Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

MySpace Worm Creator Sentenced

Posted by CmdrTaco on Sun Feb 04, 2007 11:27 AM
from the wear-the-hat-and-sit-in-the-corner dept.
Security Government The Courts News
Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."
+ -
story

Related Stories

[+] Cross-Site Scripting Worm Floods MySpace 321 comments
DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

MySpace Worm Creator Sentenced 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Idea (Score:4, Insightful)

    by mfh (56) on Sunday February 04 2007, @11:29AM (#17881120) Journal
    Stop writing malicious scripts.

    • Re:Idea (Score:5, Insightful)

      by tomhudson (43916) <hudson.videotron@ca> on Sunday February 04 2007, @11:48AM (#17881236) Journal

      "Stop writing malicious scripts."

      1. Crack sites, get caught and punished
      2. Get job as internet security consultant
      3. PROFIT!

      The whole "It takes a thief to catch a thief" thing. Hey, it worked for Kevin Mitnick ... [kevinmitnick.com]

    • A much better (and safer) idea (Score:5, Funny)

      by Anonymous Coward on Sunday February 04 2007, @01:18PM (#17881774)
      Stop writing scripts. Someone could deem them "malicious" and you're history. Just don't write any. To be on the safe side, do not engage in witchcraft practicing like IT, OSes etc. Leave dangerous experiments to professionals. It already takes a lot of time for them to manage their trade on bigger projects, so it's not for you anyway, you miserable kiddie.

      Which brings us to an analogous point, stop playing scientist, too. The government has extensive facilities to determinate current trends in climate behaviour change. Alarmist declarations which negatively impact sales by some of our respected oil industries will be considered criminal activity, for them deprive such noble corporations from their hard earned profits.

      Unfortunately, people won't get this, therefore I'm forced to explain the joke: it's sarcasm.

    • Re:Idea (Score:5, Informative)

      by jamshid (140925) on Sunday February 04 2007, @01:38PM (#17881902)
      It's insane that he is getting in this much trouble, myspace should instead be thanking him for making their site more secure.

      His explanation of how he overcame a series of lame myspace.com attempts at security (http://fast.info/myspace/) should be mandatory reading for anyone writing a web application.

    • Re:Idea (Score:5, Insightful)

      by legirons (809082) on Sunday February 04 2007, @02:03PM (#17882024)
      "Stop writing malicious scripts."

      Sony only got fined $175 maximum per incident [slashdot.org], and they didn't get banned from the internet

  • How can anybody be banned from internet? (Score:4, Insightful)

    by andres32a (448314) on Sunday February 04 2007, @11:35AM (#17881156) Homepage
    I realize the sentence but... how can this be enforced? For how much time?
  • Banned from using the Internet? Is that like the opposite of house arrest?

  • Summary is wrong... (Score:5, Informative)

    by TubeSteak (669689) on Sunday February 04 2007, @11:40AM (#17881188) Journal
    "The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation."

    AFAIK, a civil court (which is where MySpace would have to sue Samy) doesn't ban people from the internets or sentance them to community service. And TFA says he pleaded guilty in LA Superior Court... you don't plead guilty in civil court.

    Here's a better article [techspot.com]

    Samy Kamkar (aka 'Samy is my Hero') plead guilty yesterday in Los Angeles Superior Court to a violation of Penal Code section 502(c)(8) as a felony and was placed on three years of formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and had computer restrictions placed on the manner and means he could use a computer - he can only use a computer and access the internet for work related reasons.

    Undoubtedly, the prosecutor had MySpace's cooperation, but MySpace certainly didn't "target him" in court.

    P.S. of the 3 articles on Google News [google.com] submitter picked the least informative one.

  • But Samy is my hero (Score:5, Insightful)

    by Anonymous Coward on Sunday February 04 2007, @11:45AM (#17881212)
    The kid wasn't malicious, it was a joke. If anyone should be punished it's myspace for having such a crap web application that allowed a worm to replicate so quickly.

    From what I've heard of the quality of MySpace code and given it's popularity, the site is the nets #2 liability behind Windows zombies.

  • Missing the point (Score:5, Insightful)

    by cunamara (937584) on Sunday February 04 2007, @11:48AM (#17881234) Homepage

    Clearly, disclosing security vulnerabilities doesn't pay.

    The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.

  • Summary biased? (Score:5, Interesting)

    by anakin876 (612770) <anakin876 AT hotmail DOT com> on Sunday February 04 2007, @11:54AM (#17881276)
    Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.
  • The problem is that judges, juries and prosecutors aren't really comfortable and familiar with technology so they apply the law stupidly and literally. Kinda like the same way some earlier comment took 'no internet' to mean not using any device that happens to utilize the internet.

    I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now obviously it would be a bad idea to do this as it would be a bad idea to run this myspace worm, however, because the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates, having strong punishments for behavior that can be used maliciously but showing mercy when used more innocently.

    In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus in their mind far from a kid playing a trick on a company that left the door open the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real world equivalent of rearranging the books can be made to seem the activities of some kind of online underground.

    Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info etc..) the prosecution just talks about how it was a DOS attack and the jury isn't going to know any better. In fact it is all to easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never resorted the books). Finally this lack of knowledge and the difficulty valuing IP makes it super easy (as in the mitnick case) to over estimate the seriousness of the harm. Even if it may have actually made more people visit myspace (I looked).

    Obviously it isn't a good idea to release a javascript worm like this but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology it would do just that.

  • Liability (Score:5, Insightful)

    by bryan1945 (301828) on Sunday February 04 2007, @12:48PM (#17881566) Journal
    I'm taking a grad course in infosec, and our prof told us about a case where an engineering student found a vulnerability in his department's website. Wasn't even looking, just stumbled upon it. He reported it to his adviser, who told the department, and it got fixed. The next semester someone exploited the mathematics department's site, and the first person they questioned was the engineering student. Different department, different exploit, but they focused on him first since he reported a vulnerability. They eventually found the real person responsible.

    We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student- what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?

    Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"

    • Re:The moral of this story... (Score:5, Insightful)

      by Alioth (221270) <dyls@alioth.net> on Sunday February 04 2007, @12:12PM (#17881368) Homepage Journal
      Sigh. He released a frikin' worm, he didn't just pick up the phone and say "Your service is vulnerable to X". He actually exploited the vulnerability. It's like instead of telling someone that the lock doesn't work on their door, you instead go in, sleep in their beds, drink their beer and rearrange their furniture. Telling them the lock doesn't work? A nice neighbourly thing. Going in and rearranging their house without their consent? Criminal trespass.

      • Precisely (Score:5, Insightful)

        by Sycraft-fu (314770) on Sunday February 04 2007, @12:42PM (#17881532)
        This is something I just don't get, the mindset that so many people seem to have that when it comes to comptuers, if you can do it, that should make it legal and acceptable. No, that's not the case. Being able to do something doens't make it ok. I highly doubt there's more than a handful of peopel on Slashdot with houses so secure that I couldn't break in to them. Home security is usually pretty basic. However that doesn't make it ok for me to do, even if my intent is simply to prove that it can be done. It's your house, I'm welcome to stay the fuck out unless you give me permission.

        Same is true of a computer. Just because there's a security hole on a system, doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.

        In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative, however if I catch you jiggling the door knobs, checking the windows, etc I'm likely to interpret that has malicious, even if you intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However don't sniff around looking for holes unless they've given you the OK.

        This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.

    • Re:Restitution? (Score:5, Interesting)

      by BasharTeg (71923) on Sunday February 04 2007, @12:15PM (#17881384) Homepage
      Being part of a group of Samy's RL friends, we're not sure what his restitution is, but he is very likely not allowed to disclose it. We're just glad he's staying out of prison. Everything else is a secondary concern.

    • Re:Restitution? (Score:5, Insightful)

      by eck011219 (851729) on Sunday February 04 2007, @12:24PM (#17881422)
      You've answered your own question -- that's where the expense is.

      More to the point, things like this statement (from the original post) get under my skin:

      Clearly, disclosing security vulnerabilities doesn't pay.

      That's not what he did. If that were his true intent, he would have contacted MySpace about the vulnerability. Instead, he pasted his name all over the place (I thought he was nineteen -- that sounds more like the actions of a nine year old). To call this an altruistic attempt to help MySpace is akin to calling the guy who broke into Buckingham Palace in the 80's [wikipedia.org] a security consultant. He didn't really hurt anything and clearly disclosed some problems with palace security procedures, but that wasn't his reason for doing it.

      You can't commit a crime and then claim you were simply displaying a flaw in the system. "But your honor, I was simply showing my friend here how lax he was about avoiding punches to the face!"

    • Re:I still insist (Score:5, Insightful)

      by @madeus (24818) <slashdot_24818@mac.com> on Sunday February 04 2007, @12:44PM (#17881538)

      Why don't they put in jail everyone who creates real viruses in the labs, but do put those away that create computer viruses (and do not even use them out of a controlled enviroment (lab))??
      (a) I don't know of anyone who's ever been 'put away' for developing a computer virus in a lab.
      (b) Kamkar used this exploit in the real world, effecting one million accounts (and even he isn't being 'put away').

      The writeup is misleading when it says:

      The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability.

      The author used the script it to add over one million 'friends' to his profile, MySpace then addressed the issue. Obviously the source was released *before* it was patched (that's fundamental to how the exploit worked). All he did after the event was post a more detailed explanation of how he developed the exploit.

      Note, he didn't circulate that that to anyone before hand or tell MySpace about what he had found - he just decided to go right ahead exploit the vulnerability.

      I don't believe for a minute MySpace - as much as I dislike the site and most of it's users - would go after someone who, on discovering the issue, actually went to them first and told them about what they had found (or even if they'd just published notice of a theoretical vulnerability via something like a known and respected security mailing list).

      Kamkar did none of those things, he just decided to go right ahead and exploit the hole and play at being a haxor. Given he was 19 and so clearly old enough to have known better, three months of community service and being forced to pay restitution to MySpace sounds about right to me.

      One less guy like that on the Internet for a while is something I'd welcome too.

          • Re:disclosing arrogance doesn't pay (Score:5, Interesting)

            by Teun (17872) on Sunday February 04 2007, @02:46PM (#17882256) Homepage
            A nice example of how to deal with friendly hacker/crackers in an adult way is in the Terms and Conditions of Dutch ISP xs4all:
            http://www.xs4all.nl/uk/overxs4all/voorwaarden/ind ex.php?taal=en [xs4all.nl]

            4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.

            The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.

            Would more companies have a similar and well published policy guys like Samy might not have to go through all this legal grief.
            And the companies would gain a lot of security.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.