MySpace Worm Creator Sentenced

Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."

Summary is wrong...

[TubeSteak]

"The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation."

AFAIK, a civil court (which is where MySpace would have to sue Samy) doesn't ban people from the internets or sentance them to community service. And TFA says he pleaded guilty in LA Superior Court... you don't plead guilty in civil court.

Here's a better article [techspot.com]

Samy Kamkar (aka 'Samy is my Hero') plead guilty yesterday in Los Angeles Superior Court to a violation of Penal Code section 502(c)(8) as a felony and was placed on three years of formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and had computer restrictions placed on the manner and means he could use a computer - he can only use a computer and access the internet for work related reasons.

Undoubtedly, the prosecutor had MySpace's cooperation, but MySpace certainly didn't "target him" in court.

P.S. of the 3 articles on Google News [google.com] submitter picked the least informative one.

Re:How can anybody be banned from internet?

[TubeSteak]

How do you ban someone from the internet? What if he leaves the country? What if he tries to download movie times on his cell phone? I do not think any governing power would have the ability to ban someone from the internet.

Samy is on probation.
He now has a probation officer.
If Samy violates the terms of his probation, he can go to jail.
This is how they enforce the internets banhammer.

If Samy leaves the country, much less leaves the state, he has violated the terms of his probation and probably goes to jail. If Samy downloads movies on his cellphone, for non-work related reasons, he has violated the terms of his probation and could go to jail.

Being banned from the internet is no different than being banned from driving, or from going into [place of business] or going near schools, or from possessing [item X], etc.

Judges have this type of power and use it frequently.

Re:Restitution?

[Zen]

On one hand I feel really sorry for the guy. He didn't exactly get the whole book thrown at him, but being that young and knowing that something bad is going to happen to you for months and not being able to do anything except wait and see what the Judge says has got to be pure torture. On the other hand, using a flaw in somebody else's code to do something that benefits you (however hilarious and non physically damaging it is) is just ludicrous. If he stopped to think about it for just one minute he would have realized that he could never get away with it. A company that big would never sit back and let it slide when they got their butts handed to them by one guy working alone. That said, I hope he can appeal the Internet usage ban after his community service and restitution payback is finished. That's just inhumane punishment for a computer nerd like most of the people reading /. If he has no other recorded history of doing anything similar that the police can dig up, he should hopefully have a good chance at an appeal. One strike and you're out when the damage was not physical, trade secrets, or military secrets does not seem fair.

Best of luck to him!

Re:Restitution?

[Antique Geekmeister]

Why not? It worked for Robert Morris, who is now a computer science professor at MIT after writing the most destructive worm in UNIX history. Of course, Robert's father was head of the NSA, which helps you get a "stay out of jail free" card when you go to court. Look for details at http://en.wikipedia.org/wiki/Robert_Tappan_Morris [wikipedia.org].

Re:Idea

[jamshid]

It's insane that he is getting in this much trouble, myspace should instead be thanking him for making their site more secure.

His explanation of how he overcame a series of lame myspace.com attempts at security (http://fast.info/myspace/) should be mandatory reading for anyone writing a web application.

Re:The moral of this story...

[Tim C]

The worm didn't do anything

I was under the impression that it:

added Samy as a friend of anyone hit by it
used computing resources without permission
required human intervention to clean up afterwards (removing the data, not just patching the hole)

Even if you discount the second two points, the first is indisputable - it had a payload. The payload wasn't malicious, but it was still a payload.

It's like trying to rob a bank with an orange water gun.

Depending on the circumstances and how you do it, that could get you shot dead. At the very least, you'll likely be charged with something along the lines of using an imitation firearm to threaten people, attempted robbery, and if it could be demonstrated that you were convincing enough (eg you had the water pistol covered so only the shape was apparent) potentially even with armed robbery.

Don't think you might end up shot? Think again [bbc.co.uk].

Undisclosed amount vs fighting it

[jjshoe]

What you don't read is that Samy actually settled with Myspace, which is what they probably planned to do in the first place. They obviously wanted to make an example of him and they did. Samy was on every one's profile twice, once was his doing, and once was Tom's doing... [joel.io]

Yes he could have fought this further in court but when my $fighting > $settlement there's only one move to take. Plus if he went to jail then who would I go to Chipotles with? :(

Re:Idea

[jZnat]

Mitnick went through a lot of shit before he got to where he is now...

Re:Exactly. He's not exactly blameless.

[daviddennis]

Isn't a script kiddie someone who launches other peoples' exploits that are discoverable against targets?

I don't like what this guy did, but it was clever and certainly not someone a script kiddie can do. Here's his explanation [namb.la] of his worm and how it worked. Clearly it took a lot of original effort and thought to do it.

D

Re:So

[orgelspieler]

Actually, the article I read said that he pled guilty. You can only plead guilty to criminal actions, and according to this [techspot.com], it was "Penal Code section 502(c)(8) [ca.gov]," a felony. Specifically, he "knowingly introduces any computer contaminant into any computer, computer system, or computer network." According to (b) (10), "'Computer contaminant' means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information."

So the way I read that is that even if he had permission to add stuff to his profile (which clearly he did, since the changes were allowed), if the changes were not intended by the "owner of the information," then he broke this law. Pretty screwy wording, if you ask me. So basically, anytime you "modify" data in a manner not intended by the website owner, you're breaking the law (at least in California). I wonder how long before somebody uses this law to sue the RIAA for putting fake files on P2P networks?