MySpace Worm Creator Sentenced

Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."

Idea

[mfh]

Stop writing malicious scripts.

Re:

[LiquidCoooled]

but Samy is my hero!

Re:Idea

[rblancarte]

Only because he wrote a script to make him your hero.

RonB

Re:

[BruceCage]

cmon everybody let's send him an email to cheer the poor guy up! Oh wait...

Re:Idea

[tomhudson]

"Stop writing malicious scripts."

1. Crack sites, get caught and punished
2. Get job as internet security consultant
3. PROFIT!

The whole "It takes a thief to catch a thief" thing. Hey, it worked for Kevin Mitnick ... [kevinmitnick.com]

Re:

[Yvanhoe]

Man, this is soooooo 20th century !

Re:Idea

[jZnat]

Mitnick went through a lot of shit before he got to where he is now...

A much better (and safer) idea

[Anonymous Coward]

Stop writing scripts. Someone could deem them "malicious" and you're history. Just don't write any. To be on the safe side, do not engage in witchcraft practicing like IT, OSes etc. Leave dangerous experiments to professionals. It already takes a lot of time for them to manage their trade on bigger projects, so it's not for you anyway, you miserable kiddie.

Which brings us to an analogous point, stop playing scientist, too. The government has extensive facilities to determinate current trends in climate behaviour change. Alarmist declarations which negatively impact sales by some of our respected oil industries will be considered criminal activity, for them deprive such noble corporations from their hard earned profits.

Unfortunately, people won't get this, therefore I'm forced to explain the joke: it's sarcasm.

Re:Idea

[jamshid]

It's insane that he is getting in this much trouble, myspace should instead be thanking him for making their site more secure.

His explanation of how he overcame a series of lame myspace.com attempts at security (http://fast.info/myspace/) should be mandatory reading for anyone writing a web application.

Re:

[MyLongNickName]

Yeah. And banks should thank Bonnie and Clyde for making their banks more secure.

Re:Idea

[daviddennis]

I can tell you that before I saw his account of the situation [namb.la], I wanted to let anyone do anything they wanted on my fledgling social networking site [amazing.com]. I agree, this account is required readng for anyone wanting to create a community site.

What he did and how much time and effort he was willing to put into it shocked the heck out of me and caused me to put very strong anti-JavaScript code into my site. I didn't want to do it because I wish we could have given people the freedom to be creative in that arena. But after I saw what he did I felt I had no choice.

That being said, the reality is that he did an enormous amount of damage. He says things were back to normal at myspace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.

From the point of view of the folks who ran myspace, what he did caused untold misery and pain for many people and i think he deserved a heavy punishment.

Not that I really think he will avoid using the Internet for social purposes no matter what the courts say. And I really don't think probation or community service seems like that heavy a punishment for someone who deliberately disrupted a service, however disliked in some quarters, that many people rely on.

Samy and people like him make it a difficult, miserable and thankless task to create services that hopefuly will do nice things for people. They make people like me waste our time trying to figure out how to restrict things, when we'd much rather produce fun features people will use and enjoy. Samy's account made me laugh, but it also made me furious that human nature is so pointlessly destructive.

I hope the sentence deters people from doing similar things.

I wonder how much he had to pay Myspace. Does anyone know?

D

Re:

[daviddennis]

A little context might be useful.

I grew up when the Incompatible Timesharing System was running at MIT and anyone could log on to it by just making up an account. There were no passwords or restrictions. Ordinary users could spy on other people's terminals, and all files were public. Anyone could delete anyone else's files.

But they didn't, because there was an atmosphere of mutual respect that is tragically gone from computing today.

In the late 1970s, about when I left that environment, the administratio

Oh flippin' please

[Moraelin]

There is a fundamental rule of human nature at play here, and it needs to be acknowledged: no one, not even those hiding behind the veil of a corporation, enjoys being embarrassed in public. Exposing a website's flaws may ultimately make it a better website. Just don't expect them to thank you for it.

Oh flippin' please... There's a difference between disclosing a vulnerability properly and actually exploiting it to your own ends.

To give you a RL example, publishing a paper about the vulnerability of locks

Re:Idea

[0xdeadbeef]

Stop writing malicious scripts.

Indeed. When you discover an exploit, you should sell it to the highest bidder. It keeps your hands clean, and it punishes the people who would otherwise punish you.

Re:Idea

[legirons]

"Stop writing malicious scripts."

Sony only got fined $175 maximum per incident [slashdot.org], and they didn't get banned from the internet

Restitution?

[jfenwick]

I'm curious what exactly paying restitution entails in this case, as there was no actual damage. The only thing I can imagine is paying the wages of the people who went into to remove him as a friend from all the people who were affected by the hack, and maybe the wages of the people who were analyzing what was going on.

Re:Restitution?

[BasharTeg]

Being part of a group of Samy's RL friends, we're not sure what his restitution is, but he is very likely not allowed to disclose it. We're just glad he's staying out of prison. Everything else is a secondary concern.

Re:

[Zen]

On one hand I feel really sorry for the guy. He didn't exactly get the whole book thrown at him, but being that young and knowing that something bad is going to happen to you for months and not being able to do anything except wait and see what the Judge says has got to be pure torture. On the other hand, using a flaw in somebody else's code to do something that benefits you (however hilarious and non physically damaging it is) is just ludicrous. If he stopped to think about it for just one minute he wou

Re:

[arth1]

The restitution was probably the cost of patching the vulnerability.

That doesn't seem fair. They would have had to patch the vulnerability anyhow once they discovered it themselves, wouldn't they?
The cost of the whole episode less the cost of patching the vulnerability seems more fair.

Re:

[wile_e_wonka]

I totally agree with you. I just don't think that's the way it went--Courts are presided over by Judges, who are very old white guys that don't really understand this stuff. (I'm a law clerk for two judges; watching these guys try to check their email makes my day every time I see it) "The internet is not a truck...The internet is a series of tubes" speech makes sense to them.

Re:

[SnowZero]

He has to tell one million people "I am not your hero."

Re:

[jfengel]

Can he do it by leaving kudos on their myspace page?

Re:Restitution?

[sxtxixtxcxh]

that'd take forever! maybe he could whip up some sort of script...

Re:Restitution?

[eck011219]

You've answered your own question -- that's where the expense is.

More to the point, things like this statement (from the original post) get under my skin:

Clearly, disclosing security vulnerabilities doesn't pay.

That's not what he did. If that were his true intent, he would have contacted MySpace about the vulnerability. Instead, he pasted his name all over the place (I thought he was nineteen -- that sounds more like the actions of a nine year old). To call this an altruistic attempt to help MySpace is akin to calling the guy who broke into Buckingham Palace in the 80's [wikipedia.org] a security consultant. He didn't really hurt anything and clearly disclosed some problems with palace security procedures, but that wasn't his reason for doing it.

You can't commit a crime and then claim you were simply displaying a flaw in the system. "But your honor, I was simply showing my friend here how lax he was about avoiding punches to the face!"

Re:

[Zen]

I couldn't agree more. The 'slant' on this story is completely ludicrous. He never intended to disclose a security vulnerability. The completely ethical crackers that disclose their work send the information to the company who owns the product and tell them that if it is not patched in a reasonable amount of time that they will release the information. The quasi-ethical crackers that disclose their work send it to the mailing lists as a 0-day often with working exploit code as a proof of concept. This

Re:

[Antique Geekmeister]

Why not? It worked for Robert Morris, who is now a computer science professor at MIT after writing the most destructive worm in UNIX history. Of course, Robert's father was head of the NSA, which helps you get a "stay out of jail free" card when you go to court. Look for details at http://en.wikipedia.org/wiki/Robert_Tappan_Morris [wikipedia.org].

Re:

[viking80]

You have to be careful when talking about "Criminal traspass" on a computer. I think the better allegory here is that somebody leaves all their savings in a pile in the driveway, and then somebody takes some of it. Of course it would be better to suggest to them that it is not a good idea to leave money laying in the drivway, but you can not convict someone of theft and criminal trespass unless the owner shows a decent effort to lock up the valuables.

I presume the law in this area is still immature, but i

Re:

[eck011219]

IANAL, but I seem to recall this very thing coming up somehow in the past. I think it may have been people leaving lawn chairs in their shoveled-out parking spaces -- a common (though dumb and also illegal) practice here in Chicago in the winter to "reserve" that spot for when you get home from work. They left the chairs out, the chairs were taken, and whoever took the chairs was convicted of theft. Even though the chairs were clearly not secured in any way and were, in effect, abandoned in a public street.

One rule for Sony and one rule for Samy

[TheLink]

One rule for Sony and one rule for Samy...

Sony screwed up lots of computers too. But all they had to do was pay some fine that's just a small percent of Sony's profit.

How can anybody be banned from internet?

[andres32a]

I realize the sentence but... how can this be enforced? For how much time?

Re:

[Lazerf4rt]

It's not even as simple as being banned from the Internet. He's "banned from using the Internet for personal reasons for an unknown period of time". Basically, as long as nobody sees him on MySpace for a little while, he'll probably be fine.

I'm sure the whole sentence was handed down just to send a public message: Don't fuck with MySpace. They have a heavily vested interest in being online every minute of the day, and don't want to be taken down for 5 minutes.

Re:How can anybody be banned from internet?

[CHacker]

But why wouldn't I want to fuck with MySpace? Where else on the net could I find a bigger group of clueless individuals to mess with?

Re:

[riff420]

Oh, the irony. Look around, buddy. You're there already.

Re:How can anybody be banned from internet?

[TubeSteak]

How do you ban someone from the internet? What if he leaves the country? What if he tries to download movie times on his cell phone? I do not think any governing power would have the ability to ban someone from the internet.

Samy is on probation.
He now has a probation officer.
If Samy violates the terms of his probation, he can go to jail.
This is how they enforce the internets banhammer.

If Samy leaves the country, much less leaves the state, he has violated the terms of his probation and probably goes to jail. If Samy downloads movies on his cellphone, for non-work related reasons, he has violated the terms of his probation and could go to jail.

Being banned from the internet is no different than being banned from driving, or from going into [place of business] or going near schools, or from possessing [item X], etc.

Judges have this type of power and use it frequently.

Banned from internet == banned from using phones

[tomhudson]

A LOT of voice traffic is carried, at least in part, over the internet. The only way he can be banned from the internet is if he never, among other things, uses a phone (landline OR cellphone).

It also means being banned from certain fast food drive-through windows, where the person who says "can I take your order" is actually sitting in a center in another state.

It also means not using a bank ATM card.

Or digital cable TV.

Or the self-serve scanners at the local Wallyworld, since they're connected to

Re:Banned from internet == banned from using phone

[Goaway]

Yes, because the judgement is obviously meant to be interpreted by a literal-minded nerd.

Re:Banned from internet == banned from using phone

[Night Goat]

Thankfully our legal system has more common sense than you. He can use TV, ATMs, and phones. THEY use the Internet, he uses them.

Re:

[Yvanhoe]

And this is something to be thankful for, because where would we go if people obeyed the letter of the law (or judgement) instead of their perceived spirit ?

Re:

[maxwells_deamon]

IANAL and I have never been on probation.

However what I think this means is the following for three years

must meet with his probation office once a week
may have to take a drug test on a regular basis (even if has never taken drugs)
gets his finger prints on record and the conviction.
aggrees not to use the internet for other than business purposes.
community service ....

The probation officer has the right to inspect the browser cache and files on any computer he has access to.

The bigest deal is that if he does

Re:

[Stormx2]

A COMPUTER uses the internet, he uses the computer

Nice use of black and white. Clearly he can't use a library's website to check if a book is in stock, but if he went to the library and took out a book, and they asked him for his name, address, phone number, and the data is sent to their online server, is he using it then? If the librarian sudden got a bout of Carpal tunnel syndrome and asked him to type in the details would he be allowed to do that?

Does he simply have to ask someone else to enter thi

Re:

[Loie]

by this logic, doesn't my computer use the internet, and I just tell it what to do? (i do get the point though, just being contentious)

Re:

[tomhudson]

In the same vein ... he uses computers, they use the internet.

Think the judge would buy it?

Re:

[johnw]

Thankfully our legal system has more common sense than you. He can use TV, ATMs, and phones. THEY use the Internet, he uses them.

By the same argument, he can use a web browser. It uses the Internet to fetch his pages; he uses the web browser.

I suspect that what the judgement meant to say was that he was banned from using a web browser. A classic example of how sloppy use of terminology leads to problems.

John

Two things are obvious

[cicho]

1. He can't read /.
2. He can't surf for pr0n.

One is cruel. Both are inhuman.

Re:

[westlake]

How do you ban someone from the internet? What if he leaves the country? What if he tries to download movie times on his cell phone? I do not think any governing power would have the ability to ban someone from the internet.

It's called violation of parole. You do not leave the country. You do not carry a web-enabled cell phone.

Re:

[DarkVader]

Realistically? You can't. It's unenforceable, and it's unconstitutional.

The right to freedom of speech doesn't include a "due process" weasel out clause, it's a right no matter what else you do.

In the 21st century, it's like banning someone from publishing a newspaper, which no court would ever consider being able to get away with.

Re:

[SnowZero]

Realistically? You can't. It's unenforceable, and it's unconstitutional.

While it's true that it will be difficult to enforce, how on earth is it "unconstitutional"? Where, exactly, in the constitution does it guarantee a "right to use the internet"?

The right to freedom of speech doesn't include a "due process" weasel out clause, it's a right no matter what else you do.

No. Rights are regularly removed when you break the law. Life, liberty, and property can all be taken away for crimes, provided that the

Re:

[Original Replica]

he is banned from accessing the internet for personal reasons for an unknown amount of time"

"Being part of a group of Samy's RL friends, we're not sure what his restitution is, but he is very likely not allowed to disclose it. "

Are the details of his sentence being kept secret for personal reasons or is there some sort of "secret punishment" clause in the patriot act that extends to script kiddies? If justice is being served here, why would the details need to be secret?

"disclosing security vulnerabilities doesn't pay"

[mangu]

It won't pay until the blame is shifted to the real culprits: managers who hire the least competent possible technical people.

Let's face it, a company selling a service should have a team who knows more than the customers do about the details of that service. If that were the norm, security vulnerabilities would be found before exploits came out.

Re:"disclosing security vulnerabilities doesn't pa

[rblancarte]

WTF are you talking about? This guy wrote is worm. He didn't disclose any sort of vulnerability. Unless by disclose, you mean he exploited it. That is like saying a guy who writes a Windows virus that wipes out millions of hard drives world wide is not at fault, Microsoft it for leaving that vulnerability in there.

Look, this is like tons of other cases, Gary McKinnon [wikipedia.org], Adrien Lamo [wikipedia.org] and others. If you are breaking a rule or the law, do not expect leniency, regardless if you meant good or ill. Claiming th

Re:"disclosing security vulnerabilities doesn't pa

[SnowZero]

Ah yes, the old "throw a brick through a car window and blame it on the window manufacturer" argument. Samy didn't just identify an exploit, he actively exploited it, and even made it self replicating. That's a little bit more than "disclosing", don't you think? Considering that he effectively took down myspace, and probably cost them quite a bit in lost advertising revenue, I think he got off pretty easily.

Personally I really like the idea of community service sentences as punishment for internet crimes

Re:

[mangu]

it's OK to treat others however you want because they're not as smart as you are

No, it's not OK. But if you are in a position of responsibility you should get the smartest people you can to protect your customers.

What if your bank manager told you, "sorry, your money has been stolen, but, of course, we have nothing to do with that, don't blame me for the criminal's action".

In a perfect world, there would be no burglars. No thieves or murderers. But this world is not perfect, and you should learn to live wi

Re:

[rblancarte]

I agree that there is some level responsibility of the site operators. I think your bank example is a really good one. But at the same time, just because the bank made a mistake, doesn't mean that the burglar who robbed the bank can get off scott-free.

RonB

Re:disclosing arrogance doesn't pay

[Teun]

A nice example of how to deal with friendly hacker/crackers in an adult way is in the Terms and Conditions of Dutch ISP xs4all:
http://www.xs4all.nl/uk/overxs4all/voorwaarden/ind ex.php?taal=en [xs4all.nl]

4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.

The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.

Would more companies have a similar and well published policy guys like Samy might not have to go through all this legal grief.
And the companies would gain a lot of security.

Banned from using the Internet?

[SteveFoerster]

Banned from using the Internet? Is that like the opposite of house arrest?

Summary is wrong...

[TubeSteak]

"The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation."

AFAIK, a civil court (which is where MySpace would have to sue Samy) doesn't ban people from the internets or sentance them to community service. And TFA says he pleaded guilty in LA Superior Court... you don't plead guilty in civil court.

Here's a better article [techspot.com]

Samy Kamkar (aka 'Samy is my Hero') plead guilty yesterday in Los Angeles Superior Court to a violation of Penal Code section 502(c)(8) as a felony and was placed on three years of formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and had computer restrictions placed on the manner and means he could use a computer - he can only use a computer and access the internet for work related reasons.

Undoubtedly, the prosecutor had MySpace's cooperation, but MySpace certainly didn't "target him" in court.

P.S. of the 3 articles on Google News [google.com] submitter picked the least informative one.

Re:

[TubeSteak]

hmm, i just read the MySpace press release in the techspot comments section

"MySpace is committed to protecting our community from any abusive misuse of the site. We worked closely with the Los Angeles District Attorney's office in taking criminal action against Samy Kamkar (aka "Samy Is My Hero") for criminal activity related to launching a replicating worm attack on MySpace. We are pleased with the verdict and will continue to pursue criminal action against people who try to harm our members in any way."
..

Exactly. He's not exactly blameless.

[cgenman]

Clearly, disclosing security vulnerabilities doesn't pay.

Clearly. Especially when you disclose a vulnerability by bringing a popular service to it's knees through a self-propogating script and shut it down for extended periods of time while they try to repair the problem. And for that, he doesn't get any jail time, and has to spend some weekends picking up trash by the side of the road. The raging injustice.

This does not do justice to those security researchers who actually disclose vulnerabilities and a

Re:Exactly. He's not exactly blameless.

[daviddennis]

Isn't a script kiddie someone who launches other peoples' exploits that are discoverable against targets?

I don't like what this guy did, but it was clever and certainly not someone a script kiddie can do. Here's his explanation [namb.la] of his worm and how it worked. Clearly it took a lot of original effort and thought to do it.

D

Re:

[rblancarte]

Why did the guy end up in court? What he did was illegal. Demonstration is not an excuse.

RonB

Re:

[Jeff DeMaagd]

Did this person even report these problems through proper channels first? There is an established due diligence factor in reporting vulnerabilities. Also, if you make such a hack public, even without the source, and a more malicious person can pick it apart to add another ingredient to do significant damage. There is also a chance that this sort of thing could have caused problems if it overloaded the servers.

But Samy is my hero

[Anonymous Coward]

The kid wasn't malicious, it was a joke. If anyone should be punished it's myspace for having such a crap web application that allowed a worm to replicate so quickly.

From what I've heard of the quality of MySpace code and given it's popularity, the site is the nets #2 liability behind Windows zombies.

Missing the point

[cunamara]

Clearly, disclosing security vulnerabilities doesn't pay.

The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.

Poor Judgement

[BlueCoder]

Yes he had poor judgement in creating a worm that did no evil. He should have created one that did very bad things and then he would have been on his gaurd and not have gotten caught. His poor judgement was telling a bully his fly was open and not thinking the bully would blame him for it.

Re:

[Animaether]

"His poor judgement was telling a bully his fly was open and not thinking the bully would blame him for it."

Except that said analogy is more wrong than car analogies. But seeing as you created it...

This was more along the lines of this guy taking a piss into said bully's open fly. Then the bully obviously realizes that there's piss in his underpants, and he sure didn't put it there, so he ponders what went on.. realizes his fly was open, then traces back past events until he realizes that it was a kid who

Summary biased?

[anakin876]

Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.

Re:

[ScrewMaster]

Actually, disclosing a vulnerability does often entail creating executable code to exploit it: how else do you prove the vulnerability really exists? Actually releasing said code ... that's a different matter.

Does he need to be added to this list?

[Geek_3.3]

http://uncyclopedia.org/wiki/Banned_from_the_Inter net [uncyclopedia.org]

he's not from detroit is he? :-P

Protected from "harm"?

[kestasjk]

We are pleased with the verdict and will continue to pursue criminal action against people who try to harm our members in any way.

Protect your members from the horrors of a harmless prank by helping get one of your members three years of probation, three months of community service, pay restitution to MySpace, banned using the Internet for personal uses, and having a tarnished CV.

I'd like to think that if someone managed to release a script onto /. that added everyone as their friend the admins would bru

Report security holes only to open source authors

[kcbrown]

The way things are in the U.S. today (and getting that way elsewhere as well), it looks to me like it's simply not worth revealing security holes to the corporations that have them. All they'll do is either sue you into oblivion or get you criminally prosecuted. They sure as hell won't thank you.

So I think it's time to let these corporations have what they want. Let them have their blissfully naive fantasy that they're invulnerable. They don't want to hear anything to the contrary, so why tell them

The wording of this article is horribly biased

[Omnifarious]

He did not 'disclose a vulnerability'. He wrote a script that exploited it. It wasn't a script that was designed as a proof of concept that did nothing. It was a script added him to tons of people's friends list and put a phrase in their profile.

Banning someone from the Internet is a stupid punishment. And perhaps the whole thing was a bit harsh. IMHO, this was a prank that deserved the equivalent of the punishment you get for disorderly conduct or vandalism, not for a really serious crime.

But, this

Understandable really...

[cliveholloway]

He's been acting a little strange since he failed the screen test [flickr.com] for Brokeback Mountain... cLive ;-)

LOL

[Raven42rac]

He did less damage then the Enron guys, yet he'll still probably end up facing worse punishment.

please explain

[nomadic]

He did less damage then the Enron guys, yet he'll still probably end up facing worse punishment.

He got probation, so no jail time. Jeff Skilling of Enron fame got 24 years in prison. Andrew Fastow got 10 years.

Re:

[Raven42rac]

Oh, oops. Maybe I meant some of those other robber barons.

No Damage?

[thedbp]

I guess you don't value other people's time. Time spent cleaning up their profile. Bandwidth wasted on this stupid little look-at-me script.

Punishment more than suits the offense. If you don't want to be inconvenienced and have your time taken from you by the legal system, don't inconvenience other people and steal their time.

Simple formula.

Too Bad People Don't Understand Technology

[logicnazi]

The problem is that judges, juries and prosecutors aren't really comfortable and familiar with technology so they apply the law stupidly and literally. Kinda like the same way some earlier comment took 'no internet' to mean not using any device that happens to utilize the internet.

I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now obviously it would be a bad idea to do this as it would be a bad idea to run this myspace worm, however, because the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates, having strong punishments for behavior that can be used maliciously but showing mercy when used more innocently.

In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus in their mind far from a kid playing a trick on a company that left the door open the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real world equivalent of rearranging the books can be made to seem the activities of some kind of online underground.

Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info etc..) the prosecution just talks about how it was a DOS attack and the jury isn't going to know any better. In fact it is all to easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never resorted the books). Finally this lack of knowledge and the difficulty valuing IP makes it super easy (as in the mitnick case) to over estimate the seriousness of the harm. Even if it may have actually made more people visit myspace (I looked).

Obviously it isn't a good idea to release a javascript worm like this but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology it would do just that.

Re:

[paeanblack]

I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time.

Breaking & Entering
Criminal Trespass
Burglary (even if nothing is stolen!)
Vandalism

Your little "j

Re:

[Garse Janacek]

Ah, the plague of "If we can make it into a bad analogy, then obviously it's okay."

Other people have pointed out that the physical behavior you described actually would be illegal and could have noticeable consequences. But I want to pick on the analogy itself: this was not a case of "it looked like the store was open, the door was unlocked, so I went in and messed around with things." The store did not look open. He did not enter through the front door. It was very clear that he was exploiting something

Liability

[bryan1945]

I'm taking a grad course in infosec, and our prof told us about a case where an engineering student found a vulnerability in his department's website. Wasn't even looking, just stumbled upon it. He reported it to his adviser, who told the department, and it got fixed. The next semester someone exploited the mathematics department's site, and the first person they questioned was the engineering student. Different department, different exploit, but they focused on him first since he reported a vulnerability. They eventually found the real person responsible.

We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student- what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?

Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"

Should'a used AMP!

[Skudd]

Nah, seriously... I'm sure that the Coldfusion platform has similar abilities:

1. Delete "Sammy's" profile from the database
2. Search for all occurrences of the "malicious" code in the database and remove it
3. Return to ruining the social world

Just my $0.02 USD.

Corps like these deserve what they get

[BlueCoder]

When the good and neutral are being punished for bringing attention to what needs attention... It's just not worth it to be honest and true.

The ignorent may not listen but the dark market understands. The dark side is seductive.

He Exploited the Vulnerability

[ClubStew]

The poster said that exposing the vulnerability didn't pay. Now, while I think banned from the Internet (yeah, however THAT works) is extreme, keep in mind he didn't just disclose the vulnerability - exploited it. Had he just exposed it - and was mindful to disclose it first to MySpace - I'd feel more sympathy toward the guy.

Slanted summary

[Feanturi]

Clearly, disclosing security vulnerabilities doesn't pay.

Ummm, nice slant on that summary. Exploiting security vulnerabilities before disclosing them is an entirely different matter. This kid isn't anybody's hero for explaining about the hole after it had already been fixed, what was that supposed to have served anyhow?

Samy is my hero

[WndrBr3d]

In all fairness, Samy is still allowed to use the internet for work reasons.

He never used it in his spare time because he was always too busy being a sexy [enusbaum.com] man picking up women with his hot body [ytmnd.com].

We love you Samy!

- #L

He wouldn't have been caught...

[hellraison]

If he had only knew about proxy servers :(...
and didn't put his name everywhere

Banned from the Internet?

[Schraegstrichpunkt]

and is also banned from the Internet.

Actually, he probably can't get a job as a programmer anywhere. What good is a programmer who can't search Google?

I'm very disappointed with courts' willingness to ban people from computers and/or the Internet. I think they fail to understand the full impact that has in this part of the 21st century.

Re:

[Schraegstrichpunkt]

Does rhyme constitute sound argument?

Undisclosed amount vs fighting it

[jjshoe]

What you don't read is that Samy actually settled with Myspace, which is what they probably planned to do in the first place. They obviously wanted to make an example of him and they did. Samy was on every one's profile twice, once was his doing, and once was Tom's doing... [joel.io]

Yes he could have fought this further in court but when my $fighting > $settlement there's only one move to take. Plus if he went to jail then who would I go to Chipotles with? :(

This is why...

[dacarr]

This is why, in the real world, if you're going to do "sneaker attacks", you make absolutely positively sure you have a contract. It gives them an understanding as to what can happen, and more importantly, it covers your ass if you find something that blows up the system.

Besides, Myspace is evil anyway.

creating vulnerabilities does pay, however

[oohshiny]

It seems, however, that creating security vulnerabilities does pay. Why, companies like MySpace and Microsoft can always shift the blame on some teenager or "computer error" or a careless employee.

Unlike physical security, making a computer system secure against teenage hackers is not rocket science. This vulnerability was clearly a MySpace screwup, and they should be held responsible and pay the price for it. That principle may not be so important when it comes to MySpace (because there is little of value there), but it becomes of paramount importance when it's your bank or your hospital.

People who offer commercial services using software should be responsible for the safety and security properties of that software. And in order to prevent those companies from blame-shifting, the people breaking in should be held responsible only if they demonstrably attempted to commit a real-world crime other than simply breaking into the computer system.

I know Samy

[davidu]

I know Samy personally and he is one of the smartest and most level-headed individuals I know. This is the case where a joke went a bit awry but it could have happened to any of us. He specifically made sure he wasn't malicious in what he did but the side effect over overwhelming MySpace's server was unintended.

This is no different from the Morris worm. The sad fact is that he got prosecuted whereas the hundreds of botnet operators overseas and here in the US continue to wreak the real havoc on networks and infrastructure totally immune from prosecution.

Samy got caught because he put his name on what he did. It's sad that that is the only basis for prosecution of computer crimes in this country. The good guys at the FBI and USSS don't have enough clue helping them to bring in the real criminals.

-david

Re:The moral of this story...

[Alioth]

Sigh. He released a frikin' worm, he didn't just pick up the phone and say "Your service is vulnerable to X". He actually exploited the vulnerability. It's like instead of telling someone that the lock doesn't work on their door, you instead go in, sleep in their beds, drink their beer and rearrange their furniture. Telling them the lock doesn't work? A nice neighbourly thing. Going in and rearranging their house without their consent? Criminal trespass.

Precisely

[Sycraft-fu]

This is something I just don't get, the mindset that so many people seem to have that when it comes to comptuers, if you can do it, that should make it legal and acceptable. No, that's not the case. Being able to do something doens't make it ok. I highly doubt there's more than a handful of peopel on Slashdot with houses so secure that I couldn't break in to them. Home security is usually pretty basic. However that doesn't make it ok for me to do, even if my intent is simply to prove that it can be done. It's your house, I'm welcome to stay the fuck out unless you give me permission.

Same is true of a computer. Just because there's a security hole on a system, doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.

In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative, however if I catch you jiggling the door knobs, checking the windows, etc I'm likely to interpret that has malicious, even if you intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However don't sniff around looking for holes unless they've given you the OK.

This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.

Re:

[BlueCoder]

That's not a valid analogy. When it comes to computers the concept is the thing itself. The worm didn't do anything, it's a proof of concept. It's more like posting a xerox of a key on the internet. No payload is no payload. There was no actual "use" involved. It's like trying to rob a bank with an orange water gun. It's called a bad joke.

His actual crime was embarassing people.

Re:

[Tim C]

The worm didn't do anything

I was under the impression that it:

added Samy as a friend of anyone hit by it
used computing resources without permission
required human intervention to clean up afterwards (removing the data, not just patching the hole)

Even if you discount the second two points, the first is indisputable - it had a payload. The payload wasn't malicious, but it was still a payload.

It's like trying to rob a bank with an orange water gun.

Depending on the circumstances and how you do it, that could get

Re:

[gsslay]

The moral of this story is that if you do the right thing and inform those affected then you risk personal liability, charges, fees and so on...

In what way is writing a virus to exploit a security weakness "informing those affected"?

Re:I still insist

[@madeus]

Why don't they put in jail everyone who creates real viruses in the labs, but do put those away that create computer viruses (and do not even use them out of a controlled enviroment (lab))??

(a) I don't know of anyone who's ever been 'put away' for developing a computer virus in a lab.
(b) Kamkar used this exploit in the real world, effecting one million accounts (and even he isn't being 'put away').

The writeup is misleading when it says:

The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability.

The author used the script it to add over one million 'friends' to his profile, MySpace then addressed the issue. Obviously the source was released *before* it was patched (that's fundamental to how the exploit worked). All he did after the event was post a more detailed explanation of how he developed the exploit.

Note, he didn't circulate that that to anyone before hand or tell MySpace about what he had found - he just decided to go right ahead exploit the vulnerability.

I don't believe for a minute MySpace - as much as I dislike the site and most of it's users - would go after someone who, on discovering the issue, actually went to them first and told them about what they had found (or even if they'd just published notice of a theoretical vulnerability via something like a known and respected security mailing list).

Kamkar did none of those things, he just decided to go right ahead and exploit the hole and play at being a haxor. Given he was 19 and so clearly old enough to have known better, three months of community service and being forced to pay restitution to MySpace sounds about right to me.

One less guy like that on the Internet for a while is something I'd welcome too.

Re:

[@madeus]

Since when is MySpace "the real world"?

It always has been a web site,in the real world, maintained by real people who cost real money to employ to run the site and to clean up after this sort of thing, it has real advertisers and real owners too. It exists to generate money for people, it's a business.

In what way does it not exist in "the real world"?

Re:

[orgelspieler]

Actually, the article I read said that he pled guilty. You can only plead guilty to criminal actions, and according to this [techspot.com], it was "Penal Code section 502(c)(8) [ca.gov]," a felony. Specifically, he "knowingly introduces any computer contaminant into any computer, computer system, or computer network." According to (b) (10), "'Computer contaminant' means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer n