Slashdot Mirror
MySpace Worm Creator Sentenced
Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."
Stop writing malicious scripts.
The dangers of knowledge trigger emotional distress in human beings.
I'm curious what exactly paying restitution entails in this case, as there was no actual damage. The only thing I can imagine is paying the wages of the people who went into to remove him as a friend from all the people who were affected by the hack, and maybe the wages of the people who were analyzing what was going on.
I realize the sentence but... how can this be enforced? For how much time?
Banned from using the Internet? Is that like the opposite of house arrest?
Space game using normal deck of cards: http://BattleCards.org
"The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation."
AFAIK, a civil court (which is where MySpace would have to sue Samy) doesn't ban people from the internets or sentance them to community service. And TFA says he pleaded guilty in LA Superior Court... you don't plead guilty in civil court.
Here's a better article
Samy Kamkar (aka 'Samy is my Hero') plead guilty yesterday in Los Angeles Superior Court to a violation of Penal Code section 502(c)(8) as a felony and was placed on three years of formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and had computer restrictions placed on the manner and means he could use a computer - he can only use a computer and access the internet for work related reasons.
Undoubtedly, the prosecutor had MySpace's cooperation, but MySpace certainly didn't "target him" in court.
P.S. of the 3 articles on Google News submitter picked the least informative one.
[Fuck Beta]
o0t!
The kid wasn't malicious, it was a joke. If anyone should be punished it's myspace for having such a crap web application that allowed a worm to replicate so quickly.
From what I've heard of the quality of MySpace code and given it's popularity, the site is the nets #2 liability behind Windows zombies.
Clearly, disclosing security vulnerabilities doesn't pay.
The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.
Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.
http://uncyclopedia.org/wiki/Banned_from_the_Inter net
:-P
he's not from detroit is he?
The way things are in the U.S. today (and getting that way elsewhere as well), it looks to me like it's simply not worth revealing security holes to the corporations that have them. All they'll do is either sue you into oblivion or get you criminally prosecuted. They sure as hell won't thank you.
So I think it's time to let these corporations have what they want. Let them have their blissfully naive fantasy that they're invulnerable. They don't want to hear anything to the contrary, so why tell them? Let them and their customers suffer. It sucks that their customers will suffer, but if their customers suffer, then perhaps (unlikely, I know, but still) they will suffer too. And for having such a simultaneously naive and arrogant attitude, they deserve to suffer.
Instead, if the target in question is running open source software, inform the author(s) of said software about the security vulnerability. Include a fix if you can. They'll be far more grateful for your effort than any of these piece of shit corporations will.
The end result? Open source software gets fixed, because vulnerabilities get reported to those who can do something about it, and closed-source software remains vulnerable. That gives open source software even more of an advantage than it already has, thanks to the blind arrogance of the corporate idiots who would prefer to harm the messenger rather than fix their own problems.
Sounds like a win-win deal to me!
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
A LOT of voice traffic is carried, at least in part, over the internet. The only way he can be banned from the internet is if he never, among other things, uses a phone (landline OR cellphone).
It also means being banned from certain fast food drive-through windows, where the person who says "can I take your order" is actually sitting in a center in another state.
It also means not using a bank ATM card.
Or digital cable TV.
Or the self-serve scanners at the local Wallyworld, since they're connected to a local server, which is in turn connected to the net at large.
Or any pre-paid gift card/cash card, since they're validated via the net.
Or a speedpass to pay for his gas. Same problem - accessing the net to validate.
So, if he gets a job writing spam, is he legal?
Yes, because the judgement is obviously meant to be interpreted by a literal-minded nerd.
Thankfully our legal system has more common sense than you. He can use TV, ATMs, and phones. THEY use the Internet, he uses them.
Sigh. He released a frikin' worm, he didn't just pick up the phone and say "Your service is vulnerable to X". He actually exploited the vulnerability. It's like instead of telling someone that the lock doesn't work on their door, you instead go in, sleep in their beds, drink their beer and rearrange their furniture. Telling them the lock doesn't work? A nice neighbourly thing. Going in and rearranging their house without their consent? Criminal trespass.
Oolite: Elite-like game. For Mac, Linux and Windows
And this is something to be thankful for, because where would we go if people obeyed the letter of the law (or judgement) instead of their perceived spirit ?
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
This is something I just don't get, the mindset that so many people seem to have that when it comes to comptuers, if you can do it, that should make it legal and acceptable. No, that's not the case. Being able to do something doens't make it ok. I highly doubt there's more than a handful of peopel on Slashdot with houses so secure that I couldn't break in to them. Home security is usually pretty basic. However that doesn't make it ok for me to do, even if my intent is simply to prove that it can be done. It's your house, I'm welcome to stay the fuck out unless you give me permission.
Same is true of a computer. Just because there's a security hole on a system, doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.
In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative, however if I catch you jiggling the door knobs, checking the windows, etc I'm likely to interpret that has malicious, even if you intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However don't sniff around looking for holes unless they've given you the OK.
This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.
(b) Kamkar used this exploit in the real world, effecting one million accounts (and even he isn't being 'put away').
The writeup is misleading when it says:
The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability.
The author used the script it to add over one million 'friends' to his profile, MySpace then addressed the issue. Obviously the source was released *before* it was patched (that's fundamental to how the exploit worked). All he did after the event was post a more detailed explanation of how he developed the exploit.
Note, he didn't circulate that that to anyone before hand or tell MySpace about what he had found - he just decided to go right ahead exploit the vulnerability.
I don't believe for a minute MySpace - as much as I dislike the site and most of it's users - would go after someone who, on discovering the issue, actually went to them first and told them about what they had found (or even if they'd just published notice of a theoretical vulnerability via something like a known and respected security mailing list).
Kamkar did none of those things, he just decided to go right ahead and exploit the hole and play at being a haxor. Given he was 19 and so clearly old enough to have known better, three months of community service and being forced to pay restitution to MySpace sounds about right to me.
One less guy like that on the Internet for a while is something I'd welcome too.
I guess you don't value other people's time. Time spent cleaning up their profile. Bandwidth wasted on this stupid little look-at-me script.
Punishment more than suits the offense. If you don't want to be inconvenienced and have your time taken from you by the legal system, don't inconvenience other people and steal their time.
Simple formula.
The problem is that judges, juries and prosecutors aren't really comfortable and familiar with technology so they apply the law stupidly and literally. Kinda like the same way some earlier comment took 'no internet' to mean not using any device that happens to utilize the internet.
I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now obviously it would be a bad idea to do this as it would be a bad idea to run this myspace worm, however, because the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates, having strong punishments for behavior that can be used maliciously but showing mercy when used more innocently.
In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus in their mind far from a kid playing a trick on a company that left the door open the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real world equivalent of rearranging the books can be made to seem the activities of some kind of online underground.
Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info etc..) the prosecution just talks about how it was a DOS attack and the jury isn't going to know any better. In fact it is all to easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never resorted the books). Finally this lack of knowledge and the difficulty valuing IP makes it super easy (as in the mitnick case) to over estimate the seriousness of the harm. Even if it may have actually made more people visit myspace (I looked).
Obviously it isn't a good idea to release a javascript worm like this but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology it would do just that.
If you liked this thought maybe you would find my blog nice too:
I'm taking a grad course in infosec, and our prof told us about a case where an engineering student found a vulnerability in his department's website. Wasn't even looking, just stumbled upon it. He reported it to his adviser, who told the department, and it got fixed. The next semester someone exploited the mathematics department's site, and the first person they questioned was the engineering student. Different department, different exploit, but they focused on him first since he reported a vulnerability. They eventually found the real person responsible.
We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student- what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?
Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"
Vote monkeys into Congress. They are cheaper and more trustworthy.
A COMPUTER uses the internet, he uses the computer
Nice use of black and white. Clearly he can't use a library's website to check if a book is in stock, but if he went to the library and took out a book, and they asked him for his name, address, phone number, and the data is sent to their online server, is he using it then? If the librarian sudden got a bout of Carpal tunnel syndrome and asked him to type in the details would he be allowed to do that?
Does he simply have to ask someone else to enter things in order not to "use" the internet?
If he shares his computer with his roommate, and the computer updates the definitions of the firewall he installed, who's using the internet? if it asks for confirmation? if he presses the "update definitions now" button?
Stop writing scripts. Someone could deem them "malicious" and you're history. Just don't write any. To be on the safe side, do not engage in witchcraft practicing like IT, OSes etc. Leave dangerous experiments to professionals. It already takes a lot of time for them to manage their trade on bigger projects, so it's not for you anyway, you miserable kiddie.
Which brings us to an analogous point, stop playing scientist, too. The government has extensive facilities to determinate current trends in climate behaviour change. Alarmist declarations which negatively impact sales by some of our respected oil industries will be considered criminal activity, for them deprive such noble corporations from their hard earned profits.
Unfortunately, people won't get this, therefore I'm forced to explain the joke: it's sarcasm.
by this logic, doesn't my computer use the internet, and I just tell it what to do? (i do get the point though, just being contentious)
If he had only knew about proxy servers :(...
and didn't put his name everywhere
The worm didn't do anything
I was under the impression that it:
added Samy as a friend of anyone hit by it
used computing resources without permission
required human intervention to clean up afterwards (removing the data, not just patching the hole)
Even if you discount the second two points, the first is indisputable - it had a payload. The payload wasn't malicious, but it was still a payload.
It's like trying to rob a bank with an orange water gun.
Depending on the circumstances and how you do it, that could get you shot dead. At the very least, you'll likely be charged with something along the lines of using an imitation firearm to threaten people, attempted robbery, and if it could be demonstrated that you were convincing enough (eg you had the water pistol covered so only the shape was apparent) potentially even with armed robbery.
Don't think you might end up shot? Think again.
It's official. Most of you are morons.
Actually, he probably can't get a job as a programmer anywhere. What good is a programmer who can't search Google?
I'm very disappointed with courts' willingness to ban people from computers and/or the Internet. I think they fail to understand the full impact that has in this part of the 21st century.
http://outcampaign.org/
Woosh!
One rule for Sony and one rule for Samy...
Sony screwed up lots of computers too. But all they had to do was pay some fine that's just a small percent of Sony's profit.
Yes he could have fought this further in court but when my $fighting > $settlement there's only one move to take. Plus if he went to jail then who would I go to Chipotles with?
-- botsex is {grep;touch;strip;unzip;head;mount}
A nice example of how to deal with friendly hacker/crackers in an adult way is in the Terms and Conditions of Dutch ISP xs4all:d ex.php?taal=en
http://www.xs4all.nl/uk/overxs4all/voorwaarden/in
4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.
The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.
Would more companies have a similar and well published policy guys like Samy might not have to go through all this legal grief.
And the companies would gain a lot of security.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
1. He can't read /.
2. He can't surf for pr0n.
One is cruel. Both are inhuman.
"Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
Isn't a script kiddie someone who launches other peoples' exploits that are discoverable against targets?
I don't like what this guy did, but it was clever and certainly not someone a script kiddie can do. Here's his explanation of his worm and how it worked. Clearly it took a lot of original effort and thought to do it.
D
Though other posters have alluded to this, I'm going to come right out and state:
I think being banned from the internet falls under "Cruel and unusual punishment".
Although currently, many products and services still have a "physical world" work around, e.g., snail mailing your bill, subscribing to a magazine, enrolling in college and college classes, interacting with a bank account, some services do not, e.g., Slashdot, e-mail.
In present times, one can live without the internet (yes, yes, I know, but it's true!), but one will be greatly inconvenienced at the very least. Perhaps though, sometime in the not so distant future (10-20 years), one will not be able to fully operate in society without internet access.
This doesn't really address who is responsible for determining if the convicted person is using an internet enabled device, e.g., Tivo, Wii, PS3, cell phone, for terms of violating parole. They very well should have just banned him from using anything that uses electricity, takes batteries, etc.; Just absurd.
At any rate, this case helps further a dangerous and unjust precedent, such as used against Mitnick and countless others.
Yes, he was being an nuisance. Yes, he should get community service. No, he should not be banned from the internet.
Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt. (When catapults are outlawed, only outlaws will
Besides, Myspace is evil anyway.
This sig no verb.
So the way I read that is that even if he had permission to add stuff to his profile (which clearly he did, since the changes were allowed), if the changes were not intended by the "owner of the information," then he broke this law. Pretty screwy wording, if you ask me. So basically, anytime you "modify" data in a manner not intended by the website owner, you're breaking the law (at least in California). I wonder how long before somebody uses this law to sue the RIAA for putting fake files on P2P networks?
It seems, however, that creating security vulnerabilities does pay. Why, companies like MySpace and Microsoft can always shift the blame on some teenager or "computer error" or a careless employee.
Unlike physical security, making a computer system secure against teenage hackers is not rocket science. This vulnerability was clearly a MySpace screwup, and they should be held responsible and pay the price for it. That principle may not be so important when it comes to MySpace (because there is little of value there), but it becomes of paramount importance when it's your bank or your hospital.
People who offer commercial services using software should be responsible for the safety and security properties of that software. And in order to prevent those companies from blame-shifting, the people breaking in should be held responsible only if they demonstrably attempted to commit a real-world crime other than simply breaking into the computer system.
I know Samy personally and he is one of the smartest and most level-headed individuals I know. This is the case where a joke went a bit awry but it could have happened to any of us. He specifically made sure he wasn't malicious in what he did but the side effect over overwhelming MySpace's server was unintended.
This is no different from the Morris worm. The sad fact is that he got prosecuted whereas the hundreds of botnet operators overseas and here in the US continue to wreak the real havoc on networks and infrastructure totally immune from prosecution.
Samy got caught because he put his name on what he did. It's sad that that is the only basis for prosecution of computer crimes in this country. The good guys at the FBI and USSS don't have enough clue helping them to bring in the real criminals.
-david
# Hack the planet, it's important.
To give you a RL example, publishing a paper about the vulnerability of locks with master keys (yep, one actually exists) is OK. Using that knowledge to break into every office in the building and vandalize it, is _not_ ok. The former is disclosing a vulnerability, the latter is breaking and entering. There is no law against the former, but there _are_ laws against the latter in any country.
Or in a similar vein:
- writing about what the limits of Kevlar vests are, is ok, shooting a SWAT trooper is not ok
- notifying a bank about a blind spot with their camera layout is ok, using that to rob the bank is not ok
- notifying a company about a vulnerability in their proxy or mail server software is ok, using that to add your name to all their internal mailing lists is industrial espionage, among other charges that you'll face
Etc.
And it seems to me disingenuous (and retarded) bullshit at its finest to pretend that a case that was purely about the latter, is somehow punishing the former.
Here's a fun concept: The fact that you know a vulnerability doesn't automatically entitle it to use it at other people's expense, and that use does _not_ count as just disclosing a vulnerability. The idea that with great knowledge or power comes great responsibility to abuse it, simply isn't recognizd by any RL code of laws.
Here's another fun concept: RL security, which is where we got those laws and legal concepts from, is _not_ based on some nerdy wild-west notion that if something isn't 100% secure then it's fair game for anyone who can break in. RL security is based simply on the law. You may know how to break into something, but we'll throw your sorry ass in jail if you actually do.
There are a lot of people who know how to steal your car or house. Yes, it's not secure. A brick through the window works just nicely. And everyone on the street knows it. But if they actually break in, we're gonna throw them in jail. _That_ is the deterrent and security factor.
It's just not feasible and it makes no economic sense to demand that everyone builds their house as a bunker, with bulletproof windows and a vault-like steel door. And then someone comes around with a bazooka, so better stand guard with your shotgun 24 hours a day. 'Cause you know, if they do break in, it was just showing that you didn't have enough security. It just doesn't work that way, and doesn't scale. It's cheaper for society as a whole to have a few cops and judges.
And I fail to see anything wrong with extending that concept to computers too. No, hi-tech as IT may be, you _don't_ automatically have a right to cause damage if you can. You may think that society owes you some great power for your being so nerdy and smart, but it actually doesn't owe you jack squat. Certainly not a right to be above the law. It doesn't work that way in any other domain, so I fail to see why IT would automatically be different. We don't give a top surgeon (and that's a very smart guy too) a right to murder, so I fail to see why we'd give a computer nerd a right to break into other people's computers.
A polar bear is a cartesian bear after a coordinate transform.