MySpace Worm Creator Sentenced
Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20-year-old (19 at the time of writing the worm) three years of probation, three months of community service, an order to pay restitution to MySpace, and a ban from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."
Idea (Score:4, Insightful)
Restitution? (Score:3, Insightful)
How can anybody be banned from internet? (Score:4, Insightful)
But Samy is my hero (Score:5, Insightful)
From what I've heard of the quality of MySpace code, and given its popularity, the site is the net's #2 liability behind Windows zombies.
Missing the point (Score:5, Insightful)
Clearly, disclosing security vulnerabilities doesn't pay.
The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.
Re:Idea (Score:5, Insightful)
"Stop writing malicious scripts."
The whole "It takes a thief to catch a thief" thing. Hey, it worked for Kevin Mitnick ... [kevinmitnick.com]
Report security holes only to open source authors (Score:2, Insightful)
The way things are in the U.S. today (and getting that way elsewhere as well), it looks to me like it's simply not worth revealing security holes to the corporations that have them. All they'll do is either sue you into oblivion or get you criminally prosecuted. They sure as hell won't thank you.
So I think it's time to let these corporations have what they want. Let them have their blissfully naive fantasy that they're invulnerable. They don't want to hear anything to the contrary, so why tell them? Let them and their customers suffer. It sucks that their customers will suffer, but if their customers suffer, then perhaps (unlikely, I know, but still) they will suffer too. And for having such a simultaneously naive and arrogant attitude, they deserve to suffer.
Instead, if the target in question is running open source software, inform the author(s) of said software about the security vulnerability. Include a fix if you can. They'll be far more grateful for your effort than any of these piece-of-shit corporations will.
The end result? Open source software gets fixed, because vulnerabilities get reported to those who can do something about it, and closed-source software remains vulnerable. That gives open source software even more of an advantage than it already has, thanks to the blind arrogance of the corporate idiots who would prefer to harm the messenger rather than fix their own problems.
Sounds like a win-win deal to me!
Banned from internet == banned from using phones (Score:3, Insightful)
A LOT of voice traffic is carried, at least in part, over the internet. The only way he can be banned from the internet is if he never, among other things, uses a phone (landline OR cellphone).
It also means being banned from certain fast food drive-through windows, where the person who says "can I take your order" is actually sitting in a center in another state.
It also means not using a bank ATM card.
Or digital cable TV.
Or the self-serve scanners at the local Wallyworld, since they're connected to a local server, which is in turn connected to the net at large.
Or any pre-paid gift card/cash card, since they're validated via the net.
Or a speedpass to pay for his gas. Same problem - accessing the net to validate.
So, if he gets a job writing spam, is he legal?
Re:Banned from internet == banned from using phone (Score:5, Insightful)
Re:The moral of this story... (Score:5, Insightful)
Re:Banned from internet == banned from using phone (Score:3, Insightful)
Re:Restitution? (Score:5, Insightful)
More to the point, things like this statement (from the original post) get under my skin:
Clearly, disclosing security vulnerabilities doesn't pay.
That's not what he did. If that were his true intent, he would have contacted MySpace about the vulnerability. Instead, he pasted his name all over the place (I thought he was nineteen -- that sounds more like the actions of a nine year old). To call this an altruistic attempt to help MySpace is akin to calling the guy who broke into Buckingham Palace in the 80's [wikipedia.org] a security consultant. He didn't really hurt anything and clearly disclosed some problems with palace security procedures, but that wasn't his reason for doing it.
You can't commit a crime and then claim you were simply displaying a flaw in the system. "But your honor, I was simply showing my friend here how lax he was about avoiding punches to the face!"
Precisely (Score:5, Insightful)
The same is true of a computer. Just because there's a security hole on a system doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.
In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative; however, if I catch you jiggling the door knobs, checking the windows, etc., I'm likely to interpret that as malicious, even if your intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However, don't sniff around looking for holes unless they've given you the OK.
This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.
Re:I still insist (Score:5, Insightful)
(b) Kamkar used this exploit in the real world, affecting one million accounts (and even he isn't being 'put away').
The writeup is misleading when it says:
The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability.
The author used the script to add over one million 'friends' to his profile; MySpace then addressed the issue. Obviously the source was released *before* it was patched (that's fundamental to how the exploit worked). All he did after the event was post a more detailed explanation of how he developed the exploit.
Note, he didn't circulate that to anyone beforehand or tell MySpace about what he had found - he just decided to go right ahead and exploit the vulnerability.
I don't believe for a minute MySpace - as much as I dislike the site and most of its users - would go after someone who, on discovering the issue, actually went to them first and told them about what they had found (or even if they'd just published notice of a theoretical vulnerability via something like a known and respected security mailing list).
Kamkar did none of those things; he just decided to go right ahead and exploit the hole and play at being a haxor. Given he was 19 and so clearly old enough to have known better, three months of community service and being forced to pay restitution to MySpace sounds about right to me.
One less guy like that on the Internet for a while is something I'd welcome too.
No Damage? (Score:3, Insightful)
Punishment more than suits the offense. If you don't want to be inconvenienced and have your time taken from you by the legal system, don't inconvenience other people and steal their time.
Simple formula.
Too Bad People Don't Understand Technology (Score:5, Insightful)
I mean, consider an appropriate physical analogy for what this kid did. It would be as if he walked into a bookstore that looked to be open, but it turned out that the staff had taken the day off and gone home and forgot to lock up, and then, instead of stealing anything, he rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now, obviously it would be a bad idea to do this, as it would be a bad idea to run this MySpace worm. However, the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates: having strong punishments for behavior that can be used maliciously, but showing mercy when it is used more innocently.
In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus, in their mind, far from a kid playing a trick on a company that left the door open, the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real-world equivalent of rearranging the books can be made to seem like the activities of some kind of online underground.
Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info, etc.), the prosecution just talks about how it was a DOS attack, and the jury isn't going to know any better. In fact it is all too easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never re-sorted the books). Finally, this lack of knowledge and the difficulty of valuing IP makes it super easy (as in the Mitnick case) to overestimate the seriousness of the harm. Even if it may have actually made more people visit MySpace (I looked).
Obviously it isn't a good idea to release a JavaScript worm like this, but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology, it would do just that.
Liability (Score:5, Insightful)
We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student: what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?
Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"
Re:Banned from internet == banned from using phone (Score:2, Insightful)
He wouldn't have been caught... (Score:2, Insightful)
and didn't put his name everywhere
Re:Idea (Score:4, Insightful)
Indeed. When you discover an exploit, you should sell it to the highest bidder. It keeps your hands clean, and it punishes the people who would otherwise punish you.
Re:Idea (Score:5, Insightful)
Sony only got fined $175 maximum per incident [slashdot.org], and they didn't get banned from the internet
Banned from the Internet!? (Score:1, Insightful)
Re:Idea (Score:3, Insightful)
Banned from internet--Cruel and unusual punishment (Score:2, Insightful)
I think being banned from the internet falls under "Cruel and unusual punishment".
Although currently, many products and services still have a "physical world" work around, e.g., snail mailing your bill, subscribing to a magazine, enrolling in college and college classes, interacting with a bank account, some services do not, e.g., Slashdot, e-mail.
In present times, one can live without the internet (yes, yes, I know, but it's true!), but one will be greatly inconvenienced at the very least. Perhaps though, sometime in the not so distant future (10-20 years), one will not be able to fully operate in society without internet access.
This doesn't really address who is responsible for determining if the convicted person is using an internet-enabled device, e.g., TiVo, Wii, PS3, cell phone, for the purposes of violating parole. They very well should have just banned him from using anything that uses electricity, takes batteries, etc. Just absurd.
At any rate, this case helps further a dangerous and unjust precedent, such as used against Mitnick and countless others.
Yes, he was being a nuisance. Yes, he should get community service. No, he should not be banned from the internet.
This is why... (Score:3, Insightful)
Besides, Myspace is evil anyway.
creating vulnerabilities does pay, however (Score:4, Insightful)
Unlike physical security, making a computer system secure against teenage hackers is not rocket science. This vulnerability was clearly a MySpace screwup, and they should be held responsible and pay the price for it. That principle may not be so important when it comes to MySpace (because there is little of value there), but it becomes of paramount importance when it's your bank or your hospital.
People who offer commercial services using software should be responsible for the safety and security properties of that software. And in order to prevent those companies from blame-shifting, the people breaking in should be held responsible only if they demonstrably attempted to commit a real-world crime other than simply breaking into the computer system.
I know Samy (Score:3, Insightful)
This is no different from the Morris worm. The sad fact is that he got prosecuted whereas the hundreds of botnet operators overseas and here in the US continue to wreak the real havoc on networks and infrastructure totally immune from prosecution.
Samy got caught because he put his name on what he did. It's sad that that is the only basis for prosecution of computer crimes in this country. The good guys at the FBI and USSS don't have enough clue helping them to bring in the real criminals.
-david
Re:Idea (Score:2, Insightful)
IMO this is flamebait. Misery applies to human suffering. System instability is bothersome and may require overtime hours. Save "misery and pain" for, say, Gitmo Torture Camp. This was a nuisance to a company, and the people at that company. Nothing more.
Oh flippin' please (Score:3, Insightful)
To give you a RL example, publishing a paper about the vulnerability of locks with master keys (yep, one actually exists) is OK. Using that knowledge to break into every office in the building and vandalize it, is _not_ ok. The former is disclosing a vulnerability, the latter is breaking and entering. There is no law against the former, but there _are_ laws against the latter in any country.
Or in a similar vein:
- writing about what the limits of Kevlar vests are, is ok, shooting a SWAT trooper is not ok
- notifying a bank about a blind spot with their camera layout is ok, using that to rob the bank is not ok
- notifying a company about a vulnerability in their proxy or mail server software is ok, using that to add your name to all their internal mailing lists is industrial espionage, among other charges that you'll face
Etc.
And it seems to me disingenuous (and retarded) bullshit at its finest to pretend that a case that was purely about the latter, is somehow punishing the former.
Here's a fun concept: The fact that you know a vulnerability doesn't automatically entitle you to use it at other people's expense, and that use does _not_ count as just disclosing a vulnerability. The idea that with great knowledge or power comes great responsibility to abuse it simply isn't recognized by any RL code of laws.
Here's another fun concept: RL security, which is where we got those laws and legal concepts from, is _not_ based on some nerdy wild-west notion that if something isn't 100% secure then it's fair game for anyone who can break in. RL security is based simply on the law. You may know how to break into something, but we'll throw your sorry ass in jail if you actually do.
There are a lot of people who know how to steal your car or house. Yes, it's not secure. A brick through the window works just nicely. And everyone on the street knows it. But if they actually break in, we're gonna throw them in jail. _That_ is the deterrent and security factor.
It's just not feasible and it makes no economic sense to demand that everyone builds their house as a bunker, with bulletproof windows and a vault-like steel door. And then someone comes around with a bazooka, so better stand guard with your shotgun 24 hours a day. 'Cause you know, if they do break in, it was just showing that you didn't have enough security. It just doesn't work that way, and doesn't scale. It's cheaper for society as a whole to have a few cops and judges.
And I fail to see anything wrong with extending that concept to computers too. No, hi-tech as IT may be, you _don't_ automatically have a right to cause damage if you can. You may think that society owes you some great power for your being so nerdy and smart, but it actually doesn't owe you jack squat. Certainly not a right to be above the law. It doesn't work that way in any other domain, so I fail to see why IT would automatically be different. We don't give a top surgeon (and that's a very smart guy too) a right to murder, so I fail to see why we'd give a computer nerd a right to break into other people's computers.
Re:But Samy is my hero (Score:2, Insightful)