MySpace Worm Creator Sentenced
Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."
Summary biased? (Score:5, Interesting)
Re:Restitution? (Score:5, Interesting)
Re:Banned from internet == banned from using phone (Score:2, Interesting)
Nice use of black and white. Clearly he can't use a library's website to check if a book is in stock, but if he went to the library and took out a book, and they asked him for his name, address, phone number, and the data is sent to their online server, is he using it then? If the librarian suddenly got a bout of carpal tunnel syndrome and asked him to type in the details would he be allowed to do that?
Does he simply have to ask someone else to enter things in order not to "use" the internet?
If he shares his computer with his roommate, and the computer updates the definitions of the firewall he installed, who's using the internet? If it asks for confirmation? If he presses the "update definitions now" button?
Re:Restitution? (Score:3, Interesting)
Banned from the Internet? (Score:3, Interesting)
Actually, he probably can't get a job as a programmer anywhere. What good is a programmer who can't search Google?
I'm very disappointed with courts' willingness to ban people from computers and/or the Internet. I think they fail to understand the full impact that has in this part of the 21st century.
One rule for Sony and one rule for Samy (Score:3, Interesting)
Sony screwed up lots of computers too. But all they had to do was pay some fine that's just a small percent of Sony's profit.
Re:disclosing arrogance doesn't pay (Score:5, Interesting)
http://www.xs4all.nl/uk/overxs4all/voorwaarden/in
4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.
The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.
Would more companies have a similar and well-published policy, guys like Samy might not have to go through all this legal grief.
And the companies would gain a lot of security.
Re:Idea (Score:4, Interesting)
What he did and how much time and effort he was willing to put into it shocked the heck out of me and caused me to put very strong anti-JavaScript code into my site. I didn't want to do it because I wish we could have given people the freedom to be creative in that arena. But after I saw what he did I felt I had no choice.
That being said, the reality is that he did an enormous amount of damage. He says things were back to normal at myspace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.
From the point of view of the folks who ran myspace, what he did caused untold misery and pain for many people and I think he deserved a heavy punishment.
Not that I really think he will avoid using the Internet for social purposes no matter what the courts say. And I really don't think probation or community service seems like that heavy a punishment for someone who deliberately disrupted a service, however disliked in some quarters, that many people rely on.
Samy and people like him make it a difficult, miserable and thankless task to create services that hopefully will do nice things for people. They make people like me waste our time trying to figure out how to restrict things, when we'd much rather produce fun features people will use and enjoy. Samy's account made me laugh, but it also made me furious that human nature is so pointlessly destructive.
I hope the sentence deters people from doing similar things.
I wonder how much he had to pay Myspace. Does anyone know?
D
Re:Banned from internet == banned from using phone (Score:1, Interesting)
He had monthly meetings with the probation officer, each time he had to pay the officer some $60 or so for the officer's time. Meetings were specifically scheduled during school hours by an asshat judge (because the only thing better for a society than a delinquent is a delinquent who fails out of school). He was not allowed out of the county. If he had been arrested for any reason his probation would have put him in jail, even if it turned out he was innocent or was just picked up by an asshole officer (something Houston appears to have several of, given the number of people arrested for "resisting arrest" but nothing else... what arrest were they supposedly resisting?). Getting so much as a speeding ticket would have had his license revoked (he gave the red sportscar he had been driving to our mother, who was pulled over twice by the same cop who apologized to her because her car "looked fast" [read: he thought it was driven by some little boy he could push around]).
Even with all of this, I think my brother would agree that it was superior to spending time in jail.
Re:Restitution? (Score:3, Interesting)
Poor judgment (for example, leaving money in the driveway) on the part of the owner of something does not make it okay to take the property. While I generally don't have much use for people who fall back on Webster's Dictionary to make a point, here is what m-w.com says about "theft":
1 a : the act of stealing; specifically : the felonious taking and removing of personal property with intent to deprive the rightful owner of it b : an unlawful taking (as by embezzlement or burglary) of property
So the concept of theft, at least semantically, has little or nothing to do with whether the owner made a sufficient effort to secure his or her property. (I only throw in "little" because I suppose you could say that burglary involves entry to a building, thus implying some effort to contain one's own stuff.)
But your point about criminal trespass on a computer is a good one -- the difference between chairs on a street and bits of data may prove to be legally different somehow. Or in this case, the difference between writing your name all over a wall like a butthead may be different than digitally tagging a million pages. Is it vandalism if the wall you're writing on doesn't really exist? I would hope (from a logical standpoint) that there would be no difference between virtual property and physical property as far as criminal or negligent behavior is concerned, but the way the law sees digital stuff never ceases to surprise me.
Re:Restitution? (Score:3, Interesting)
The cost of the whole episode less the cost of patching the vulnerability seems more fair.
Re:Too Bad People Don't Understand Technology (Score:3, Interesting)
Ah, the plague of "If we can make it into a bad analogy, then obviously it's okay."
Other people have pointed out that the physical behavior you described actually would be illegal and could have noticeable consequences. But I want to pick on the analogy itself: this was not a case of "it looked like the store was open, the door was unlocked, so I went in and messed around with things." The store did not look open. He did not enter through the front door. It was very clear that he was exploiting something that was not ever intended to happen -- at best, the analogy would be entering through an unlocked (or insufficiently locked) window when the store was clearly closed.
He may not have been doing this maliciously, but that does not mean he was somehow under the mistaken impression that myspace thought this was acceptable, or this hack was intended to be used.
Understanding technology has nothing to do with it -- a lot of computer people have this bizarre conflation of what can be done with what is acceptable to actually do. There are computers all over just waiting to be exploited, but if I release a worm that sets a picture of myself as the desktop background of 99% of Internet-connected Windows boxen, it doesn't matter that, in my own opinion, I didn't "hurt anybody," or that I was just "demonstrating a flaw to Microsoft" or whatever. Intent should be taken into account in sentencing (and I think in this case it was, or there probably would have been jail time), but that doesn't mean that wide scale vandalism should receive a mere slap on the wrist, just because computers are involved.
Re:Restitution? (Score:3, Interesting)
Re:Idea (Score:2, Interesting)
To be fair the site is frequently unstable, so I think that suggesting that the stability issues were solely relating to this attack is a little harsh.
I too create sites where people can control content, and do interesting things. Personally I would be angry at being subjected to an attack like this - but after it had been cleaned up and I was calm again I would be genuinely grateful.
Responsible disclosure would be best, since it would avoid the "angry phase", but I can understand why people don't go in for it.
Re:Idea (Score:3, Interesting)
I grew up when the Incompatible Timesharing System was running at MIT and anyone could log on to it by just making up an account. There were no passwords or restrictions. Ordinary users could spy on other people's terminals, and all files were public. Anyone could delete anyone else's files.
But they didn't, because there was an atmosphere of mutual respect that is tragically gone from computing today.
In the late 1970s, about when I left that environment, the administration forced passwords on everyone. It was an ugly scene. RMS [Richard M Stallman, yes, the GNU guy] hated passwords and account control so much that he made his an empty string. And nobody cared about security holes. I pointed one out on a mailing list - you could send an email outside of the login process and escape into emacs and then do anything you want. I was gently flambeed for pointing it out. You don't want those evil administrators to win, do you?
Ever since then I have had an inherent bias against security and protection. Because there are now millions of bad guys out there who want to damage what people spend months putting together, I have had to change my tune and put together tight security.
After coming of age in an environment where you could get away with having no security at all, it's deeply depressing for me to face the modern world.
Face it I do.
But that doesn't mean I like it.
I hope that helps your understanding and makes my attitude seem a bit more understandable.
What a mean, ugly world computing has turned out to be today.
D