Slashdot Mirror


Twitter Gets Slammed By the StalkDaily XSS Worm

CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."

145 comments

  1. author found. Now what? by Ritz_Just_Ritz · · Score: 1

    So the StalkDaily fellow admitted to creating the worm. Now what?

  2. To hire or to jail, that is the question by BadAnalogyGuy · · Score: 5, Funny

    A 17 year old is old enough to understand the ramifications of his actions to a reasonable extent. He no doubt understood that releasing a worm like that would be met with an unfavorable reaction. But he did it anyway. In this sense, he is a potential menace to the Internet.

    However, he is still in his formative years. His abilities could be nurtured in productive directions and we could have the next Edward Dijkstra in the making.

    So do we punish him and turn him to the Dark Side? Or do we show him love and respect and turn him? There is still good in him. I can feel it.

    1. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 1, Interesting

      Those aren't mutually exclusive. Convict him in juve or even adult court, the damage was minimal so give him a suspended sentence plus probation. As part of his probation require him to continue his education &/or participate in legal work activities. As part of his sentence have him forfeit his domain name as the fruits of a criminal enterprise.

      However, remember one thing. This is the age where there are almost unlimited legal, productive outlets for young programmers and computer enthusiasts. This kid chose a "blackhat" route. He did so for his own pecuniary gain. These aren't signs of someone just mistakenly screwing around. There's always hope for reform, but don't paint this kid out to be one of the good ones who just stumbled - he's not.

    2. Re:To hire or to jail, that is the question by SuperNothing307 · · Score: 5, Insightful

      No offense, but having a good understanding of XSS attacks at 17 doesn't exactly equate to the mathematical and analytical abilities of Edward Dijkstra. I know I don't put myself anywhere near that level. In fact, I'd argue that the chances are well in favor of him doing something like this again, except worse, rather than his becoming someone who does something beneficial for the world. I mean, look at all the attention he has gotten for this. Imagine what would happen if he does something worse! Punish him now, make him understand the gravity of his actions.

    3. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 0

      So if a 17-year-old obtains access to a system that the owner doesn't want him to have, we should disband his entire company.

      But if a major corporation's product is designed to install a rootkit on every system the product is inserted into we should...do nothing?

      I think I'm ready to understand the finer points of that Iraq video game now.

    4. Re:To hire or to jail, that is the question by rs79 · · Score: 5, Insightful

      I say anything that slows down the spread of those fucking annoying twitter people is a good thing and he should be awarded a medal.

      Tweet this, bitch.

      --
      Need Mercedes parts ?
    5. Re:To hire or to jail, that is the question by thefringthing · · Score: 1

      It's "Edsger", isn't it?

    6. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 1, Informative

      If you don't like the fucking annoying tweets, nobody is forcing you to read them. Just like slashdot.

    7. Re:To hire or to jail, that is the question by moderatorrater · · Score: 2, Funny

      RT: @rs79 "I say anything that slows down the spread of those fucking annoying twitter people is a good thing and he should be awarded a medal.

      Tweet this, bitch."

    8. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 1, Informative

      Who the fuck is Edward Dijkstra?

      You mean Edsger W. Dijkstra maybe?

    9. Re:To hire or to jail, that is the question by macbuzz01 · · Score: 1

      I can't, it's over the character limit.

    10. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 0

      He is neither all that intelligent nor innocent.

      From the second link:

      that he created Stalk Daily from "boredom" and because he "needed a way to make money."

      Also from the second link:

      He wrote, "I decided if I had site that followed the same functionality and simplicity as one of the most known sites on the web at the time then it would receive a lot of hits."

      Basically, this person is at best an amoral copycat.

    11. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 0

      Edward? Oh, boy.

    12. Re:To hire or to jail, that is the question by Xaoswolf · · Score: 1

      There is still good in him. I can feel it.

      Correct, but we need to wait until after he blows up a planet with his giant laser before we'll be able to bring him back to the light side...

    13. Re:To hire or to jail, that is the question by Quothz · · Score: 1

      So do we punish him and turn him to the Dark Side? Or do we show him love and respect and turn him?

      Ideally, a little from column A and a little from column B. Naturally he should be punished; as a society we cannot dare tolerate allowing this sort of thing. He didn't do too much damage; Twitter'll have t'spend a few bucks to undo his work, tho'.

      If I had my druthers, I'd leave prison time out of his sentence, but make him pay reparations to Twitter and a small fine, shut down his site, put him on probation, and give him a large pile of community service related to programming and/or web design.

    14. Re:To hire or to jail, that is the question by Quothz · · Score: 1

      Who the fuck is Edward Dijkstra? You mean Edsger W. Dijkstra maybe?

      One and the same. Dijkstra published a fair bit using the first name "Edward".

    15. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 0

      Punish him for what? He didn't cause any harm. No one lost any money.

    16. Re:To hire or to jail, that is the question by JSG · · Score: 1

      In English we have the verb "to twat" which may help you in your efforts to assist someone to "Tweet this, bitch".

      Why does FF insist on putting a red line under "twat" - it's been in the language for at least 10 years ...

    17. Re:To hire or to jail, that is the question by JSG · · Score: 1

      Sorry, I should probably point out that "twat" is not a past tense of "twit".

    18. Re:To hire or to jail, that is the question by interested+pyro · · Score: 0

      That sucks. Guess I'll have to tweet about it being over the limit, then tweet about tweeting, then tweet about tweeting about tweeting, then tweet........

    19. Re:To hire or to jail, that is the question by Mozk · · Score: 1

      No, but essentially every television news station, talk show host, and even fucking sports sideline announcer is forcing me to hear about their new Twitter page and listen to them go on to ask "What is Twitter anyway?" while their colleagues joke that they don't know either.

      --
      No existe.
    20. Re:To hire or to jail, that is the question by jcr · · Score: 1

      So if a 17-year-old obtains access to a system that the owner doesn't want him to have, we should disband his entire company.

      But if a major corporation's product is designed to install a rootkit on every system the product is inserted into we should...do nothing?

      Who said any such thing?

      Sony's management should be behind bars, too.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    21. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 0

      Punish him for what? He didn't cause any harm. No one lost any money.

      Is that the only measure? If I kick you in the balls you don't lose any money either.

    22. Re:To hire or to jail, that is the question by somersault · · Score: 1

      That is dependent on whether he makes any money from selling his seminal fluid.

      --
      which is totally what she said
    23. Re:To hire or to jail, that is the question by Anonymous Coward · · Score: 0

      Jail? Shouldn't it be necessary to actually do damage or cause harm before you start talking about jail?
      I think it's a horrible sign that our default reaction to any kid doing anything besides sitting quietly in his chair is to lock him up.

    24. Re:To hire or to jail, that is the question by cboslin · · Score: 1

      Talk about opportunity cost

    25. Re:To hire or to jail, that is the question by cboslin · · Score: 1

      Excellent analogy jcr.

    26. Re:To hire or to jail, that is the question by cboslin · · Score: 1

      Either this is a very poor analogy, or you have never been hit or kicked in the balls. Anyone who plays sports and has worn a cup knows that it still hurts when you get hit or when the cup breaks, but it would be a lot worse without that cup.

      No harm, really, Really, REALLY!

      Someone contact this person's partner, if they have one, and ask them to show them how it feels. Even if female, granted minus the cup, getting hit or kicked there hurts, a lot.

  3. Bit obvious by Toe,+The · · Score: 4, Interesting

    Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out. Or maybe it's a great way of getting a job. Depends on the legality of the worm, I suppose. :)

    1. Re:Bit obvious by Anonymous Coward · · Score: 0

      Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out. Or maybe it's a great way of getting a job. Depends on the legality of the worm, I suppose. :)

      Or the legality of the site :)

    2. Re:Bit obvious by timholman · · Score: 5, Informative

      Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out.

      Especially when you read the Terms of Service on Mr. Mooney's own StalkDaily website, e.g.:

      7. You must not modify, adapt or hack StalkDaily.com or modify another website so as to falsely imply that it is associated with StalkDaily.com.

      8. You must not create or submit unwanted email to any StalkDaily members ("Spam").

      9. You must not transmit any worms or viruses or any code of a destructive nature.

      Talk about having a "Do as I say, not as I do" morality. At least it's refreshing to see that hypocrisy is not restricted to people over 30.

    3. Re:Bit obvious by Blue+Stone · · Score: 1

      It's great publicity for his site which is similar in functionality to Twitter. I guess his idea was that users of Twitter would try it out and eventually switch.

      Unfortunately the publicity also says 'I'm an unethical douchebag, (who knows what other shit I might pull)' so I imagine the take-up will be in negative numbers, if anything.

      Seems like a great way to shoot himself in the foot.

      Twitter's @oblique says "Honour thy error as a hidden intention". Good luck to Mr. Mooney in making that one work for him.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    4. Re:Bit obvious by FlyingBishop · · Score: 2, Insightful

      Actually, we had a meeting where we agreed that ToS's are by nature BS. We didn't invite anyone over 30, so I don't know if you missed the memo or just weren't invited.

    5. Re:Bit obvious by Anonymous Coward · · Score: 1, Interesting

      Don't worry. Twitter has millions in the bank, and lawyers to hand. This little shit will be sued into oblivion and be flipping your burgers.

    6. Re:Bit obvious by shentino · · Score: 1

      Hopefully after he gets a very PAINFUL slap on the wrist for computer trespass.

      I really would like the feds/cops to nail him, even if he just gets a stern warning of some sort.

      He needs arrested and charged. What he did was a crime, and he needs to be taught to back off of people's computers, preferably before he turns into a legal adult and opens himself up to BIG trouble.

    7. Re:Bit obvious by an+unsound+mind · · Score: 1

      Please do RTFA.

      All he did was to exploit a Twitter XSS vulnerability - he didn't touch anything but their servers.

    8. Re:Bit obvious by noidentity · · Score: 1

      But he didn't hack StalkDaily.com, as his terms of service forbid! He hacked twitter.com. So he's doing just as he says. :)

    9. Re:Bit obvious by shentino · · Score: 1

      That's still hacking.

      Exploiters who take advantage of loopholes for their own gain should be punished.

      Had this student simply reported the incident to twitter, I'd think differently.

      Using it to promote his own site proves bad faith.

    10. Re:Bit obvious by Anonymous Coward · · Score: 0

      Refreshing? Like you hadn't seen it before? Where the fuck did you go to middle and high school?

    11. Re:Bit obvious by gringofrijolero · · Score: 1

      ...worms or viruses or any code of a destructive nature.

      Is it a good worm, or a bad worm? Only bad worms are destructive

      --
      Todos mis movimientos están friamente calculados
    12. Re:Bit obvious by Anonymous Coward · · Score: 0

      Talk about having a "Do as I say, not as I do" morality. At least it's refreshing to see that hypocrisy is not restricted to people over 30.

      Possibly to someone under 30 it's refreshing.

      And now that I have your attention, Microsoft needs you all to help buy that bridge to the pub.

    13. Re:Bit obvious by Anonymous Coward · · Score: 0

      he didn't touch anything but their servers.

      Servers used by a large number of people. And he did it consciously. He should be punished.

    14. Re:Bit obvious by interested+pyro · · Score: 0

      flipping your burgers.

      "Hey, can I have a little bit of ketchup on the dark side and some mustard on the light side?"

  4. Ummmm by benjfowler · · Score: 2, Interesting

    Mikeyy described how he carried out the attack:
    "I am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status,

    Isn't that called "criminal damage"? Now if I'm not mistaken, the police and courts tend to frown on that sort of thing.

    1. Re:Ummmm by BadAnalogyGuy · · Score: 1, Interesting

      Why should he be held responsible? The XSS is just plaintext code. It has no meaning unless someone executes it.

      If TPB can't be held responsible for simply providing links to illegal downloads, surely this kid shouldn't be held responsible for writing up some XML style sheets.

    2. Re:Ummmm by Teun · · Score: 1

      Ah yes TPB, but I feel you are now comparing a place with a civil justice system to a place with what often appears as a commercial justice system.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    3. Re:Ummmm by disbroc · · Score: 2, Insightful

      Why should he be held responsible? The XSS is just plaintext code. It has no meaning unless someone executes it.

      Could the same not be argued about malicious/annoying scripting language code, or any interpreted code for that matter?

      If TPB can't be held responsible for simply providing links to illegal downloads, surely this kid shouldn't be held responsible for writing up some XML style sheets.

      Maybe it's just me, but I think that depending on what country you are in the laws for what you are responsible for change quite a bit.

    4. Re:Ummmm by gzipped_tar · · Score: 1

      Could the same not be argued about malicious/annoying scripting language code, or any interpreted code for that matter?

      And binary code is just plain byte sequence.

      --
      Colorless green Cthulhu waits dreaming furiously.
    5. Re:Ummmm by Anonymous Coward · · Score: 2, Informative

      Fuckwits... XSS = Cross Site Scripting, not XML Style Sheets.

    6. Re:Ummmm by Dragonslicer · · Score: 1

      Why should he be held responsible? The XSS is just plaintext code. It has no meaning unless someone executes it.

      Why should a person be held responsible for stabbing another person? A knife is just a piece of metal. It has no meaning unless someone uses it.

    7. Re:Ummmm by somersault · · Score: 1

      If TPB can't be held responsible for simply providing links to illegal downloads, surely this kid shouldn't be held responsible for writing up some XML style sheets.

      Yet again living up to your nick! ;)

      In this case surely the guy would also be those who upload illegal torrents to TPB, so I don't see how your defense applies.

      --
      which is totally what she said
  5. throw the scumbag in jail by Anonymous Coward · · Score: 0

    17 is old enough to be put in jail. Idiots like him are the reason viruses exist.

    1. Re:throw the scumbag in jail by Teun · · Score: 4, Informative

      Idiots like him are the reason viruses exist.

      Stop right there! You are infringing on a Microsoft technology.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:throw the scumbag in jail by Anonymous Coward · · Score: 1, Insightful

      Um. Twitter runs on Linux, as far as I know.

    3. Re:throw the scumbag in jail by Teun · · Score: 1

      So what, Microsoft owns over 200 patents that Linux infringes upon, running unwanted scripts is just another of the same.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    4. Re:throw the scumbag in jail by cboslin · · Score: 1
      Teun, great response to an obvious troll comment! Wish I had mod points, cause after I got done laughing I would mark you as insightful, certainly not the Troll as it shows now.

      Thanks for the smile and the laugh!

  6. Clearly he should be made to by Colin+Smith · · Score: 2, Funny

    Go and manually run anti virus software on every infected PC.


    --
    Deleted
    1. Re:Clearly he should be made to by Anpheus · · Score: 4, Informative

      Go and manually run anti virus software on every infected PC.

      Not that kind of worm. It was purely a scripting attack involving JavaScript. No one's computers were harmed, only a bunch of Twitter accounts. (Which can no doubt be fixed by patching the hole and some good SQL query to fix all the accounts in one go.)

    2. Re:Clearly he should be made to by FlyingBishop · · Score: 2, Insightful

      There are no infected PC's. The only thing 'infected' was people's twitter statuses, and now that the exploit was patched, there is no virus, since the code was executed by the server, not by the individual computer.

      This sounds pretty harmless.

    3. Re:Clearly he should be made to by nneonneo · · Score: 2, Interesting

      It was XSS; the idea is that an attacker puts his JavaScript code on a page belonging to someone else. When a victim views the page, their client executes the JavaScript.

      Now, in this case, we got lucky: this guy didn't try to exploit browser vulns or anything of the sort. What if, though, this thing had come to the attention of, say, a botnet operator? Combined with a browser vulnerability (the sort found at CanSecWest, for example), the botnet operator could easily have gotten several thousand more systems under his control very quickly. In fact, XSS holes are presently being used to inject malware on otherwise clean websites all the time -- the difference here is simply the visibility of Twitter as compared to most websites.

      This was harmless, but it may not have been.
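The mechanism described in the comment above (script stored in a profile, then executed by every viewer's browser) is closed at the point where stored fields are written into the page. The following is an added example, not part of the thread and not Twitter's code; the field names (`name`, `url`, `bio`) and the sample records are constructed for illustration. It shows an unencoded renderer beside an encoded one, plus a scan that flags stored records for cleanup.

```javascript
'use strict';

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs; anything else means "render no link".
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value).trim());
    const ok = url.protocol === 'http:' || url.protocol === 'https:';
    return ok ? url.href : null;
  } catch (err) {
    return null; // not parseable as an absolute URL
  }
}

// BEFORE: stored fields are concatenated into markup unchanged, so any
// markup a user saved in a profile field becomes part of the page.
function renderProfileUnsafe(profile) {
  return '<div class="profile">' +
    `<h1>${profile.name}</h1>` +
    `<a href="${profile.url}">${profile.url}</a>` +
    `<p>${profile.bio}</p></div>`;
}

// AFTER: every field is encoded for the context it lands in, and the URL
// is validated before it is allowed into an href attribute.
function renderProfileSafe(profile) {
  const url = safeHttpUrl(profile.url);
  const link = url
    ? `<a href="${escapeHtml(url)}" rel="nofollow">${escapeHtml(url)}</a>`
    : '';
  return '<div class="profile">' +
    `<h1>${escapeHtml(profile.name)}</h1>` +
    link +
    `<p>${escapeHtml(profile.bio)}</p></div>`;
}

// Cleanup aid: return ids of stored records whose fields contain markup
// characters or a non-http(s) URL, so they can be reviewed and reset.
function findSuspectProfiles(profiles) {
  const markup = /[<>"]/;
  return profiles
    .filter((p) =>
      [p.name, p.url, p.bio].some((f) => markup.test(String(f))) ||
      (p.url !== '' && safeHttpUrl(p.url) === null))
    .map((p) => p.id);
}

// Constructed sample records (not taken from the incident).
const SAMPLE_PROFILES = [
  { id: 1, name: 'alice', url: 'https://example.org/alice', bio: 'Coffee & code' },
  { id: 2, name: 'bob',
    url: 'http://example.invalid/"><script src="//example.invalid/constructed.js"></script>',
    bio: 'hello' },
  { id: 3, name: 'carol', url: 'javascript:void(0)', bio: 'hi' },
];

for (const profile of SAMPLE_PROFILES) {
  console.log(renderProfileSafe(profile));
}
console.log('records to review:', findSuspectProfiles(SAMPLE_PROFILES));
```

Encoding at output time protects viewers even while tainted records are still in storage; the scan only helps find what to reset.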

    4. Re:Clearly he should be made to by Anonymous Coward · · Score: 0

      No one's computers were harmed, only a bunch of twitter accounts.

      So the Internet as a whole was in fact healed slightly by this worm?

  7. Would you trust StalkDaily? by Joao · · Score: 4, Insightful

    Seriously, would you? The developer admits to infecting people's computers and accounts in order to advertise his services, and doesn't think he did anything wrong. How can anyone trust his services then?

    For starters he should be forced to take down StalkDaily. I'm sure Tweeter lawyers are looking into this right now. And for once, I agree with such a move. /not a tweeter user

    1. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 4, Insightful

      Two issues with your post:
      One, the dev did not infect anyone's computers. He wrote a small program, on the site, that would update the profile of anybody who saw one of the spam comments. For example, you visit a friend's page who has one of these comments (and therefore the code) and your profile is updated with a comment (and the code). The only "infection" was on the site, not the end users. Also, no accounts were hacked. Simply a case of instructing the visitor's browser to slyly update the visitor's status while looking at a different page. TFA states that there were no passwords, usernames, or anything else in the code.
      Two, it's twitter.

    2. Re:Would you trust StalkDaily? by Allicorn · · Score: 1

      Wait, exploiting software loopholes to circumvent authentication requirements and make changes to privileged (albeit pointless tatt) information is not "hacking" anymore? I must have missed that memo.

      Two, it's "twatter". :D

      --
      OMG!!! Ponies!!!
    3. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      Me neither. One of the kids asked me about getting an account. He tried to explain the system. All I could think was, "How freaking GAY!" Myspace all over again, right?

      Gay? Really? How old are you exactly?

    4. Re:Would you trust StalkDaily? by Troed · · Score: 1

      Twitter is similar to Myspace in about the same way as a frog is similar to World of Warcraft.

      Yes.

    5. Re:Would you trust StalkDaily? by guyinthechair · · Score: 1

      not a tweeter user

      Obviously.

    6. Re:Would you trust StalkDaily? by Registered+Coward+v2 · · Score: 1

      Seriously, would you? The developer admits to infecting people's computers and accounts in order to advertise his services, and doesn't think he did anything wrong. How can anyone trust his services then?

      For starters he should be forced to take down StalkDaily. I'm sure Tweeter lawyers are looking into this right now. And for once, I agree with such a move. /not a tweeter user

      Not only that, but by admitting to what he did he makes criminal prosecution easier. Not a very smart thing to do; plus now he will be forever linked to his act for any future employer to see.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    7. Re:Would you trust StalkDaily? by memojuez · · Score: 2, Interesting
      According to TFA, Two instances of Malware and one instance of the Seneka Root Kit

      A Malwarebytes scan comes up with three instances of malware. One is the Seneka rootkit (ouch!).

      Also according to the code and analysis posted on TFA showed that the script was run on the client side, i.e. the user's computer, that exploited an XSS exploit on Twitter's website.

      I think that satisfies the definition of a Black-Hat Hack & Infecting users' PCs.

      --
      Signature applied for, Patent Pending
    8. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      And there's frogs in Warcraft...that means there's twits on myspace! Hah! Your secret code was too simple for me! For my next trick, I'll pull a slashdot poster out of a barrel of chilled urine! Oh, what? Ohh, oh dear...he's drowned in his own frosted piss.

    9. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      Parent AC here,

      Unfortunately, the networkworld TFA is giving a 404 so I can't dispute the malware claim entirely, but the interview link said nothing about any software of any sort being installed. And I did acknowledge that the script was run on the client's side - "...instructing the visitor's browser to slyly update...".

      I do have to dispute the blackhat part though, especially if the interview is factual - no malware involved, simply a "prank" if you will of making the viewer post a link to another site. No data was compromised, all that happened was a harmless demonstration of a flaw. I personally would consider that well in the realm of whitehat work.

    10. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      "no malware involved, simply a "prank" if you will of making the viewer post a link to another site. No data was compromised, all that happened was a harmless demonstration of a flaw. I personally would consider that well in the realm of whitehat work."

      Either you're the 17 year old in question, functionally retarded, or both.

    11. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      The developer admits to infecting people's computers and accounts in order to advertise his services...

      What do you think the submitter is doing? The firehose was spammed with this story all night long.

    12. Re:Would you trust StalkDaily? by kv9 · · Score: 1

      Twitter is similar to Myspace in about the same way as a frog is similar to World of Warcraft.

      they're both stupid?

    13. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      If you're frothing at the mouth because of some spam twitter updates, I have to wonder what you would do if a person was actually harmed by this. This was, in every literal sense of the word, harmless. Perhaps not as benign as it could have been because it was advertising a competing site, but harmless just the same.
      There's basically three choices when you find something exploitable on a computer: Shut up, use it for fun, or use it to do harm. Seeing how many exploits these days get used to perpetrate identity fraud or create zombie botnets, I'm relieved to find somebody knowledgeable enough to spot problems who still has at least some honor.

    14. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 0

      Not exactly. His exploit code also sent the victims' cookies back to his server. If there is a line between a spammy prank and malicious intent that is where he crossed it.

    15. Re:Would you trust StalkDaily? by somersault · · Score: 1

      There's basically three choices when you find something exploitable on a computer: Shut up, use it for fun, or use it to do harm.

      What about letting the site owners know about the vulnerability? Sometimes you just get ignored and open yourself up to being a suspect if that vulnerability is used, but it is still an option.. since advertising was involved, I count this as malicious rather than 'for fun'. It's like an unholy for-profit union between spam, chain mails and malware..

      --
      which is totally what she said
    16. Re:Would you trust StalkDaily? by somersault · · Score: 1

      All I could think was, "How freaking GAY!" Myspace all over again, right?

      I thought myspace was a traditional hangout for emo types - not much gaiety over there! If you want gay frivolity, you need Bebo or Facebook - everyone there is gay!

      --
      which is totally what she said
  8. Re:author found. Now what? by berend+botje · · Score: 4, Funny

    Hang him, I'd say.

  9. Re:author found. Now what? by oldhack · · Score: 5, Insightful

    Buy that man a beer. :-)

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  10. I saw this. by Aladrin · · Score: 2, Interesting

    One of the Japanese people I followed suddenly tweeted a couple lines in English about StalkDaily and I was like 'wtf?' At least now I know it wasn't them.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:I saw this. by thePowerOfGrayskull · · Score: 1

      One of the Japanese people I followed suddenly tweeted a couple lines in English about StalkDaily and I was like 'wtf?' At least now I know it wasn't them.

      Heh - and now you also know that you were one of the victims. Kind of like that movie where everyone who watched a video tape died. Except without the death. And the water.

    2. Re:I saw this. by sakdoctor · · Score: 4, Funny

      You have used the verb "tweeted".
      Ninjas have been dispatched to your location, to make sure you don't do it again.

    3. Re:I saw this. by Anonymous Coward · · Score: 0

      Ninjas have been dispatched to your location, to make sure you don't do it again.

      Ninjas are already everywhere.
      You could be sitting on a ninja right now and not even know it.

    4. Re:I saw this. by Haiyadragon · · Score: 0

      I wonder how that face stabbing device is coming along.

    5. Re:I saw this. by gyrogeerloose · · Score: 1

      It's okay--he has a band of pirates to protect him.

      --
      This ain't rocket surgery.
    6. Re:I saw this. by atraintocry · · Score: 1

      It sounds better than twitted, and twat is right out.

    7. Re:I saw this. by Anonymous Coward · · Score: 0

      What about twote?

      Or, just don't use the service.

    8. Re:I saw this. by Aladrin · · Score: 1

      Yes, but I didn't visit the site. :) In fact, I almost removed the user from my list over it.

      Brilliant name, btw.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  11. Re:author found. Now what? by Anonymous Coward · · Score: 0

    Let's go see if his hosting company (DreamHost) will do something about the domain name.

  12. Re:author found. Now what? by Anonymous Coward · · Score: 0

    So the StalkDaily fellow admitted to creating the worm. Now what?

    Drop the worm into a bottle of tequila and make him drink his own medicine?

  13. Admitting to a felony by phantomcircuit · · Score: 1

    way to go boy genius enjoy jail

  14. Re:author found. Now what? by jrothwell97 · · Score: 2, Funny

    Drop him into the jaws of the Great Whale of Fail, while forcing him to follow Robert Scoble and Bill O'Reilly.

    --
    Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
  15. Re:author found. Now what? by kirbysuperstar · · Score: 1

    So the StalkDaily fellow admitted to creating the worm. Now what?

    Stalk him. You'll know what to do when the time's right.

  16. Ob. Penny Arcade by slushdork · · Score: 2, Funny

    Le Twittre - pretty much says it all...

  17. I say GNU too, in the loo by tepples · · Score: 1, Troll

    No one's computers were harmed, only a bunch of twitter accounts.

    Were any of these twitter accounts affected?

  18. NoScript? by Anonymous Coward · · Score: 0

    Forgive my ignorance, but is this an example of what the NoScript extension for Firefox safeguards against?

    1. Re:NoScript? by morgan_greywolf · · Score: 3, Insightful

      You're not ignorant. You're right. In addition, recent Firefox browsers have built-in XSS blocking.

    2. Re:NoScript? by wannabgeek · · Score: 3, Insightful

      Yeah right! Every time some vi comes up, people start holding NoScript as a panacea. I use NoScript so I am aware of its advantages. But it's not a cure-all. There are so many sites (twitter in this case) which simply do not work without Javascript being enabled. So most of the NoScript users who use twitter through a browser will have Javascript enabled - by white listing it in NoScript. So, no sorry, NoScript is not a protection against this one.

      --
      I'm much more funny, interesting and insightful than the moderators think
  19. Sounds Like A Publicity Stunt by Dreadneck · · Score: 3, Insightful

    FTA:

    StalkDaily.com is similar in design and features to Twitter. In addition to the features of Twitter, it also allows users to upload videos and photos. Through looking at the code behind Twitter, Mikeyy was able to produce a similar site to Twitter with some additional features. "I used my past knowledge to gain an insight on how Twitter worked and outputted to a user. Although both of the sites are coded in different languages I was able to give my site the same features as Twitter, while coding some of my own."

    It sounds to me like the kid was trying to promote his Twitter knockoff site, but for some reason felt the need to do so by poking a stick in Twitter's eye. Makes me think the whole thing was a juvenile cry for attention. I knew a kid like that in high school. He was smart as could be but would do anything, no matter how socially unacceptable, to get attention.

    I think the kid needs counseling and guidance and not a jail sentence.

    --
    Power does not corrupt - power attracts the corrupt.
    1. Re:Sounds Like A Publicity Stunt by Anonymous Coward · · Score: 0

      Yes, let's continue taking criminals, claiming they're not just that, and sending them for 'counselling' instead of prison. On tax dollars, of course. Certainly, the 'going easy on criminals' aspect of current society has been going far better than the alternative lately.

    2. Re:Sounds Like A Publicity Stunt by Dreadneck · · Score: 1

      Right. Let's send him to jail and complete his criminal education on the taxpayer's dime. He's obviously not hardcore yet, but we'll get him there. Jail is definitely the best option for a 17 yr. old who wrote a spam script.

      --
      Power does not corrupt - power attracts the corrupt.
    3. Re:Sounds Like A Publicity Stunt by Tanstai · · Score: 1

      FTA:

      I think the kid needs counseling and guidance and not a jail sentence.

      No, he needs counseling, guidance AND a jail sentence. The kid is 17, and you want to just TALK to him about how he FEELS about what he did...what bull$41t! And to all the "putting him jail will make him a hardcore criminal". PLEASE! Let's see some stats on that. Give him 180 days in JAIL (I.E. Not prison), and 5 years with no access to a computer/phone/etc.

    4. Re:Sounds Like A Publicity Stunt by steve9983 · · Score: 0

      Yes, let's continue taking criminals, claiming they're not just that, and sending them for 'counselling' instead of prison. On tax dollars, of course. Certainly, the 'going easy on criminals' aspect of current society has been going far better than the alternative lately.

      It's cheaper to counsel someone than it is to imprison them... and when you're done the person is a productive member of society, instead of a hardened criminal.

    5. Re:Sounds Like A Publicity Stunt by robogymnast · · Score: 1

      Yes, let's continue taking criminals, claiming they're not just that, and sending them for 'counselling' instead of prison. On tax dollars, of course. Certainly, the 'going easy on criminals' aspect of current society has been going far better than the alternative lately.

      I don't know what "going easy on criminals aspect" you are talking about, I have yet to see ANY attempts at real rehabilitation for criminals.

      The difference between paying for clinics and rehabilitation and paying for prisons and guards is that at the end, clinics attempt to help you with whatever issues caused you to break the law so you can return to society. Prisons just build more cells because they know you will be coming back in a few years. Some people can't be helped, but believe it or not, most people would rather have a productive life and obey the law than rot in a cell.

      --
      unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep
  20. Re:author found. Now what? by morgan_greywolf · · Score: 5, Funny

    I tried, but they closed down the Microsoft Pub.

  21. Great Plan by basementman · · Score: 0, Flamebait

    So this kid is apparently trying to launch his own version of Twitter at StalkDaily. To do this he launches a worm infecting Twitter users to drive traffic to his site, and then admits to it. Great way to build good will with your users.

    Just so everyone knows, most teenage nerds are this stupid/unethical.

    1. Re:Great Plan by KillerBob · · Score: 1

      Any publicity is good publicity. While I don't really care about either site, I hadn't even heard of StalkDaily before this.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    2. Re:Great Plan by Nazlfrag · · Score: 1

      It's hardly good publicity for StalkDaily. Sure, I'll remember it, but only as a place to avoid. Still, he's now made a name for himself for better or worse and gotten his 15 mins of fame. Whether he can turn that into something good is doubtful though.

    3. Re:Great Plan by jcr · · Score: 1

      Just so everyone knows, most teenage nerds are this stupid/unethical.

      That's a rather broad brush you're waving around there, sport.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  22. Twitter Slammed by a Worm? by Anonymous Coward · · Score: 0

    Is this why we haven't seen him or his sockpuppets post on /. here recently?

  23. Samy is my hero by The+Real+Toad+King · · Score: 3, Insightful

    This sounds almost exactly like the Samy worm to me.

    1. Re:Samy is my hero by SnowZero · · Score: 1

      From Wikipedia:

      Samy Kamkar entered a plea agreement, on January 31, 2007, to a felony charge. The action resulted in Kamkar being sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.

      It sounds like Mikeyy will get at least that much, and possibly much more; IIRC Samy had claimed that his virus was just supposed to be for his friends, while Mikeyy has already gone on record saying that he did it for commercial gain. That was a daft move, which he will realize as those words are trotted out over and over in his trial.

  24. The XSS FAQ by mrkitty · · Score: 2, Informative

    The Cross-site Scripting FAQ http://www.cgisecurity.com/xss-faq.html

    --
    Believe me, if I started murdering people, there would be none of you left.
  25. I know what to do by Anonymous Coward · · Score: 0

    Hot grits! In the pants!

  26. Re:author found. Now what? by fuzzyfuzzyfungus · · Score: 2, Insightful

    From TFA:

    "I am the person who coded the XSS which then acted as a worm when it auto updated a user's profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website."

    Every inch of this quotation just makes you want to beat the kid. I bet he has an annoying voice, too.

  27. Mod parent up (funny) by shentino · · Score: 0, Offtopic

    nt

  28. Formatively Challenged? by Robert+Chapin · · Score: 1

    It takes a certain level of stupidity to "start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website." His probation should require an ethics tutor.

  29. So? by spartacus_prime · · Score: 1

    From the looks of TFS, this only caused people to tweet about StalkDaily, but didn't cause any substantial issues with Twitter itself. You can blame the kid for writing the script, but should you blame him for the dozens of idiots who clicked on an unknown link in hopes of gaining more followers (and a larger e-peen)?

    --
    If you can read this, it means that I bothered to log in.
  30. Re:author found. Now what? by Anonymous Coward · · Score: 0

    Does the boredom part strike anyone else as hilarious?

    This guy is obviously a r0d3nt. While every self-respecting hacker I know will admit to emotional malaise/burn-out/whatever, actual boredom is considered a sign of low intelligence.

  31. The guy is an amoral scumbag; however... by 93+Escort+Wagon · · Score: 1

    I must admit that part of me smiled when I thought about how this might turn a few people off regarding Twitter. What an absurd waste of time and resources Tweeting is...

    <aside>If I ever have to have surgery, and I find out that the surgical team was tweeting during the procedure - I'm going to sue them for negligence. PAY ATTENTION TO YOUR JOB DAMMIT!!</aside>

    No, okay, he did something awful. Really. Yeah, he did. Any beneficial side effect wasn't by design.

    Maybe I'll buy him a beer after he gets out of prison, though.

    --
    #DeleteChrome
  32. Spell Twitter by wfstanle · · Score: 3, Funny

    Remember, you can't spell "Twitter" without using the word "twit".

  33. Worm...? by JimboFBX · · Score: 1

    I'm no virus expert but isn't this misuse of the term "worm"? I thought a worm (as a computer virus) was any virus that would back-door your system without any action on your part other than being on an unprotected machine that is on a network that features the worm. If you have to view an infected profile to get your twitter account infected that doesn't seem like a worm to me.

  34. Re:author found. Now what? by Ihmhi · · Score: 2, Funny

    Don't worry, the Linux pub is better. The beer is free, and you can get a copy of the beer's recipe anytime you like!

  35. Yes it's Twitter. But should that matter? by JimMcc · · Score: 1

    I tend to agree that Twitter is a waste of bandwidth. But that doesn't mean the offense should be taken any less seriously.

    To paraphrase:
    Then they came for the Twitters.
    I did not speak out;
    I was not a Twitter.
    ... and we all know how that ends.

    What if this had been inflicted against Slashdot? Everybody would be up in arms about it. You should defend Twitter as you would want others to defend any website which is meaningful to you.

  36. Re:author found. Now what? by Anonymous Coward · · Score: 5, Funny

    Yeah, but if you ask for a beer the bartender calls you a N00B and if you ask what beers are available he tells you to RTFMenu.

  37. This article is binspam! by Anonymous Coward · · Score: 0

    Look how many times the asshole submitted it to get past the downmods in the firehose. What, is twitter the new apple? This place has become an ad house, little more! Fuck twitter! Slashdot's twitter is better reading. You suck!

  38. Re:author found. Now what? by Anonymous Coward · · Score: 0

    Every inch of this quotation just makes you want to beat the kid. I bet he has an annoying voice, too.

    Sounds like the routine ego-maniacal rantings I see in the discussion portion of every article here on /.

    Does that mean we all should be beaten because we have annoying voices as well?

  39. That is why we need Google by Anonymous Coward · · Score: 0

    that is why we need secure, reliable google twitter.

  40. Re:author found. Now what? by interested+pyro · · Score: 0

    cut out his tongue!

  41. block Twitter? by Benjamin_Wright · · Score: 1

    For many employers, a virus like StalkDaily is an additional reason to block Twitter. -Ben

    --
    Benjamin Wright, Dallas, Texas, benjaminwright.us
    1. Re:block Twitter? by cboslin · · Score: 1

      For many employers, a virus like StalkDaily is an additional reason to block Twitter. -Ben

      For many IT professionals, a company that blocks Twitter, Facebook, MySpace or any other social media site is not who they would want to work for in the first place.

      Such a company does not want their employees to have a balanced life in and out of the work environment. (Sad when a typical usage might be a quick text message to verify after work plans, which is definitely faster and more efficient than multiple phone calls.) With companies attempting to race pay to the bottom in this economy, proficient IT professionals who still command decent rates are being a lot more selective.

      Such a backward-wrong-thinking company probably uses Waterfall/RUP instead of Agile/Scrum. Such a company if using Agile/Scrum probably sets too high a velocity that just burns out and drains their employees. As such a company is definitely short-sighted.

      Best of all, in a year or two when the economy rebounds, not only are the out-of-date-policy companies going to lose their best people, chances are the companies who understand the need to balance work - family - fun will have innovated beyond them anyway. Primarily thanks to having employees that genuinely enjoy the work that typically comes with a better work environment. As they are getting all the best talent with decent work ethics and standards.

      History shows us that people will rise to your expectations. Which of the two companies mentioned above has the more positive and forward thinking management team? Yet another Duh moment.

      Intelligent and forward thinking companies quickly highlight managers that practice out-of-date expensive (do you know how much your company loses when a poor manager causes a good employee to churn?) suffocating policies and procedures that make the work feel like, well work. Such managers should be moved to a non-management position where they can do no harm to the company, but still something productive, just not with people. Instead such a backward thinking company only promotes these backward thinking expensive managers that ultimately cost the business more than they bring in.

      So what comes around goes around.

  42. Re:author found. Now what? by Mozk · · Score: 1

    The beer is free

    Free as in speech, or free as in... beer?

    --
    No existe.
  43. Re:author found. Now what? by jcr · · Score: 1

    I think Twitter can get a pretty hefty judgement against him for actual damages, and file charges for several hundred thousand counts of unauthorized use of property, too. An hour in jail per offense should have him occupied until he needs a walker to get around.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  44. yes, s/he should have said: by vaporland · · Score: 1

    "twitted"

    --
    Ask Me About... The 80's!
  45. Damn my twitter account was also infected by kokoko1 · · Score: 0

    Yesterday I was wondering who the hell started following me on Twitter, as I am also using twitter application on facebook the same message also appeared on facebook :( Anyhow it's nice to see 17 year old kid can make PITA especially for those $$ companies.

    --
    http://askaralikhan.blogspot.com/
  46. Re:author found. Now what? by Plutonite · · Score: 1

    Well you've clearly had too much of it, so it must be as in beer, innit?

  47. Yes, NoScript by Giorgio+Maone · · Score: 2, Informative

    You're wrong, NoScript DOES give protection against this attack. The malicious code comes from the mikeyylolz.uuuq.com, which is not in your NoScript whitelist even if you're using twitter.com with scripts allowed.

    Please check http://hackademix.net/2009/04/13/mikeyys-stalkdaily-twitter-worm-vs-noscript/

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
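
The disagreement between comments 18.2 and 47 comes down to which host a script is fetched from. The sketch below is an added example, not part of the thread and not NoScript's code: it models a per-site script allowlist, assuming a host matches an entry when it equals it or is a subdomain of it. The hostname `mikeyylolz.uuuq.com` is the one named in comment 47; the page URL, file names and the lookalike host are constructed.

```javascript
// Simplified per-site allowlist rule (assumption, not NoScript's real logic):
// a host is allowed if it equals an entry or is a subdomain of one.
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase();
  return allowlist.some((entry) => {
    const e = entry.toLowerCase();
    return h === e || h.endsWith("." + e);
  });
}

// For each script on a page, report the host it loads from and whether the
// allowlist lets it run. `src: null` marks an inline script.
function decideScriptLoads(pageUrl, scripts, allowlist) {
  const page = new URL(pageUrl);
  return scripts.map((s) => {
    if (s.src === null) {
      // Inline code has no host of its own: it runs with the page's permission.
      return { src: "(inline)", host: page.hostname,
               allowed: hostAllowed(page.hostname, allowlist) };
    }
    let u;
    try {
      u = new URL(s.src, page); // resolves relative and protocol-relative URLs
    } catch {
      return { src: s.src, host: null, allowed: false }; // unparsable: refuse
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      return { src: s.src, host: u.hostname || null, allowed: false };
    }
    return { src: s.src, host: u.hostname,
             allowed: hostAllowed(u.hostname, allowlist) };
  });
}

// Constructed sample: a profile page on an allowlisted site.
const SAMPLE_PAGE = "https://twitter.com/constructed_profile";
const SAMPLE_SCRIPTS = [
  { src: "/javascripts/constructed-app.js" },          // same site
  { src: "//mikeyylolz.uuuq.com/PLACEHOLDER.js" },     // third-party host
  { src: "https://twitter.com.lookalike.example/a.js" }, // lookalike host
  { src: null },                                       // inline script
];

function report(allowlist) {
  return decideScriptLoads(SAMPLE_PAGE, SAMPLE_SCRIPTS, allowlist)
    .map((d) => `${d.allowed ? "ALLOW" : "BLOCK"} ${d.host} ${d.src}`);
}

console.log(report(["twitter.com"]).join("\n"));
```

The inline entry is allowed whenever the page itself is, which is why a host allowlist in the browser does not replace output encoding on the server.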