Security Government The Courts News

MySpace Worm Creator Sentenced 387

Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."

  • Summary biased? (Score:5, Interesting)

    by anakin876 ( 612770 ) <anakin876@ho[ ]il.com ['tma' in gap]> on Sunday February 04, 2007 @11:54AM (#17881276)
    Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.
  • Re:Restitution? (Score:5, Interesting)

    by BasharTeg ( 71923 ) on Sunday February 04, 2007 @12:15PM (#17881384) Homepage
    Being part of a group of Samy's RL friends, we're not sure what his restitution is, but he is very likely not allowed to disclose it. We're just glad he's staying out of prison. Everything else is a secondary concern.
  • by Stormx2 ( 1003260 ) on Sunday February 04, 2007 @01:00PM (#17881638)
    A COMPUTER uses the internet, he uses the computer

    Nice use of black and white. Clearly he can't use a library's website to check if a book is in stock, but if he went to the library and took out a book, and they asked him for his name, address, phone number, and the data is sent to their online server, is he using it then? If the librarian suddenly got a bout of Carpal tunnel syndrome and asked him to type in the details would he be allowed to do that?

    Does he simply have to ask someone else to enter things in order not to "use" the internet?

    If he shares his computer with his roommate, and the computer updates the definitions of the firewall he installed, who's using the internet? If it asks for confirmation? If he presses the "update definitions now" button?
  • Re:Restitution? (Score:3, Interesting)

    by Zen ( 8377 ) on Sunday February 04, 2007 @01:11PM (#17881730)
    I couldn't agree more. The 'slant' on this story is completely ludicrous. He never intended to disclose a security vulnerability. The completely ethical crackers that disclose their work send the information to the company who owns the product and tell them that if it is not patched in a reasonable amount of time that they will release the information. The quasi-ethical crackers that disclose their work send it to the mailing lists as a 0-day often with working exploit code as a proof of concept. This guy did neither. He discovered a flaw, and used that flaw to his advantage. Yes, it was pretty funny, and it didn't actually harm anything specifically. But it did take up system resources, and it did take many hours to clean up the 'damage'. Nothing he did at that point was altruistic in nature, as the poster would like us to believe. You are not free to do anything you want on the internet. You are, for the most part, free to do anything you want to your own server running your own software on the internet. This guy did neither (he doesn't own the servers, nor the software).
  • by Schraegstrichpunkt ( 931443 ) on Sunday February 04, 2007 @02:07PM (#17882042) Homepage

    and is also banned from the Internet.

    Actually, he probably can't get a job as a programmer anywhere. What good is a programmer who can't search Google?

    I'm very disappointed with courts' willingness to ban people from computers and/or the Internet. I think they fail to understand the full impact that has in this part of the 21st century.

  • by TheLink ( 130905 ) on Sunday February 04, 2007 @02:21PM (#17882106) Journal
    One rule for Sony and one rule for Samy...

    Sony screwed up lots of computers too. But all they had to do was pay some fine that's just a small percent of Sony's profit.

  • by Teun ( 17872 ) on Sunday February 04, 2007 @02:46PM (#17882256)
    A nice example of how to deal with friendly hacker/crackers in an adult way is in the Terms and Conditions of Dutch ISP xs4all:
    http://www.xs4all.nl/uk/overxs4all/voorwaarden/index.php?taal=en [xs4all.nl]

    4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.

    The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.


    Would more companies have a similar and well-published policy, guys like Samy might not have to go through all this legal grief.
    And the companies would gain a lot of security.
  • Re:Idea (Score:4, Interesting)

    by daviddennis ( 10926 ) <david@amazing.com> on Sunday February 04, 2007 @02:47PM (#17882272) Homepage
    I can tell you that before I saw his account of the situation [namb.la], I wanted to let anyone do anything they wanted on my fledgling social networking site [amazing.com]. I agree, this account is required reading for anyone wanting to create a community site.

    What he did and how much time and effort he was willing to put into it shocked the heck out of me and caused me to put very strong anti-JavaScript code into my site. I didn't want to do it because I wish we could have given people the freedom to be creative in that arena. But after I saw what he did I felt I had no choice.

    That being said, the reality is that he did an enormous amount of damage. He says things were back to normal at myspace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.

    From the point of view of the folks who ran myspace, what he did caused untold misery and pain for many people and I think he deserved a heavy punishment.

    Not that I really think he will avoid using the Internet for social purposes no matter what the courts say. And I really don't think probation or community service seems like that heavy a punishment for someone who deliberately disrupted a service, however disliked in some quarters, that many people rely on.

    Samy and people like him make it a difficult, miserable and thankless task to create services that hopefully will do nice things for people. They make people like me waste our time trying to figure out how to restrict things, when we'd much rather produce fun features people will use and enjoy. Samy's account made me laugh, but it also made me furious that human nature is so pointlessly destructive.

    I hope the sentence deters people from doing similar things.

    I wonder how much he had to pay Myspace. Does anyone know?

    D
  • by Anonymous Coward on Sunday February 04, 2007 @02:53PM (#17882324)
    My brother got busted and put on probation. It really depends on where and when and what you were doing to get yourself arrested.

    He had monthly meetings with the probation officer, each time he had to pay the officer some $60 or so for the officer's time. Meetings were specifically scheduled during school hours by an asshat judge (because the only thing better for a society than a delinquent is a delinquent who fails out of school). He was not allowed out of the county. If he had been arrested for any reason his probation would have put him in jail, even if it turned out he was innocent or was just picked up by an asshole officer (something Houston appears to have several of, given the number of people arrested for "resisting arrest" but nothing else... what arrest were they supposedly resisting?). Getting so much as a speeding ticket would have had his license revoked (he gave the red sportscar he had been driving to our mother, who was pulled over twice by the same cop who apologized to her because her car "looked fast" [read: he thought it was driven by some little boy he could push around]).

    Even with all of this, I think my brother would agree that it was superior to spending time in jail.
  • Re:Restitution? (Score:3, Interesting)

    by eck011219 ( 851729 ) on Sunday February 04, 2007 @03:09PM (#17882412)
    IANAL, but I seem to recall this very thing coming up somehow in the past. I think it may have been people leaving lawn chairs in their shoveled-out parking spaces -- a common (though dumb and also illegal) practice here in Chicago in the winter to "reserve" that spot for when you get home from work. They left the chairs out, the chairs were taken, and whoever took the chairs was convicted of theft. Even though the chairs were clearly not secured in any way and were, in effect, abandoned in a public street. (I think the people who left the chairs got tickets for something too, probably for placing an obstruction in the road.)

    Poor judgment (for example, leaving money in the driveway) on the part of the owner of something does not make it okay to take the property. While I generally don't have much use for people who fall back on Webster's Dictionary to make a point, here is what m-w.com says about "theft":

    1 a : the act of stealing; specifically : the felonious taking and removing of personal property with intent to deprive the rightful owner of it b : an unlawful taking (as by embezzlement or burglary) of property

    So the concept of theft, at least semantically, has little or nothing to do with whether the owner made a sufficient effort to secure his or her property. (I only throw in "little" because I suppose you could say that burglary involves entry to a building, thus implying some effort to contain one's own stuff.)

    But your point about criminal trespass on a computer is a good one -- the difference between chairs on a street and bits of data may prove to be legally different somehow. Or in this case, the difference between writing your name all over a wall like a butthead may be different than digitally tagging a million pages. Is it vandalism if the wall you're writing on doesn't really exist? I would hope (from a logical standpoint) that there would be no difference between virtual property and physical property as far as criminal or negligent behavior is concerned, but the way the law sees digital stuff never ceases to surprise me.

  • Re:Restitution? (Score:3, Interesting)

    by arth1 ( 260657 ) on Sunday February 04, 2007 @03:35PM (#17882622) Homepage Journal

    The restitution was probably the cost of patching the vulnerability.
    That doesn't seem fair. They would have had to patch the vulnerability anyhow once they discovered it themselves, wouldn't they?
    The cost of the whole episode less the cost of patching the vulnerability seems more fair.
  • by Garse Janacek ( 554329 ) on Sunday February 04, 2007 @03:40PM (#17882648)

    Ah, the plague of "If we can make it into a bad analogy, then obviously it's okay."

    Other people have pointed out that the physical behavior you described actually would be illegal and could have noticeable consequences. But I want to pick on the analogy itself: this was not a case of "it looked like the store was open, the door was unlocked, so I went in and messed around with things." The store did not look open. He did not enter through the front door. It was very clear that he was exploiting something that was not ever intended to happen -- at best, the analogy would be entering through an unlocked (or insufficiently locked) window when the store was clearly closed.

    He may not have been doing this maliciously, but that does not mean he was somehow under the mistaken impression that myspace thought this was acceptable, or this hack was intended to be used.

    Understanding technology has nothing to do with it -- a lot of computer people have this bizarre conflation of what can be done with what is acceptable to actually do. There are computers all over just waiting to be exploited, but if I release a worm that sets a picture of myself as the desktop background of 99% of Internet-connected Windows boxen, it doesn't matter that, in my own opinion, I didn't "hurt anybody," or that I was just "demonstrating a flaw to Microsoft" or whatever. Intent should be taken into account in sentencing (and I think in this case it was, or there probably would have been jail time), but that doesn't mean that wide scale vandalism should receive a mere slap on the wrist, just because computers are involved.

  • Re:Restitution? (Score:3, Interesting)

    by wile_e_wonka ( 934864 ) on Sunday February 04, 2007 @04:04PM (#17882820)
    I totally agree with you. I just don't think that's the way it went--Courts are presided over by Judges, who are very old white guys that don't really understand this stuff. (I'm a law clerk for two judges; watching these guys try to check their email makes my day every time I see it) "The internet is not a truck...The internet is a series of tubes" speech makes sense to them.
  • Re:Idea (Score:2, Interesting)

    by stevey ( 64018 ) on Sunday February 04, 2007 @06:20PM (#17883596) Homepage

    He says things were back to normal at myspace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.

    To be fair the site is frequently unstable, so I think that suggesting that the stability issues were solely relating to this attack is a little harsh.

    I too create sites where people can control content, and do interesting things. Personally I would be angry at being subjected to an attack like this - but after it had been cleaned up and I was calm again I would be genuinely grateful.

    Responsible disclosure would be best, since it would avoid the "angry phase", but I can understand why people don't go in for it.

  • Re:Idea (Score:3, Interesting)

    by daviddennis ( 10926 ) <david@amazing.com> on Sunday February 04, 2007 @10:28PM (#17885274) Homepage
    A little context might be useful.

    I grew up when the Incompatible Timesharing System was running at MIT and anyone could log on to it by just making up an account. There were no passwords or restrictions. Ordinary users could spy on other people's terminals, and all files were public. Anyone could delete anyone else's files.

    But they didn't, because there was an atmosphere of mutual respect that is tragically gone from computing today.

    In the late 1970s, about when I left that environment, the administration forced passwords on everyone. It was an ugly scene. RMS [Richard M Stallman, yes, the GNU guy] hated passwords and account control so much that he made his an empty string. And nobody cared about security holes. I pointed one out on a mailing list - you could send an email outside of the login process and escape into emacs and then do anything you want. I was gently flambeed for pointing it out. You don't want those evil administrators to win, do you?

    Ever since then I have had an inherent bias against security and protection. Because there are now millions of bad guys out there who want to damage what people spend months putting together, I have had to change my tune and put together tight security.

    After coming of age in an environment where you could get away with having no security at all, it's deeply depressing for me to face the modern world.

    Face it I do.

    But that doesn't mean I like it.

    I hope that helps your understanding and makes my attitude seem a bit more understandable.

    What a mean, ugly world computing has turned out to be today.

    D
