrote a script that exploited it. It wasn't a script that was designed as a proof of concept that did nothing. It was a script that added him to tons of people's friends list and put a phrase in their profile.
Banning someone from the Internet is a stupid punishment. And perhaps the whole thing was a bit harsh. IMHO, this was a prank that deserved the equivalent of the punishment you get for disorderly conduct or vandalism, not for a really serious crime.
But, this is not punishing someone for exposing a vulnerability. This is punishing someone for exploiting it. Those are different things. The wording of the article really annoys me because there are people who are punished merely for exposing a vulnerability and this makes it seem like when they complain about this they're just crying wolf.
Need a Python, C++, Unix, Linux develop
WTF are you talking about? This guy wrote a worm. He didn't disclose any sort of vulnerability. Unless by disclose, you mean he exploited it. That is like saying a guy who writes a Windows virus that wipes out millions of hard drives world wide is not at fault, Microsoft is for leaving that vulnerability in there.
Look, this is like tons of other cases, Gary McKinnon, Adrian Lamo and others. If you are breaking a rule or the law, do not expect leniency, regardless if you meant good or ill. Claiming that you were doing it just to demonstrate something is not a defense. If that is the case a valid breaking and entering excuse would be "I was just showing these people their locks didn't work".
RonB
It is human nature to take shortcuts in thinking.
He's been acting a little strange since he failed the screen test for Brokeback Mountain... cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
How can you get banned from the internet, it's not like it's a tangible object like being banned from the shopping mall.
He did less damage than the Enron guys, yet he'll still probably end up facing worse punishment.
I hate sigs.
This is something I just don't get, the mindset that so many people seem to have that when it comes to computers, if you can do it, that should make it legal and acceptable. No, that's not the case. Being able to do something doesn't make it ok. I highly doubt there's more than a handful of people on Slashdot with houses so secure that I couldn't break in to them. Home security is usually pretty basic. However that doesn't make it ok for me to do, even if my intent is simply to prove that it can be done. It's your house, I'm welcome to stay the fuck out unless you give me permission.
Same is true of a computer. Just because there's a security hole on a system, doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.
In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative, however if I catch you jiggling the door knobs, checking the windows, etc I'm likely to interpret that as malicious, even if your intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However don't sniff around looking for holes unless they've given you the OK.
This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.
I guess you don't value other people's time. Time spent cleaning up their profile. Bandwidth wasted on this stupid little look-at-me script.
Punishment more than suits the offense. If you don't want to be inconvenienced and have your time taken from you by the legal system, don't inconvenience other people and steal their time.
Simple formula.
The problem is that judges, juries and prosecutors aren't really comfortable and familiar with technology so they apply the law stupidly and literally. Kinda like the same way some earlier comment took 'no internet' to mean not using any device that happens to utilize the internet.
I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now obviously it would be a bad idea to do this as it would be a bad idea to run this myspace worm, however, because the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates, having strong punishments for behavior that can be used maliciously but showing mercy when used more innocently.
In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus in their mind far from a kid playing a trick on a company that left the door open the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real world equivalent of rearranging the books can be made to seem the activities of some kind of online underground.
Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info etc..) the prosecution just talks about how it was a DOS attack and the jury isn't going to know any better. In fact it is all too easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never resorted the books). Finally this lack of knowledge and the difficulty valuing IP makes it super easy (as in the Mitnick case) to overestimate the seriousness of the harm. Even if it may have actually made more people visit myspace (I looked).
Obviously it isn't a good idea to release a javascript worm like this but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology it would do just that.
If you liked this thought maybe you would find my blog nice too:
I'm taking a grad course in infosec, and our prof told us about a case where an engineering student found a vulnerability in his department's website. Wasn't even looking, just stumbled upon it. He reported it to his adviser, who told the department, and it got fixed. The next semester someone exploited the mathematics department's site, and the first person they questioned was the engineering student. Different department, different exploit, but they focused on him first since he reported a vulnerability. They eventually found the real person responsible.
We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student- what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?
Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"
Vote monkeys into Congress. They are cheaper and more trustworthy.
Since when is exploiting the vulnerability considered disclosing it? Sure you can argue something more malicious could have been done, but that is bogus. You can't just decide to exploit a vulnerability because it doesn't do any damage. That's like saying I could open everyone's door in my condo complex because I found out the key they gave me was a master key. So who exactly did he disclose this vulnerability to again? He deserves what he got. I think MySpace could have definitely gone another route but they didn't. Sucks for him.
He did less damage than the Enron guys, yet he'll still probably end up facing worse punishment.
He got probation, so no jail time. Jeff Skilling of Enron fame got 24 years in prison. Andrew Fastow got 10 years.
Poor Samy had his 1st Amendment Rights violated. The publication of a worm that was never deployed is just a publication, and by constitutional right, Congress can make no law banning it (free press), and the Judicial system can cite no law that convicts him.
If I knew Samy personally, I'd say he should call one of those constitutional legal groups and ask them to help him make an appeal.
Just my $0.02 USD.
Whenever I hear of people getting in trouble for exposing security holes, I always think of how in England (and many feudal societies, I'm sure) in the days of yore physicians could be executed for telling royalty just how sick they were. "Your Majesty, you are going to die" was considered a death threat. "hey myspace, your shit is broken" seems to yield a similar response, minus the gallows. As a previous poster said, (to paraphrase) "just because my house isn't 100 percent secure doesn't mean you should break into it to prove it." While I agree, how can one prove that there is a hole in a system's security without breaking into it? Perhaps an email just saying "hey, you left this port open and these lines of code are weak..." or something would suffice, but something tells me that would be a EULA violation.
There is more to science than physics!
www.iomalfunction.blogspot.com
Somebody found a shallow pocket upon which to levy an impossible fine. Somebody else said that there was no damage actually done, and that all he really did was point out a problem to the folks that could painlessly correct that problem. Namely the folks that ran the problem entity. Maybe an older wiser hacker in the future...maybe many of them will take a lesson from this and give these solutions not to the so called white hat snakes, as they will show no appreciation and only bite the hands that attempt to help them. Rather they will seek out their friendly local black hats and real malware writers and give it to them....or sell it to them...surreptitiously in bars and internet cafes all over the world. This also sends a signal to the world hacker community that our IT structure has a fatal flaw, and that is it is willing to eat its good children while rewarding its bad children. In other societies this is not done. That it is done in ours due to our own stupid laws will mean that the enemies of the United States will win every battle and in the end drive the American self flagellators from internet space. This disease is in Europe as well. As can be seen in the last fifty years, the classical 'west', Europe and America, is on its way down. Societies on their way down tend to have self defeating policies that typically benefit a tiny minority of its citizens, reflecting basic and unnatural distributions of wealth and benefits in those unstable societies. Think of a pyramid like those of Egypt. They have stood for twelve thousand years. The Egyptians built them with a little help, but Khufu and Khafri and his like at his time only painted the walls. The point is they are stable. Now turn them upside down and see how long they stand. Such is western economics now. We have become a society that rewards crime....look at our Vice President and his oil company; and it punishes those who would enforce the law...look at the two federal officers in prison for hindering the international cocaine trade by shooting a 'valuable' dope smuggler in the butt. Even Hitler wrote that: ..."where treason prospers, the fall of the state will be swift and sure!".
A COMPUTER uses the internet, he uses the computer
Nice use of black and white. Clearly he can't use a library's website to check if a book is in stock, but if he went to the library and took out a book, and they asked him for his name, address, phone number, and the data is sent to their online server, is he using it then? If the librarian suddenly got a bout of Carpal tunnel syndrome and asked him to type in the details would he be allowed to do that?
Does he simply have to ask someone else to enter things in order not to "use" the internet?
If he shares his computer with his roommate, and the computer updates the definitions of the firewall he installed, who's using the internet? if it asks for confirmation? if he presses the "update definitions now" button?
When the good and neutral are being punished for bringing attention to what needs attention... It's just not worth it to be honest and true.
The ignorant may not listen but the dark market understands. The dark side is seductive.
Ah yes, the old "throw a brick through a car window and blame it on the window manufacturer" argument. Samy didn't just identify an exploit, he actively exploited it, and even made it self replicating. That's a little bit more than "disclosing", don't you think? Considering that he effectively took down myspace, and probably cost them quite a bit in lost advertising revenue, I think he got off pretty easily.
Personally I really like the idea of community service sentences as punishment for internet crimes. They didn't cause physical damage, but they hurt the internet community by wasting people's time and bandwidth. Now he can pay it back by helping the real community.
IANAL and I have never been on probation.
....
However what I think this means is the following for three years
must meet with his probation officer once a week
may have to take a drug test on a regular basis (even if he has never taken drugs)
gets his fingerprints on record and the conviction.
agrees not to use the internet for other than business purposes.
community service
The probation officer has the right to inspect the browser cache and files on any computer he has access to.
The biggest deal is that if he does something nasty on the internet he gets real prison time. (in theory)
Oh and the ban from the internet is for a time period that was not disclosed to the press. I would be quite shocked if it was not disclosed to him or if it ran longer than three years. And I am sure they mean voluntary personal use of the web and email
and he can probably get permission from his officer to do specific things on the web if needed like change his address with the DMV....
I think the sentence is fair based on the idea that he released the exploit before warning myspace.
Yes he had poor judgement in creating a worm that did no evil. He should have created one that did very bad things and then he would have been on his guard and not have gotten caught. His poor judgement was telling a bully his fly was open and not thinking the bully would blame him for it.
Stop writing scripts. Someone could deem them "malicious" and you're history. Just don't write any. To be on the safe side, do not engage in witchcraft practicing like IT, OSes etc. Leave dangerous experiments to professionals. It already takes a lot of time for them to manage their trade on bigger projects, so it's not for you anyway, you miserable kiddie.
Which brings us to an analogous point, stop playing scientist, too. The government has extensive facilities to determine current trends in climate behaviour change. Alarmist declarations which negatively impact sales by some of our respected oil industries will be considered criminal activity, for they deprive such noble corporations from their hard earned profits.
Unfortunately, people won't get this, therefore I'm forced to explain the joke: it's sarcasm.
The poster said that exposing the vulnerability didn't pay. Now, while I think banned from the Internet (yeah, however THAT works) is extreme, keep in mind he didn't just disclose the vulnerability - he exploited it. Had he just exposed it - and was mindful to disclose it first to MySpace - I'd feel more sympathy toward the guy.
Clearly, disclosing security vulnerabilities doesn't pay.
Ummm, nice slant on that summary. Exploiting security vulnerabilities before disclosing them is an entirely different matter. This kid isn't anybody's hero for explaining about the hole after it had already been fixed, what was that supposed to have served anyhow?
In all fairness, Samy is still allowed to use the internet for work reasons.
He never used it in his spare time because he was always too busy being a sexy man picking up women with his hot body.
We love you Samy!
- #L
by this logic, doesn't my computer use the internet, and I just tell it what to do? (i do get the point though, just being contentious)
If he had only known about proxy servers :(...
and didn't put his name everywhere
so can he use a computer and have IT use the internet? if not, I'd like to know how I could just "use the internet" without a device to do it for me, as I still don't have the rj45 jack implanted in the back of my skull yet :(
No one writes jokes in base 13!
In the same vein ... he uses computers, they use the internet.
Think the judge would buy it?
The summary has "Clearly, disclosing security vulnerabilities doesn't pay." but clearly that is a typo and should be "Clearly, taking advantage of security vulnerabilities instead of reporting them may not pay."
If one of the Slashdot editors could fix that typo, please?
I think people are missing the point that--- this was a cross site javascripting exploit. It's possible he could have used it for far more malicious things than simply adding himself from one profile to the next. And we're forgetting how many hackers in China, Sudan, India, Nigeria, and the entire rest of the world who are far out of the reach of our political jurisdiction would likely use such worms, and exploits, for personal gain. Not to mention the number of hackers here, who probably wouldn't link such an exploit to their own personal profile and essentially dump their personal information right into the hands of investigators. I doubt this 19 year old knew such a simple and stupid worm would be so pervasive--- and what he stumbled upon is a security flaw in the design of javascript, and the standard security model for web browsers today. It's like, Myspace had a gigantic red button attached to it, and was just waiting for some kid to come along and push it... And we're lucky it was a kid, who designed it to be completely benign, rather than what potential flaws like this could have led to. I think making pushing a gigantic glowing red button a felony has several effects:
1.) Everyone who sees the gigantic glowing red button security hole, won't say shit about it (Even pointing out security holes can open you up for litigation these days). When they do, it's unlikely the hosts of will do much about it (I think it was no secret that myspace knew there were some possible script exploits and bugs in their site, they didn't do anything about it until this happened).
2.) Malicious hackers in countries outside of our political jurisdiction, or who are experts at hiding their own personal identities, will use said red button for their own personal gain for years, while successfully hiding it from the administrators of .
3.) A chilling effect among U.S. hackers, and security researchers, will continue to deepen, and China, and the rest of the world, outside of our idiotic computer-phobic society, will advance far beyond us in understanding the details of our own technology.
I think the punishment should fit the crime... This isn't justice. Perhaps they should order all of his friends remove themselves from his profile? Or... Perhaps they should order his personal website defaced temporarily--- and for him to then fix it.
We all want to know
Clearly, disclosing security vulnerabilities doesn't pay.
Clearly. Especially when you disclose a vulnerability by bringing a popular service to its knees through a self-propagating script and shut it down for extended periods of time while they try to repair the problem. And for that, he doesn't get any jail time, and has to spend some weekends picking up trash by the side of the road. The raging injustice.
This does not do justice to those security researchers who actually disclose vulnerabilities and are arrested for it. This is simply a bright script kiddie who stepped over a line, and was slapped on the wrist.
The ______ Agenda
I suspect that what the judgement meant to say was that he was banned from using a web browser. A classic example of how sloppy use of terminology leads to problems.
John
Actually, he probably can't get a job as a programmer anywhere. What good is a programmer who can't search Google?
I'm very disappointed with courts' willingness to ban people from computers and/or the Internet. I think they fail to understand the full impact that has in this part of the 21st century.
http://outcampaign.org/
LOL He sucks at life.
My penis has sex. I'm just attached to my penis.
No. The internet is the destination, the tool is the web browser. You cannot claim you're innocent of breaking and entering because the crowbar forced the lock open not you. You were just using the crowbar.
Using the internet for personal use means he is surfing and whatever else that can be done when at his direction. Ie, calling someone in europe is the destination, it doesn't matter if the call is routed over the internet at someone else's behalf. It matters that you are calling someone and used a service other than the internet yourself. But going to work and downloading the latest spec or company policy is at his employer's direction, he is the tool. Going online and chatting with his friends is at his direction and his problem.
One rule for Sony and one rule for Samy...
Sony screwed up lots of computers too. But all they had to do was pay some fine that's just a small percent of Sony's profit.
Yes he could have fought this further in court but when my $fighting > $settlement there's only one move to take. Plus if he went to jail then who would I go to Chipotles with?
-- botsex is {grep;touch;strip;unzip;head;mount}
Experiment with your own system, not other people's?
You've never studied law, have you?
Let them have their blissfully naive fantasy that they're invulnerable.
They do not want this fantasy; they want their customers to have this fantasy.
The visible big vault and security guards in an old fashioned bank were always for show. Modern banks dispense with them because the public no longer demands them.
KFG
If you ever find yourself in front of a judge, I suggest turning the geek mode off. It will help keep you out of the slammer for contempt.
what law did he break?
God Be Gone
1. He can't read /.
2. He can't surf for pr0n.
One is cruel. Both are inhuman.
"Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
Finally some common sense and well thought out reasoning in a thread primarily plagued by idiots. Regretfully /. has not blessed me with moderator points today, so I can only offer you kudos.
Perfect is the enemy of done.
Isn't a script kiddie someone who launches other people's exploits that are discoverable against targets?
I don't like what this guy did, but it was clever and certainly not something a script kiddie can do. Here's his explanation of his worm and how it worked. Clearly it took a lot of original effort and thought to do it.
D
I have mod points this weekend, but I can't use them in this article like I want to. I want to mod the summary "-5 Written by a biased and ignorant twit."
Tell me...if someone broke into your house, sat in your living room for a bit, and then left, but didn't take or damage anything, would you decide he was informing you of a security problem and pat him on the back and let him go?
The stupid bastard got off light. If you can't do the time, don't do the crime.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
My brother got busted and put on probation. It really depends on where and when and what you were doing to get yourself arrested.
He had monthly meetings with the probation officer, each time he had to pay the officer some $60 or so for the officer's time. Meetings were specifically scheduled during school hours by an asshat judge (because the only thing better for a society than a delinquent is a delinquent who fails out of school). He was not allowed out of the county. If he had been arrested for any reason his probation would have put him in jail, even if it turned out he was innocent or was just picked up by an asshole officer (something Houston appears to have several of, given the number of people arrested for "resisting arrest" but nothing else... what arrest were they supposedly resisting?). Getting so much as a speeding ticket would have had his license revoked (he gave the red sportscar he had been driving to our mother, who was pulled over twice by the same cop who apologized to her because her car "looked fast" [read: he thought it was driven by some little boy he could push around]).
Even with all of this, I think my brother would agree that it was superior to spending time in jail.
I mean if you tell them there is a vulnerability and they ignore it, and if you show them, you go to jail and pay huge fines, might as well sell the idea, pocket the cash and move on.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Revenge is a bitch.
I would find a way to take them down hard and hurt them bad. Jail me for pointing out a problem? That wouldn't fly.
---- Booth was a patriot ----
Though other posters have alluded to this, I'm going to come right out and state:
I think being banned from the internet falls under "Cruel and unusual punishment".
Although currently, many products and services still have a "physical world" work around, e.g., snail mailing your bill, subscribing to a magazine, enrolling in college and college classes, interacting with a bank account, some services do not, e.g., Slashdot, e-mail.
In present times, one can live without the internet (yes, yes, I know, but it's true!), but one will be greatly inconvenienced at the very least. Perhaps though, sometime in the not so distant future (10-20 years), one will not be able to fully operate in society without internet access.
This doesn't really address who is responsible for determining if the convicted person is using an internet enabled device, e.g., Tivo, Wii, PS3, cell phone, for terms of violating parole. They very well should have just banned him from using anything that uses electricity, takes batteries, etc.; Just absurd.
At any rate, this case helps further a dangerous and unjust precedent, such as used against Mitnick and countless others.
Yes, he was being a nuisance. Yes, he should get community service. No, he should not be banned from the internet.
Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt. (When catapults are outlawed, only outlaws will
He didn't sell it to the correct people.
The Russian mafia might have been interested.
I first read it as "Space Worm Creator". I was thinking, "Oh shit, B sci-fi nightmares are coming true."
Table-ized A.I.
I didn't RTFA, but it seems from the various interpretations of the probation terms given here on Slashdot that the article didn't have the actual probation terms given as written by the court. If I'm wrong, ignore this comment; but if I'm right, then everyone ought to just be quiet about how to interpret terms that nobody here has read.
Their punishment is probably less.
The Internet is most definitely not the destination. The Internet is the means by which the data are transferred from various web sites to the user's web browser. The Internet is used for many other purposes as well - it conveys e-mail (although it's not the only method by which e-mail can reach its destination); it carries telephone calls; it carries hordes of other types of data.
Thank you for demonstrating so comprehensively how accurate I was in my assessment.
By this logic, doesn't my computer use the internet, and I just tell it what to do? (I do get the point though, just being contentious)
Then all he has to do is convince the judge of this. But the judge might then be more spitefully inclined to also ban ATMs, phones, etc., except for business purposes.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
Don't you remember AOL? The runner-up would be any currently employed at the Whitehouse.
Besides, Myspace is evil anyway.
This sig no verb.
AIDS has already been invented. The best he can do is use his lawyers to magically patent someone else's prior art.
Help stamp out iliturcy.
30 kids jump three girls and break one girl's face in 12 locations. her eye is messed up and she'll have surgery that will require her to be vertical for every moment of the next 3 months.
http://72.14.253.104/search?q=cache:FYu26JgQc58J:www.dailybreeze.com/news/articles/5533226.html+long+beach+beatings+sentence&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a
the 4 sentences given to date don't appear to be as severe as this guy's sentence.
the injustice system is broken.
more sentences will be issued next week - expect more injustice...
Can he call up a friend and ask them to Google something, and read back the results?
Caveat Emptor is not a business model.
This would be rather hard to enforce, unlike some other 'banning' sentences.
---- Booth was a patriot ----
Try again. The article was quite clear - this is a ban from accessing the Internet, not the web.
The Internet is much more than just a bunch of www addresses.
As for those who say it's safe to ignore what was written because it wasn't the "real intent of the judge" - consider all the people who are convicted of assault with a deadly weapon because they used running shoes (the "deadly weapon") to kick someone. http://www.legalwritingprep.com/Cases/Burglary/Mummey.htm
[17:23] * Samy has been banned from teh Internets (Connection reset by court)
"Can he call up a friend and ask them to Google something, and read back the results?"
Not if he or his friend is using VoIP :-)
Seriously, a ban on all net access would have been no big deal 20 years ago ... today it's far-reaching.
That's not what he did. If that were his true intent, he would have contacted MySpace about the vulnerability. [...] To call this an altruistic attempt to help MySpace is akin to calling the guy who broke into Buckingham Palace in the 80's
I have no idea what this guy's motivations were. I do know that holding the people who break in responsible isn't working. The only thing that works is to hold the people responsible who can actually make the system secure, and that's companies like MySpace. "Holding responsible" means imposing stiff penalties on them for subjecting their users to crappy, insecure, risky software. As a side effect, people like this should go free.
If we continue with the current approach, letting companies point the finger at teenagers, our data and our software will never be secure.
It seems, however, that creating security vulnerabilities does pay. Why, companies like MySpace and Microsoft can always shift the blame on some teenager or "computer error" or a careless employee.
Unlike physical security, making a computer system secure against teenage hackers is not rocket science. This vulnerability was clearly a MySpace screwup, and they should be held responsible and pay the price for it. That principle may not be so important when it comes to MySpace (because there is little of value there), but it becomes of paramount importance when it's your bank or your hospital.
People who offer commercial services using software should be responsible for the safety and security properties of that software. And in order to prevent those companies from blame-shifting, the people breaking in should be held responsible only if they demonstrably attempted to commit a real-world crime other than simply breaking into the computer system.
So credit card companies that use the internet do so on their behalf. The boss that does the same and gives you the printout of slashdot did it on his behalf. When you do the same on your behalf, it becomes a problem if you were him. It isn't that confusing at all.
Yeah, good luck enforcing that.
Where the hell is the punishment for the corporations that are "losing" private data of their customers because idiot employees are allowed to take home unencrypted laptops? Or backup tapes just disappear. Oh wait yeah, they have money to defend themselves and those big biz fat cats are all fuckin' pals anyway. This country sucks now
No sig for you!!
I know Samy personally and he is one of the smartest and most level-headed individuals I know. This is the case where a joke went a bit awry but it could have happened to any of us. He specifically made sure he wasn't malicious in what he did but the side effect of overwhelming MySpace's server was unintended.
This is no different from the Morris worm. The sad fact is that he got prosecuted whereas the hundreds of botnet operators overseas and here in the US continue to wreak the real havoc on networks and infrastructure totally immune from prosecution.
Samy got caught because he put his name on what he did. It's sad that that is the only basis for prosecution of computer crimes in this country. The good guys at the FBI and USSS don't have enough clue helping them to bring in the real criminals.
-david
# Hack the planet, it's important.
No, because you don't get to be a judge if you're an autistic fucktard with an overly literal interpretation of everything that lands in your docket. Grow the fuck up.
comma
"Um, how was what he did criminal? The MySpace interface to the world allowed this. Just because MySpace did not like it? It is not like he went on someone else's property uninvited. Did he delete any data? Did he see any data he was not supposed to see?"
If we're going to go with a "property" analogy then yes, he was invited to every building in the city. Then he spraypainted a wall with graffiti and moved on. Sure, 3 years might seem a bit much for vandalism, but then there were SO many buildings to clean up.
3 years of probation and 3 months community service? That's a slap on the wrist, and he should just suck it up and be happy he got off lightly.
When non-criminals stop writing worms, only criminals will write worms.
My friend says he got fired from a company for 'criticizing' security flaws that let you change any user's passwords in the last version of Drupal (not the current version)
The company, markerseven.com, fired him without pay and he was just trying to get them to upgrade their software
"Clearly, disclosing security vulnerabilities doesn't pay."
He exploited the flaw before disclosing it. If he had just told myspace then there probably would not have been a problem. What you are really saying here is "Committing a crime and then owning up to it doesn't pay". Well, duhh.
ClosedSource: It's not possible to create a large software product that is 100% unexploitable.
Schraegstrichpunkt: Nonsense. You're only saying that because no one ever has.
Yes, I'm putting words in your mouth, but one doesn't always need a theorem to recognize truth. If you turn out to be right like Wesley and you've created a non-exploitable software product, let us know. In the meantime, watch out for those ROUS's er, I mean bugs.
You can make exactly the same argument about being banned from driving, especially in rural areas with little or no public transport. For me, this falls firmly in the "can't do the time, don't do the crime" category - people who abuse things to do stupid things and make a nuisance or danger of themselves should lose access to those things for a period of time.
It's official. Most of you are morons.
"asshat judge" - "asshole officer" "(something Houston appears to have several of)"
Who's to say if the AC who wrote this and his brother were also "assholes", and for this he was arrested? Seems according to the writer, there are a lot of assholes where he lives.
A weary traveler arrived at the city gates, and asked of the gatekeeper, "What manner of people live in this city?" The gatekeeper replied with a question, "What manner of people live in the place you come from?". The traveler replied, "They are good people". The gatekeeper said "You'll find the same sort here".
A while later, another traveler approached the city gates, and called out to the gatekeeper - "What manner of people live in your city?". As before, the gatekeeper replied with the question "What are they like where you come from?" "They are all assholes" he replied. The gatekeeper responded "You'll find the same sort here".
Know what I'm sayin'?
At this rate, you'll have hookers giving you hummers at gunpoint in no time.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Despite all that you've said about what it means to be banned from the internet, there are really only two people's opinions that matter:
1. The Judge
2. His Probation Officer
My understanding of "banned from the internet" essentially means no IRC, no e-mail, no IM, no social networking, no WWW, no online games, no gopher, no browsing the internet at the library, no internet anything over the cellphone, etc etc etc, unless it is in the course of his job.
I imagine he'd have to ask his PO's permission to use something like Skype, Ventrilo or Xbox Live, but otherwise, your assertions about ATMs, speedpass, self-checkout aisles etc. are all irrelevant & I don't know why you keep bringing it up.
The point of the internet banhammer is to punish him for releasing the worm. If he manages to do it again, but from an ATM or over VOIP, I imagine he'll go straight to jail if they find out.
Judges aren't stupid & this isn't the first time someone has been banned from the internet
[Fuck Beta]
o0t!
This question has come up time and time again on Slashdot. Bottom line: If you see a vulnerability, and you do nothing, you have no risks. If you see it and you disclose it, you risk huge legal fees, conviction, etc, and THERE IS NO REWARD FOR IT! You gain NOTHING. The only reason to disclose it is out of ego, and that doesn't get you very far in life. I once disclosed a vulnerability, and it was stupid of me to do it. I should have left it alone. Fortunately almost nothing happened to me (I was very very lucky), but this was an earlier time. Now there is no sympathy from anyone, so just DON'T!
I swear there should be a mandatory 1-semester CS class, called something like "computer science in the real world: the business and life realities of being in the software biz". Teach programmers not to trust businesspeople, teach them that business partners are not friends, teach them that the FBI is not your friend, teach them to say nothing to law enforcement people in general, teach them that disclosing vulnerabilities is always a mistake, teach them not to care what happens to other people, teach them to focus on money and their careers, etc. These simple facts should be tattooed in your brain if you work in the software biz.
Ok, frankly this guy is a dumb ass. Sure, he was clever enough to find an exploit but obviously not clever enough to test it in a way that couldn't be traced back to him. This guy wasn't disclosing security bugs; this guy was doing something he thought would be "cool". After all, being able to have a T-shirt made up that says "I hacked myspace" would have to be one of the greatest achievements anyone could do with their life. If this guy was a D&D character he'd have moderately high intelligence and very low wisdom
Or does there seem to be something inherently funny about the phrase "banned from the internet"?
It's like an international grounding!
There is a difference between impossible, and has not been done yet. Are you actually disputing that?
In any case, it doesn't matter. You don't see them often, because they tend to be more expensive than your typical off-the-shelf software, but unexploitable, non-trivial software systems do exist. A popular example is qmail. Yes, it has bugs, and is suffering tremendous bit rot, but it's a nice example of how to design a large software system to be resistant to remote exploitation in the face of implementation flaws.
The trick is to limit the number of points where the system can fail in an exploitable manner, and to build the system so that exploitable bugs will cause frequent and obvious failures (and therefore never find their way into releases).
You're taking the notion that all non-trivial software has flaws---something I would agree with---and generalizing it to say that all non-trivial software has remotely-exploitable security holes.
http://outcampaign.org/
"There is a difference between impossible, and has not been done yet. Are you actually disputing that?"
I'm saying that having multiple teams trying very hard to do something and all failing is much better evidence of the task being impossible than possible. Do you dispute that?
"but unexploitable, non-trivial software systems do exist. A popular example is qmail."
I'm not sure that qmail could be described as large (I never said "non-trivial"), but a little research indicates that exploits have been reported.
"You're taking the notion that all non-trivial software has flaws---something I would agree with---and generalizing it to say that all non-trivial software has remotely-exploitable security holes."
I guess you're assuming that while all non-trivial software has flaws, the security related parts of the program can be immune somehow. If one can't eliminate all the bugs from those parts of the programs unrelated to security, what evidence is there that they can be totally eliminated from those that are?
...MySpace is my hero
I actually knew Samy. Sucks that all his internets are belong to the court system.
remind me how one would impose a ban on the internet when it can be accessed all around the world, wirelessly to boot? why not just say no computers or cellphones...heck, say no more electronics. but seriously, the only way to enforce it would be to have a guard with a shotgun handcuffed to him at all times... 0.o oh well, "do the crime; do the time", i guess.
remember- if the world didn't suck, we would all fall off!
Absolutely. Having multiple teams trying very hard to create powered human flight all failing was not evidence of its impossibility, and it isn't here either. A bunch of people doing the wrong thing doesn't have any effect on someone doing the right thing. If anything, it makes it more likely that somebody will discover what the right thing is, because they have lots of knowledge of what doesn't work.
The fact remains that computers are deterministic machines that only do what they're programmed to do. If you don't program them to have specific mechanisms of being remotely exploitable, they won't be.
"I'm not sure that qmail could be described as large (I never said 'non-trivial'), but a little research indicates that exploits have been reported."
What exploits are those?
"I guess you're assuming that while all non-trivial software has flaws, the security related parts of the program can be immune somehow. If one can't eliminate all the bugs from those parts of the programs unrelated to security, what evidence is there that they can be totally eliminated from those that are?"
http://outcampaign.org/
One of the reasons for these "toys" is to let the person get an idea of how dangerous they are and respect other weapons. Usually they are thought of as toys but are really weapons. They are effective as hunting weapons and unless intentionally used in a dangerous way, the accidents cause less damage than say a
On the tennis shoes, yep, I can also see those as being used as a tool to do serious bodily harm. But that would depend on the reasoning for selecting them in the first place. If he wore them because they fit good and had them on at the time of the assault then no go on the dangerous weapon. But if he wore them because he could kick harder wearing them or because the cleats would cause more damage then definitely a deadly weapon.
I remember a time when I wouldn't go into a bar without my work boots on. The exact reasoning was because they had steel toes, were stiff enough to convey all the force of a kick and offered good traction and support for the ankle if I needed it. In other words, I planned on stomping someone to death if anyone screwed with me. I specifically chose to wear the boots because it offered what I perceived as an advantage to a fighting situation. But that doesn't go to this situation. I read the article at a couple of different sites. It is a little more detailed there and specifically states that he can use a computer but can only use a computer and access the internet for work-related reasons.
I have also read the article posted by submission. It appears the one the submitter posted lacks some information. However, which one is more correct, we won't know for a while. I guess this is where our differences are coming from and if you read the other articles about this, you will probably think a little different. It might not mean you agree with me but you will see a different side of it. Take a look at them. I linked to them above and they definitely add a different perspective.
That being said, and if the ruling/judgment/penalty was "no internet at all" and not how the other two articles describe it, then I would agree with you. However, I find it difficult to fault him if Sprint uses the internet to route calls and he is just calling the theater to see the show time even under a strict interpretation of "no internet at all".
That post was too funny to be a troll. It was obviously not serious, and facetious on many levels. Oh well, I guess I have a bit of karma to burn. But seriously that was lame. Come to think of it many people here are lame. We need to work on applying the lameness filter to mods, and general readers of the site. When you attempt to access slashdot it does an ajax request to search google for things you've done on the web and evaluates a lameness quotient. Too many postings on anime sites, and you're banned for life. Now attempting to access slashdot will result in a custom 500 error message ERROR 555 User too lame to access site! we know who you are and we don't want you here .... ever. Go somewhere else, or just wait and this page will redirect you to a known exploit site. Unfortunately we've determined that the owners of the botnet will make better use of your computer online than you have. May God have mercy upon your soul, but we have no such divine patience.
Well.. maybe. Or Maybe not. But Definitely not sort of.
using them is another
Giving IE users a taste of their own medicine since 2005 - http://pods.-is-a-geek.net/
The guy obviously knows what he's doing with respect to computing, so I doubt he'd have problems hiding traces of his browsing activity from his probation officer. Hell, there's a feature in Safari (Private Browsing) designed exactly to hide all traces of your browsing activity.
And let's face it, cops aren't exactly computer geniuses either. If he just used Internet Explorer for his legitimate stuff and Firefox for the illegal stuff, he'd probably effectively hide his activity. Since, you know, Internet Explorer is "the Internet".
The poster to whom I was replying argued that the sentence did not prevent the use of the Internet provided it was indirect. I was just pointing out the flaw in his argument - it can equally well be applied to justifying the use of a web browser. It's a standard logical technique called Reductio Ad Absurdum, or RAA. You demonstrate that either an assumption or an inference is flawed by pointing out that, if correct, it leads inevitably to a false conclusion.
"If you ever find yourself in front of a judge, I suggest turning the geek mode off. It will help keep you out of the slammer for contempt."
You clearly have no concept of how lawyers work. They thoroughly out-geek geeks when it comes to analysing and relying on precisely what was said rather than what was meant. In this case it's pretty clear that the judgement doesn't say what it meant to say, because of sloppy use of language. Unfortunately, what it meant to say doesn't matter - what matters is what it does actually say.
"What exploits are those?"
Google it yourself and find out. In my view if qmail has ever had a hole, it hasn't met the criteria.
As far as your bullet points go, equal care could (and has) been done for other types of software that ended up with bugs anyway.
But don't forget the context of this discussion which is whether the criminal or the software writer is responsible for creating an exploit.
I'm your master, you're my slave.
And I get to change the terms and conditions anytime I like.
Have a nice day!
P.S. Only the last sentence of the summary is really a troll, that little tickle that got you to post in this thread. The rest of it is debatable, so here we are.
It worked, eh? While I did make a mistake RE: wording ("litigation" and "target"), I think the summary achieved the intended effect. The rest of the summary was objective news, the last line was to get ./'ers into a frothing mess. It worked ;-)
To give you a RL example, publishing a paper about the vulnerability of locks with master keys (yep, one actually exists) is OK. Using that knowledge to break into every office in the building and vandalize it, is _not_ ok. The former is disclosing a vulnerability, the latter is breaking and entering. There is no law against the former, but there _are_ laws against the latter in any country.
Or in a similar vein:
- writing about what the limits of Kevlar vests are, is ok, shooting a SWAT trooper is not ok
- notifying a bank about a blind spot with their camera layout is ok, using that to rob the bank is not ok
- notifying a company about a vulnerability in their proxy or mail server software is ok, using that to add your name to all their internal mailing lists is industrial espionage, among other charges that you'll face
Etc.
And it seems to me disingenuous (and retarded) bullshit at its finest to pretend that a case that was purely about the latter, is somehow punishing the former.
Here's a fun concept: The fact that you know a vulnerability doesn't automatically entitle you to use it at other people's expense, and that use does _not_ count as just disclosing a vulnerability. The idea that with great knowledge or power comes great responsibility to abuse it, simply isn't recognized by any RL code of laws.
Here's another fun concept: RL security, which is where we got those laws and legal concepts from, is _not_ based on some nerdy wild-west notion that if something isn't 100% secure then it's fair game for anyone who can break in. RL security is based simply on the law. You may know how to break into something, but we'll throw your sorry ass in jail if you actually do.
There are a lot of people who know how to steal your car or house. Yes, it's not secure. A brick through the window works just nicely. And everyone on the street knows it. But if they actually break in, we're gonna throw them in jail. _That_ is the deterrent and security factor.
It's just not feasible and it makes no economic sense to demand that everyone builds their house as a bunker, with bulletproof windows and a vault-like steel door. And then someone comes around with a bazooka, so better stand guard with your shotgun 24 hours a day. 'Cause you know, if they do break in, it was just showing that you didn't have enough security. It just doesn't work that way, and doesn't scale. It's cheaper for society as a whole to have a few cops and judges.
And I fail to see anything wrong with extending that concept to computers too. No, hi-tech as IT may be, you _don't_ automatically have a right to cause damage if you can. You may think that society owes you some great power for your being so nerdy and smart, but it actually doesn't owe you jack squat. Certainly not a right to be above the law. It doesn't work that way in any other domain, so I fail to see why IT would automatically be different. We don't give a top surgeon (and that's a very smart guy too) a right to murder, so I fail to see why we'd give a computer nerd a right to break into other people's computers.
A polar bear is a cartesian bear after a coordinate transform.
Reduce, reuse, cycle
"No, because you don't get to be a judge if you're an autistic fucktard with an overly literal interpretation of everything that lands in your docket. Grow the fuck up."
This is an American court we're talking about. You can be a judge in the US with NO special qualifications beyond some well-connected friends.
http://www.uscourts.gov/understand03/content_5_0.html
So even YOU could in theory become a judge. Just brown-nose Mr. Chimp.
Go read the description of the attack. He used MySpace as a host for content which would have been harmless CSS were it not misinterpreted as Javascript by a buggy Internet Explorer, causing the compromised client to post a new copy of the malicious code. It's not MySpace's fault that IE has bugs. They were spammed, not exploited.
I don't like MySpace either, but that's no reason to speak falsely about what happened.
In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
P.S. of the 3 articles on Google News submitter picked the least informative one.
Are you kidding? This is the "nerd" site that links to the Wall Street Journal for tech news when a far clearer, more informative, and less inaccurate article is on Security Focus (or sometimes even Highlights for Children) and to Fox (FOX!!!!!111ONEONEONE!!!!) for science news when you can get a far clearer, more informative, and less inaccurate article damned near anywhere else.
You can always count on an article linked from a /. blurb to be the most inaccurate, least informative, least clear and to have one paragraph per page when the whole thing is only 1k long.
I never RTFA. I just go to Google News and find a less clueless FA. Then link to it from a comment so I can keep excellent karma (and post comments like this anonymously).
Slashdot's strength is in its readership and moderating system. Its biggest weakness is its "editors".
I've known Samy for a few years and I'm glad to see that all of this was finally finished....(minus the community service, and all that other bullshit.) ;)
Just glad to see that he's not going to be behind bars for any period of time. Fuck you Myspace, and fuck your lame admins, users (DOH, I'm one of them..) and all the companies that shove their ads down our throats just by trying to view their page. Find something better to do than run a very brilliant coder through legal hell and back because you can't man up to the fact that your coders/admins don't know what they are doing. His worm was put out there AFTER it was patched/or patch provided. Hmm.....Whose fault is it now that everything was exploited? I used Firefox when I learned about the worm from Samy.....Never got me
If you still search on google, for the string 'and most of all, samy in my hero' on myspace.com there's TONS of people who still haven't changed the code in their 'hero's portion..
You go Samy! - And most of all, Samy in my Hero!!
you and your friend are gay
What, this? That's not a remotely-exploitable security hole. It's not even a DoS hole, because a separate qmail-smtpd gets run by tcpserver for each connection. You claim that qmail has remotely-exploitable security holes. Again, I ask you for evidence.
As far as your bullet points go, equal care could (and has) been done for other types of software that ended up with bugs anyway. You can do formal analysis of software the size of, say, OpenOffice.org? You claim it has been done. Again, evidence? Not that it would refute my argument, because other people doing it wrong does not preclude someone from doing it right.
But don't forget the context of this discussion which is whether the criminal or the software writer is responsible for creating an exploit. You made a strong statement ("X is impossible") backed by a bogus claim. I called you on it, and now you're saying that it doesn't matter---that you're right anyway? I'm not convinced.
http://outcampaign.org/
OK. I can't prove my claim that it's impossible. You claimed that qmail has no exploits. Prove it.
I'm reading through these comments and I'm thinking "Either a bunch of dumb kids are logged into /. or else common sense is severely lacking in the IT community at large."
As a hacker/security professional (and no I ain't no white hat) this is what I'm seeing:
"The author of Samy was bad and got punished. Don't be bad and you won't get punished."
Have the sheep really bought into the whole post-9/11 Fascism that deeply?
Let's see if the audience can handle a few simple truths:
Commercial vendors (and MySpace isn't a vendor, but they use commercial products) have absolutely zero interest in fixing security vulnerabilities. That's just simple business, kids, because security vulnerabilities cost money to fix, and businesses are in business to make, not to spend, money.
Security holes are out there, and unless you think that burying your head in the sand a la South Park is a strategy then you have to realize that curious and intelligent people are going to find those holes.
Hackers/security professionals/intelligent kids are not going to stop being hackers/security professionals/intelligent kids just because you don't like it/are scared of it/are too ignorant to deal with it.
I swear reading this stuff has upset my insides. All the years I've been in the scene and I still cannot figure out why there are so many ostriches with no ability to reason.
BTW the analogy to the Morris worm is nowhere near accurate. The worm damn near crippled the 'Net (BITD), Morris Jr. *was* charged, and only the fact that his dad worked @ NSA saved him from doing time. BTW Morris is the original. FWIW Kevin Mitnick (Hi Kevin) went through more, got less out of it, and he was almost an entire generation after Morris.
How about we hand out medals and jobs to the intelligent researchers who *don't* maliciously exploit the holes that they find, instead of vilifying them and punishing them? Of course, that would require the people at companies like MySpace to get a clue, and something tells me that that's too much to ask from them.
Curse Sir Tim Berners-Lee for eternity for allowing all the plebes onto what used to be a pretty k3wl computer network.
=;^)
Even your list goes well beyond what many people think of when they think "Internet."
There are a lot of people who still think "Internet" means "Internet Explorer"
Quick question to put it all into context: Can you even buy a cell phone or laptop that *doesn't* have internet connectivity (browser, email, IM, etc) built in? The internet is getting hard to avoid nowadays ...
There are several other articles on this, and the only one linked to in the submission was also the only one that described the internet ban as an all-inclusive, flat-out internet ban. All the other stories said something to the effect that he couldn't use a computer and the internet, but presented it in the way any typical user would use the internet. They didn't present it as if he couldn't use anything that uses the internet, just that he couldn't use it.
Now the destination was a figurative expression describing the intent of the person. It wasn't meant to include going to www.slashdot.org, it was meant to describe the reasons he was accessing the internet. So when you look at an intent of an action, you need a beginning, a path to accomplish it, and a final expected outcome. Using the internet as the destination or final outcome is perfectly fine in this situation even though he might have been wanting to download some package using FTP or something. In this case, he is intending to use the internet, whereas if he is intending to use a credit card and the CC company uses the internet, he is intending to use a credit card and not the internet (even if he suspected the CC company of using the internet). Same with an ATM machine or a telephone call.
I'm not sure why this needs to be more difficult than it is. Or why people cannot understand the basic principle of who is using what for what reason.