MySpace Worm Creator Sentenced

Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."

Idea

[mfh]

Stop writing malicious scripts.

Restitution?

[jfenwick]

I'm curious what exactly paying restitution entails in this case, as there was no actual damage. The only thing I can imagine is paying the wages of the people who went into to remove him as a friend from all the people who were affected by the hack, and maybe the wages of the people who were analyzing what was going on.

How can anybody be banned from internet?

[andres32a]

I realize the sentence but... how can this be enforced? For how much time?

But Samy is my hero

[Anonymous Coward]

The kid wasn't malicious, it was a joke. If anyone should be punished it's myspace for having such a crap web application that allowed a worm to replicate so quickly.

From what I've heard of the quality of MySpace code and given it's popularity, the site is the nets #2 liability behind Windows zombies.

Missing the point

[cunamara]

Clearly, disclosing security vulnerabilities doesn't pay.

The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.

Re:Idea

[tomhudson]

"Stop writing malicious scripts."

1. Crack sites, get caught and punished
2. Get job as internet security consultant
3. PROFIT!

The whole "It takes a thief to catch a thief" thing. Hey, it worked for Kevin Mitnick ... [kevinmitnick.com]

Report security holes only to open source authors

[kcbrown]

The way things are in the U.S. today (and getting that way elsewhere as well), it looks to me like it's simply not worth revealing security holes to the corporations that have them. All they'll do is either sue you into oblivion or get you criminally prosecuted. They sure as hell won't thank you.

So I think it's time to let these corporations have what they want. Let them have their blissfully naive fantasy that they're invulnerable. They don't want to hear anything to the contrary, so why tell them? Let them and their customers suffer. It sucks that their customers will suffer, but if their customers suffer, then perhaps (unlikely, I know, but still) they will suffer too. And for having such a simultaneously naive and arrogant attitude, they deserve to suffer.

Instead, if the target in question is running open source software, inform the author(s) of said software about the security vulnerability. Include a fix if you can. They'll be far more grateful for your effort than any of these piece of shit corporations will.

The end result? Open source software gets fixed, because vulnerabilities get reported to those who can do something about it, and closed-source software remains vulnerable. That gives open source software even more of an advantage than it already has, thanks to the blind arrogance of the corporate idiots who would prefer to harm the messenger rather than fix their own problems.

Sounds like a win-win deal to me!

Banned from internet == banned from using phones

[tomhudson]

A LOT of voice traffic is carried, at least in part, over the internet. The only way he can be banned from the internet is if he never, among other things, uses a phone (landline OR cellphone).

It also means being banned from certain fast food drive-through windows, where the person who says "can I take your order" is actually sitting in a center in another state.

It also means not using a bank ATM card.

Or digital cable TV.

Or the self-serve scanners at the local Wallyworld, since they're connected to a local server, which is in turn connected to the net at large.

Or any pre-paid gift card/cash card, since they're validated via the net.

Or a speedpass to pay for his gas. Same problem - accessing the net to validate.

So, if he gets a job writing spam, is he legal?

Re:Banned from internet == banned from using phone

[Night Goat]

Thankfully our legal system has more common sense than you. He can use TV, ATMs, and phones. THEY use the Internet, he uses them.

Re:The moral of this story...

[Alioth]

Sigh. He released a frikin' worm, he didn't just pick up the phone and say "Your service is vulnerable to X". He actually exploited the vulnerability. It's like instead of telling someone that the lock doesn't work on their door, you instead go in, sleep in their beds, drink their beer and rearrange their furniture. Telling them the lock doesn't work? A nice neighbourly thing. Going in and rearranging their house without their consent? Criminal trespass.

Re:Banned from internet == banned from using phone

[Yvanhoe]

And this is something to be thankful for, because where would we go if people obeyed the letter of the law (or judgement) instead of their perceived spirit ?

Re:Restitution?

[eck011219]

You've answered your own question -- that's where the expense is.

More to the point, things like this statement (from the original post) get under my skin:

Clearly, disclosing security vulnerabilities doesn't pay.

That's not what he did. If that were his true intent, he would have contacted MySpace about the vulnerability. Instead, he pasted his name all over the place (I thought he was nineteen -- that sounds more like the actions of a nine year old). To call this an altruistic attempt to help MySpace is akin to calling the guy who broke into Buckingham Palace in the 80's [wikipedia.org] a security consultant. He didn't really hurt anything and clearly disclosed some problems with palace security procedures, but that wasn't his reason for doing it.

You can't commit a crime and then claim you were simply displaying a flaw in the system. "But your honor, I was simply showing my friend here how lax he was about avoiding punches to the face!"

Precisely

[Sycraft-fu]

This is something I just don't get, the mindset that so many people seem to have that when it comes to comptuers, if you can do it, that should make it legal and acceptable. No, that's not the case. Being able to do something doens't make it ok. I highly doubt there's more than a handful of peopel on Slashdot with houses so secure that I couldn't break in to them. Home security is usually pretty basic. However that doesn't make it ok for me to do, even if my intent is simply to prove that it can be done. It's your house, I'm welcome to stay the fuck out unless you give me permission.

Same is true of a computer. Just because there's a security hole on a system, doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.

In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative, however if I catch you jiggling the door knobs, checking the windows, etc I'm likely to interpret that has malicious, even if you intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However don't sniff around looking for holes unless they've given you the OK.

This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.

Re:I still insist

[@madeus]

Why don't they put in jail everyone who creates real viruses in the labs, but do put those away that create computer viruses (and do not even use them out of a controlled enviroment (lab))??

(a) I don't know of anyone who's ever been 'put away' for developing a computer virus in a lab.
(b) Kamkar used this exploit in the real world, effecting one million accounts (and even he isn't being 'put away').

The writeup is misleading when it says:

The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability.

The author used the script it to add over one million 'friends' to his profile, MySpace then addressed the issue. Obviously the source was released *before* it was patched (that's fundamental to how the exploit worked). All he did after the event was post a more detailed explanation of how he developed the exploit.

Note, he didn't circulate that that to anyone before hand or tell MySpace about what he had found - he just decided to go right ahead exploit the vulnerability.

I don't believe for a minute MySpace - as much as I dislike the site and most of it's users - would go after someone who, on discovering the issue, actually went to them first and told them about what they had found (or even if they'd just published notice of a theoretical vulnerability via something like a known and respected security mailing list).

Kamkar did none of those things, he just decided to go right ahead and exploit the hole and play at being a haxor. Given he was 19 and so clearly old enough to have known better, three months of community service and being forced to pay restitution to MySpace sounds about right to me.

One less guy like that on the Internet for a while is something I'd welcome too.

No Damage?

[thedbp]

I guess you don't value other people's time. Time spent cleaning up their profile. Bandwidth wasted on this stupid little look-at-me script.

Punishment more than suits the offense. If you don't want to be inconvenienced and have your time taken from you by the legal system, don't inconvenience other people and steal their time.

Simple formula.

Too Bad People Don't Understand Technology

[logicnazi]

The problem is that judges, juries and prosecutors aren't really comfortable and familiar with technology so they apply the law stupidly and literally. Kinda like the same way some earlier comment took 'no internet' to mean not using any device that happens to utilize the internet.

I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now obviously it would be a bad idea to do this as it would be a bad idea to run this myspace worm, however, because the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates, having strong punishments for behavior that can be used maliciously but showing mercy when used more innocently.

In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus in their mind far from a kid playing a trick on a company that left the door open the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real world equivalent of rearranging the books can be made to seem the activities of some kind of online underground.

Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info etc..) the prosecution just talks about how it was a DOS attack and the jury isn't going to know any better. In fact it is all to easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never resorted the books). Finally this lack of knowledge and the difficulty valuing IP makes it super easy (as in the mitnick case) to over estimate the seriousness of the harm. Even if it may have actually made more people visit myspace (I looked).

Obviously it isn't a good idea to release a javascript worm like this but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology it would do just that.

Liability

[bryan1945]

I'm taking a grad course in infosec, and our prof told us about a case where an engineering student found a vulnerability in his department's website. Wasn't even looking, just stumbled upon it. He reported it to his adviser, who told the department, and it got fixed. The next semester someone exploited the mathematics department's site, and the first person they questioned was the engineering student. Different department, different exploit, but they focused on him first since he reported a vulnerability. They eventually found the real person responsible.

We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student- what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?

Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"

Re:Banned from internet == banned from using phone

[Loie]

by this logic, doesn't my computer use the internet, and I just tell it what to do? (i do get the point though, just being contentious)

He wouldn't have been caught...

[hellraison]

If he had only knew about proxy servers :(...
and didn't put his name everywhere

Re:Idea

[0xdeadbeef]

Stop writing malicious scripts.

Indeed. When you discover an exploit, you should sell it to the highest bidder. It keeps your hands clean, and it punishes the people who would otherwise punish you.

Re:Idea

[legirons]

"Stop writing malicious scripts."

Sony only got fined $175 maximum per incident [slashdot.org], and they didn't get banned from the internet

Banned from the Internet!?

[Anonymous Coward]

LOL He sucks at life.

Re:Idea

[MyLongNickName]

Yeah. And banks should thank Bonnie and Clyde for making their banks more secure.

Banned from internet--Cruel and unusual punishment

[3t3rn4l]

Though other posters have alluded to this, I'm going to come right out and state:

I think being banned from the internet falls under "Cruel and unusual punishment".

Although currently, many products and services still have a "physical world" work around, e.g., snail mailing your bill, subscribing to a magazine, enrolling in college and college classes, interacting with a bank account, some services do not, e.g., Slashdot, e-mail.

In present times, one can live without the internet (yes, yes, I know, but it's true!), but one will be greatly inconvenienced at the very least. Perhaps though, sometime in the not so distant future (10-20 years), one will not be able to fully operate in society without internet access.

This doesn't really address who is responsible for determining if the convicted person is using an internet enabled device, e.g., Tivo, Wii, PS3, cell phone, for terms of violating parole. They very well should have just banned him from using anything that uses electricity, takes batteries, etc.; Just absurd.

At any rate, this case helps further a dangerous and unjust precedent, such as used against Mitnick and countless others.

Yes, he was being an nuisance. Yes, he should get community service. No, he should not be banned from the internet.

This is why...

[dacarr]

This is why, in the real world, if you're going to do "sneaker attacks", you make absolutely positively sure you have a contract. It gives them an understanding as to what can happen, and more importantly, it covers your ass if you find something that blows up the system.

Besides, Myspace is evil anyway.

creating vulnerabilities does pay, however

[oohshiny]

It seems, however, that creating security vulnerabilities does pay. Why, companies like MySpace and Microsoft can always shift the blame on some teenager or "computer error" or a careless employee.

Unlike physical security, making a computer system secure against teenage hackers is not rocket science. This vulnerability was clearly a MySpace screwup, and they should be held responsible and pay the price for it. That principle may not be so important when it comes to MySpace (because there is little of value there), but it becomes of paramount importance when it's your bank or your hospital.

People who offer commercial services using software should be responsible for the safety and security properties of that software. And in order to prevent those companies from blame-shifting, the people breaking in should be held responsible only if they demonstrably attempted to commit a real-world crime other than simply breaking into the computer system.

I know Samy

[davidu]

I know Samy personally and he is one of the smartest and most level-headed individuals I know. This is the case where a joke went a bit awry but it could have happened to any of us. He specifically made sure he wasn't malicious in what he did but the side effect over overwhelming MySpace's server was unintended.

This is no different from the Morris worm. The sad fact is that he got prosecuted whereas the hundreds of botnet operators overseas and here in the US continue to wreak the real havoc on networks and infrastructure totally immune from prosecution.

Samy got caught because he put his name on what he did. It's sad that that is the only basis for prosecution of computer crimes in this country. The good guys at the FBI and USSS don't have enough clue helping them to bring in the real criminals.

-david

Re:Idea

[Web Goddess]

From the point of view of the folks who ran myspace, what he did caused untold misery and pain for many people and i think he deserved a heavy punishment.

IMO this is flamebait. Misery applies to human suffering. System instability is bothersome and may require overtime hours. Save "misery and pain" for, say, Gitmo Torture Camp. This was a nuisance to a company, and the people at that company. Nothing more.

Oh flippin' please

[Moraelin]

There is a fundamental rule of human nature at play here, and it needs to be acknowledged: no one, not even those hiding behind the veil of a corporation, enjoys being embarrassed in public. Exposing a website's flaws may ultimately make it a better website. Just don't expect them to thank you for it.

Oh flippin' please... There's a difference between disclosing a vulnerability properly and actually exploiting it to your own ends.

To give you a RL example, publishing a paper about the vulnerability of locks with master keys (yep, one actually exists) is OK. Using that knowledge to break into every office in the building and vandalize it, is _not_ ok. The former is disclosing a vulnerability, the latter is breaking and entering. There is no law against the former, but there _are_ laws against the latter in any country.

Or in a similar vein:

- writing about what the limits of Kevlar vests are, is ok, shooting a SWAT trooper is not ok

- notifying a bank about a blind spot with their camera layout is ok, using that to rob the bank is not ok

- notifying a company about a vulnerability in their proxy or mail server software is ok, using that to add your name to all their internal mailing lists is industrial espionage, among other charges that you'll face

Etc.

And it seems to me disingenuous (and retarded) bullshit at its finest to pretend that a case that was purely about the latter, is somehow punishing the former.

Here's a fun concept: The fact that you know a vulnerability doesn't automatically entitle it to use it at other people's expense, and that use does _not_ count as just disclosing a vulnerability. The idea that with great knowledge or power comes great responsibility to abuse it, simply isn't recognizd by any RL code of laws.

Here's another fun concept: RL security, which is where we got those laws and legal concepts from, is _not_ based on some nerdy wild-west notion that if something isn't 100% secure then it's fair game for anyone who can break in. RL security is based simply on the law. You may know how to break into something, but we'll throw your sorry ass in jail if you actually do.

There are a lot of people who know how to steal your car or house. Yes, it's not secure. A brick through the window works just nicely. And everyone on the street knows it. But if they actually break in, we're gonna throw them in jail. _That_ is the deterrent and security factor.

It's just not feasible and it makes no economic sense to demand that everyone builds their house as a bunker, with bulletproof windows and a vault-like steel door. And then someone comes around with a bazooka, so better stand guard with your shotgun 24 hours a day. 'Cause you know, if they do break in, it was just showing that you didn't have enough security. It just doesn't work that way, and doesn't scale. It's cheaper for society as a whole to have a few cops and judges.

And I fail to see anything wrong with extending that concept to computers too. No, hi-tech as IT may be, you _don't_ automatically have a right to cause damage if you can. You may think that society owes you some great power for your being so nerdy and smart, but it actually doesn't owe you jack squat. Certainly not a right to be above the law. It doesn't work that way in any other domain, so I fail to see why IT would automatically be different. We don't give a top surgeon (and that's a very smart guy too) a right to murder, so I fail to see why we'd give a computer nerd a right to break into other people's computers.

Re:But Samy is my hero

[Grashnak]

I'm not malicious, it was a joke. If anyone should be punished it's you for leaving yourself so open to being kicked in the balls repeatedly.