MySpace Worm Creator Sentenced
Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the target of MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" were not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20-year-old (19 at the time he wrote the worm) three years of probation, three months of community service, an order to pay restitution to MySpace, and a ban from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."
Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.
Being part of a group of Samy's RL friends, we're not sure what his restitution is, but he is very likely not allowed to disclose it. We're just glad he's staying out of prison. Everything else is a secondary concern.
I couldn't agree more. The 'slant' on this story is completely ludicrous. He never intended to disclose a security vulnerability. The completely ethical crackers that disclose their work send the information to the company who owns the product and tell them that if it is not patched in a reasonable amount of time that they will release the information. The quasi-ethical crackers that disclose their work send it to the mailing lists as a 0-day often with working exploit code as a proof of concept. This guy did neither. He discovered a flaw, and used that flaw to his advantage. Yes, it was pretty funny, and it didn't actually harm anything specifically. But it did take up system resources, and it did take many hours to clean up the 'damage'. Nothing he did at that point was altruistic in nature, as the poster would like us to believe. You are not free to do anything you want on the internet. You are, for the most part, free to do anything you want to your own server running your own software on the internet. This guy did neither (he doesn't own the servers, nor the software).
A nice example of how to deal with friendly hackers/crackers in an adult way is in the Terms and Conditions of Dutch ISP xs4all:
http://www.xs4all.nl/uk/overxs4all/voorwaarden/index.php?taal=en
4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.
The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.
If more companies had a similar and well-publicized policy, guys like Samy might not have to go through all this legal grief.
And the companies would gain a lot of security.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
I can tell you that before I saw his account of the situation, I wanted to let anyone do anything they wanted on my fledgling social networking site. I agree, this account is required reading for anyone wanting to create a community site.
What he did and how much time and effort he was willing to put into it shocked the heck out of me and caused me to put very strong anti-JavaScript code into my site. I didn't want to do it because I wish we could have given people the freedom to be creative in that arena. But after I saw what he did I felt I had no choice.
That being said, the reality is that he did an enormous amount of damage. He says things were back to normal at myspace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.
From the point of view of the folks who ran myspace, what he did caused untold misery and pain for many people, and I think he deserved a heavy punishment.
Not that I really think he will avoid using the Internet for social purposes no matter what the courts say. And I really don't think probation or community service seems like that heavy a punishment for someone who deliberately disrupted a service, however disliked in some quarters, that many people rely on.
Samy and people like him make it a difficult, miserable and thankless task to create services that hopefully will do nice things for people. They make people like me waste our time trying to figure out how to restrict things, when we'd much rather produce fun features people will use and enjoy. Samy's account made me laugh, but it also made me furious that human nature is so pointlessly destructive.
I hope the sentence deters people from doing similar things.
I wonder how much he had to pay Myspace. Does anyone know?