
MySpace Worm Creator Sentenced

CmdrTaco posted more than 7 years ago | from the wear-the-hat-and-sit-in-the-corner dept.

Security 387

Aidan Steele writes "Remember Samy? The creator of the infamous worm was unfortunate enough to be the target in MySpace's latest litigation. As was said in the earlier story, the script was "written for fun" and caused no damage. The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability. Apparently this was enough to get the 20 year old (19 at the time of writing the worm) three years of probation, three months of community service, pay restitution to MySpace and is also banned from the Internet. Clearly, disclosing security vulnerabilities doesn't pay."


Idea (4, Insightful)

mfh (56) | more than 7 years ago | (#17881120)

Stop writing malicious scripts.

Re:Idea (3, Funny)

LiquidCoooled (634315) | more than 7 years ago | (#17881134)

but Samy is my hero!

Re:Idea (4, Funny)

rblancarte (213492) | more than 7 years ago | (#17881466)

Only because he wrote a script to make him your hero.

RonB

Re:Idea (1)

creimer (824291) | more than 7 years ago | (#17881756)

Samy should've written a virus to have script kiddies worship him as a god. Some hero.

Re:Idea (4, Insightful)

tomhudson (43916) | more than 7 years ago | (#17881236)

"Stop writing malicious scripts."

  1. Crack sites, get caught and punished
  2. Get job as internet security consultant
  3. PROFIT!

The whole "It takes a thief to catch a thief" thing. Hey, it worked for Kevin Mitnick ... [kevinmitnick.com]

Re:Idea (1)

Yvanhoe (564877) | more than 7 years ago | (#17881378)

Man, this is soooooo 20th century !

Re:Idea (1)

Idbar (1034346) | more than 7 years ago | (#17881622)

I don't think it's completely a person's problem. After all, media and advertisement have worked REALLY hard on making people believe they have to be popular. So, the guy should get back, saying that he was deeply affected for not having friends and being rejected from the cyber-society.

On the other hand, have you ever written code that does something you didn't expect because you made a simple mistake? Well, I guess the guy wasn't expecting this result either.

Anyway, it was fun. Good thing I don't use myspace anyways.

A much better (and safer) idea (5, Funny)

Anonymous Coward | more than 7 years ago | (#17881774)

Stop writing scripts. Someone could deem them "malicious" and you're history. Just don't write any. To be on the safe side, do not engage in witchcraft practicing like IT, OSes etc. Leave dangerous experiments to professionals. It already takes a lot of time for them to manage their trade on bigger projects, so it's not for you anyway, you miserable kiddie.

Which brings us to an analogous point: stop playing scientist, too. The government has extensive facilities to determine current trends in climate behaviour change. Alarmist declarations which negatively impact sales by some of our respected oil industries will be considered criminal activity, for they deprive such noble corporations of their hard earned profits.

Unfortunately, people won't get this, therefore I'm forced to explain the joke: it's sarcasm.

Restitution? (3, Insightful)

jfenwick (961674) | more than 7 years ago | (#17881138)

I'm curious what exactly paying restitution entails in this case, as there was no actual damage. The only thing I can imagine is paying the wages of the people who went in to remove him as a friend from all the people who were affected by the hack, and maybe the wages of the people who were analyzing what was going on.

Re:Restitution? (4, Interesting)

BasharTeg (71923) | more than 7 years ago | (#17881384)

Being part of a group of Samy's RL friends, we're not sure what his restitution is, but he is very likely not allowed to disclose it. We're just glad he's staying out of prison. Everything else is a secondary concern.

Re:Restitution? (3, Informative)

Zen (8377) | more than 7 years ago | (#17881798)

On one hand I feel really sorry for the guy. He didn't exactly get the whole book thrown at him, but being that young and knowing that something bad is going to happen to you for months and not being able to do anything except wait and see what the Judge says has got to be pure torture. On the other hand, using a flaw in somebody else's code to do something that benefits you (however hilarious and non physically damaging it is) is just ludicrous. If he stopped to think about it for just one minute he would have realized that he could never get away with it. A company that big would never sit back and let it slide when they got their butts handed to them by one guy working alone. That said, I hope he can appeal the Internet usage ban after his community service and restitution payback is finished. That's just inhumane punishment for a computer nerd like most of the people reading /. If he has no other recorded history of doing anything similar that the police can dig up, he should hopefully have a good chance at an appeal. One strike and you're out when the damage was not physical, trade secrets, or military secrets does not seem fair.

Best of luck to him!

Re:Restitution? (1)

WebProNews (1059812) | more than 7 years ago | (#17881878)

One strike and you're out when the damage was not physical, trade secrets, or military secrets does not seem fair.

While the law is rarely "fair" I do agree with you 100%. There was no real damage done, unlike what may have happened had this exploit been uncovered by someone with more malicious intent. Also, in this day and age, how can you really keep someone from using a "computer". Does that also mean no cellphone, ipod, atm, cash register etc....?

Re:Restitution? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17881862)

Dude you make 200K/year? Dang.

Re:Restitution? (1)

SnowZero (92219) | more than 7 years ago | (#17881390)

He has to tell one million people "I am not your hero."

Re:Restitution? (1)

jfengel (409917) | more than 7 years ago | (#17881604)

Can he do it by leaving kudos on their myspace page?

Re:Restitution? (5, Funny)

sxtxixtxcxh (757736) | more than 7 years ago | (#17881890)

that'd take forever! maybe he could whip up some sort of script...

Re:Restitution? (5, Insightful)

eck011219 (851729) | more than 7 years ago | (#17881422)

You've answered your own question -- that's where the expense is.

More to the point, things like this statement (from the original post) get under my skin:

Clearly, disclosing security vulnerabilities doesn't pay.

That's not what he did. If that were his true intent, he would have contacted MySpace about the vulnerability. Instead, he pasted his name all over the place (I thought he was nineteen -- that sounds more like the actions of a nine year old). To call this an altruistic attempt to help MySpace is akin to calling the guy who broke into Buckingham Palace in the 80's [wikipedia.org] a security consultant. He didn't really hurt anything and clearly disclosed some problems with palace security procedures, but that wasn't his reason for doing it.

You can't commit a crime and then claim you were simply displaying a flaw in the system. "But your honor, I was simply showing my friend here how lax he was about avoiding punches to the face!"

Re:Restitution? (3, Interesting)

Zen (8377) | more than 7 years ago | (#17881730)

I couldn't agree more. The 'slant' on this story is completely ludicrous. He never intended to disclose a security vulnerability. The completely ethical crackers that disclose their work send the information to the company who owns the product and tell them that if it is not patched in a reasonable amount of time that they will release the information. The quasi-ethical crackers that disclose their work send it to the mailing lists as a 0-day often with working exploit code as a proof of concept. This guy did neither. He discovered a flaw, and used that flaw to his advantage. Yes, it was pretty funny, and it didn't actually harm anything specifically. But it did take up system resources, and it did take many hours to clean up the 'damage'. Nothing he did at that point was altruistic in nature, as the poster would like us to believe. You are not free to do anything you want on the internet. You are, for the most part, free to do anything you want to your own server running your own software on the internet. This guy did neither (he doesn't own the servers, nor the software).

Re:Restitution? (2, Informative)

Antique Geekmeister (740220) | more than 7 years ago | (#17881870)

Why not? It worked for Robert Morris, who is now a computer science professor at MIT after writing the most destructive worm in UNIX history. Of course, Robert's father was head of the NSA, which helps you get a "stay out of jail free" card when you go to court. Look for details at http://en.wikipedia.org/wiki/Robert_Tappan_Morris [wikipedia.org] .

Re:Restitution?...nawww....REVENGE!! (0)

Anonymous Coward | more than 7 years ago | (#17881634)

Somebody found a shallow pocket upon which to levy an impossible fine. Somebody else said that there was no damage actually done, and that all he really did was point out a problem to the folks that could painlessly correct that problem. Namely the folks that ran the problem entity. Maybe an older wiser hacker in the future...maybe many of them will take a lesson from this and give these solutions not to the so called white hat snakes, as they will show no appreciation and only bite the hands that attempt to help them. Rather they will seek out their friendly local black hats and real malware writers and give it to them....or sell it to them...surreptitiously in bars and internet cafes all over the world. This also sends a signal to the world hacker community that our IT structure has a fatal flaw, and that is it is willing to eat its good children while rewarding its bad children. In other societies this is not done. That it is done in ours due to our own stupid laws will mean that the enemies of the United States will win every battle and in the end drive the American self flagellators from internet space. This disease is in Europe as well. As can be seen in the last fifty years, the classical 'west', Europe and America, is on its way down. Societies on their way down tend to have self defeating policies that typically benefit a tiny minority of its citizens, reflecting basic and unnatural distributions of wealth and benefits in those unstable societies. Think of a pyramid like those of Egypt. They have stood for twelve thousand years. The Egyptians built them with a little help, but Khufu and Khafri and his like at his time only painted the walls. The point is they are stable. Now turn them upside down and see how long they stand. Such is western economics now. We have become a society that rewards crime....look at our Vice President and his oil company; and it punishes those who would enforce the law...look at the two federal officers in prison for hindering the international cocaine trade by shooting a 'valuable' dope smuggler in the butt. Even Hitler wrote that: ..."where treason prospers, the fall of the state will be swift and sure!".

How can anybody be banned from internet? (3, Insightful)

andres32a (448314) | more than 7 years ago | (#17881156)

I realize the sentence but... how can this be enforced? For how much time?

Re:How can anybody be banned from internet? (0, Redundant)

PrinceAshitaka (562972) | more than 7 years ago | (#17881166)

I had the same thoughts. FTA: "he is banned from accessing the internet for personal reasons for an unknown amount of time"

How do you ban someone from the internet? What if he leaves the country? What if he tries to download movie times on his cell phone? I do not think any governing power would have the ability to ban someone from the internet.

Re:How can anybody be banned from internet? (5, Informative)

TubeSteak (669689) | more than 7 years ago | (#17881242)

How do you ban someone from the internet? What if he leaves the country? What if he tries to download movie times on his cell phone? I do not think any governing power would have the ability to ban someone from the internet.
Samy is on probation.
He now has a probation officer.
If Samy violates the terms of his probation, he can go to jail.
This is how they enforce the internets banhammer.

If Samy leaves the country, much less leaves the state, he has violated the terms of his probation and probably goes to jail. If Samy downloads movies on his cellphone, for non-work related reasons, he has violated the terms of his probation and could go to jail.

Being banned from the internet is no different than being banned from driving, or from going into [place of business] or going near schools, or from possessing [item X], etc.

Judges have this type of power and use it frequently.

Banned from internet == banned from using phones (3, Insightful)

tomhudson (43916) | more than 7 years ago | (#17881302)

A LOT of voice traffic is carried, at least in part, over the internet. The only way he can be banned from the internet is if he never, among other things, uses a phone (landline OR cellphone).

It also means being banned from certain fast food drive-through windows, where the person who says "can I take your order" is actually sitting in a center in another state.

It also means not using a bank ATM card.

Or digital cable TV.

Or the self-serve scanners at the local Wallyworld, since they're connected to a local server, which is in turn connected to the net at large.

Or any pre-paid gift card/cash card, since they're validated via the net.

Or a speedpass to pay for his gas. Same problem - accessing the net to validate.

So, if he gets a job writing spam, is he legal?

Re:Banned from internet == banned from using phone (5, Funny)

Goaway (82658) | more than 7 years ago | (#17881322)

Yes, because the judgement is obviously meant to be interpreted by a literal-minded nerd.

Re:Banned from internet == banned from using phone (4, Insightful)

Night Goat (18437) | more than 7 years ago | (#17881330)

Thankfully our legal system has more common sense than you. He can use TV, ATMs, and phones. THEY use the Internet, he uses them.

Re:Banned from internet == banned from using phone (2, Insightful)

Yvanhoe (564877) | more than 7 years ago | (#17881402)

And this is something to be thankful for, because where would we go if people obeyed the letter of the law (or judgement) instead of their perceived spirit ?

Re:Banned from internet == banned from using phone (1)

maxwells_deamon (221474) | more than 7 years ago | (#17881740)

IANAL and I have never been on probation.

However, what I think this means is the following, for three years:

must meet with his probation officer once a week
may have to take a drug test on a regular basis (even if he has never taken drugs)
gets his fingerprints on record and the conviction.
agrees not to use the internet for other than business purposes.
community service ....

The probation officer has the right to inspect the browser cache and files on any computer he has access to.

The biggest deal is that if he does something nasty on the internet he gets real prison time. (in theory)

Oh and the ban from the internet is for a time period that was not disclosed to the press. I would be quite shocked if it was not disclosed to him or if it ran longer than three years. And I am sure they mean voluntary personal use of the web and email, and he can probably get permission from his officer to do specific things on the web if needed like change his address with the DMV....

I think the sentence is fair based on the idea that he released the exploit before warning myspace.

Re:Banned from internet == banned from using phone (2, Interesting)

Stormx2 (1003260) | more than 7 years ago | (#17881638)

A COMPUTER uses the internet, he uses the computer

Nice use of black and white. Clearly he can't use a library's website to check if a book is in stock, but if he went to the library and took out a book, and they asked him for his name, address, phone number, and the data is sent to their online server, is he using it then? If the librarian suddenly got a bout of Carpal tunnel syndrome and asked him to type in the details would he be allowed to do that?

Does he simply have to ask someone else to enter things in order not to "use" the internet?

If he shares his computer with his roommate, and the computer updates the definitions of the firewall he installed, who's using the internet? if it asks for confirmation? if he presses the "update definitions now" button?

Re:Banned from internet == banned from using phone (2, Insightful)

Loie (603717) | more than 7 years ago | (#17881838)

by this logic, doesn't my computer use the internet, and I just tell it what to do? (i do get the point though, just being contentious)

Re:How can anybody be banned from internet? (1)

westlake (615356) | more than 7 years ago | (#17881252)

How do you ban someone from the internet? What if he leaves the country? What if he tries to download movie times on his cell phone? I do not think any governing power would have the ability to ban someone from the internet.

It's called violation of parole. You do not leave the country. You do not carry a web-enabled cell phone.

Re:How can anybody be banned from internet? (1)

DarkVader (121278) | more than 7 years ago | (#17881338)

Realistically? You can't. It's unenforceable, and it's unconstitutional.

The right to freedom of speech doesn't include a "due process" weasel out clause, it's a right no matter what else you do.

In the 21st century, it's like banning someone from publishing a newspaper, which no court would ever consider being able to get away with.

Re:How can anybody be banned from internet? (1)

SnowZero (92219) | more than 7 years ago | (#17881596)

Realistically? You can't. It's unenforceable, and it's unconstitutional.
While it's true that it will be difficult to enforce, how on earth is it "unconstitutional"? Where, exactly, in the constitution does it guarantee a "right to use the internet"?

The right to freedom of speech doesn't include a "due process" weasel out clause, it's a right no matter what else you do.
No. Rights are regularly removed when you break the law. Life, liberty, and property can all be taken away for crimes, provided that the punishment is legally justified, and isn't cruel and unusual. The second amendment doesn't have a "weasel out clause" either, yet few would argue that people in prison or on parole should be allowed to own guns.

Also, jumping from "internet use" to "free speech" is a huge leap. Protesters are regularly banned from certain locations if they break the law; They can still exercise their speech, but they have to do it elsewhere or through another method. The internet is no different, as it is one of many ways of exercising free speech. If Samy really needs something on the internet, he can write it on paper and have a friend or relative post it for him.

In the 21st century, it's like banning someone from publishing a newspaper, which no court would ever consider being able to get away with.
Publish a newspaper full of death threats and incitement to break the law, and see where that lands you. The court will have no trouble banning you from using your preferred method to commit a crime. It wouldn't get overturned either, since you forfeited your guarantee of freedom when you began breaking the law. Don't worry though, after the judge bans you from publishing a newspaper, you would still be able to post on myspace and write angry emails.

Re:How can anybody be banned from internet? (1)

whiteknight31 (744465) | more than 7 years ago | (#17881170)

What they will probably do is make sure that he isn't paying any ISPs for internet access. Of course this doesn't stop him from just using his neighbor's unsecured wireless network....

Re:How can anybody be banned from internet? (1)

Lazerf4rt (969888) | more than 7 years ago | (#17881208)

It's not even as simple as being banned from the Internet. He's "banned from using the Internet for personal reasons for an unknown period of time". Basically, as long as nobody sees him on MySpace for a little while, he'll probably be fine.

I'm sure the whole sentence was handed down just to send a public message: Don't fuck with MySpace. They have a heavily vested interest in being online every minute of the day, and don't want to be taken down for 5 minutes.

Re:How can anybody be banned from internet? (5, Funny)

CHacker (971699) | more than 7 years ago | (#17881488)

But why wouldn't I want to fuck with MySpace? Where else on the net could I find a bigger group of clueless individuals to mess with?

Re:How can anybody be banned from internet? (5, Funny)

riff420 (810435) | more than 7 years ago | (#17881542)

Oh, the irony. Look around, buddy. You're there already.

"disclosing security vulnerabilities doesn't pay" (1)

mangu (126918) | more than 7 years ago | (#17881168)

It won't pay until the blame is shifted to the real culprits: managers who hire the least competent possible technical people.

Let's face it, a company selling a service should have a team who knows more than the customers do about the details of that service. If that were the norm, security vulnerabilities would be found before exploits came out.

disclosing arrogance doesn't pay (1)

Anonymous Coward | more than 7 years ago | (#17881316)

"It won't pay until the blame is shifted to the real culprits: managers who hire the least competent possible technical people."

So in other words it's OK to treat others however you want because they're not as smart as you are. Let's say they did have the uber team and he still managed to exploit them? Who would you blame then? When will people stop blaming others for their own actions? When hell freezes over.

Re:disclosing arrogance doesn't pay (1)

mangu (126918) | more than 7 years ago | (#17881418)

it's OK to treat others however you want because they're not as smart as you are

No, it's not OK. But if you are in a position of responsibility you should get the smartest people you can to protect your customers.

What if your bank manager told you, "sorry, your money has been stolen, but, of course, we have nothing to do with that, don't blame me for the criminal's action".

In a perfect world, there would be no burglars. No thieves or murderers. But this world is not perfect, and you should learn to live with that simple fact. When thieves and burglars exist, and other people have entrusted their belongings or information to you, then you have a responsibility. A web company manager that hires incompetent people is like a bank manager who carries cash in open cardboard boxes in the street.

Re:disclosing arrogance doesn't pay (1)

rblancarte (213492) | more than 7 years ago | (#17881530)

I agree that there is some level of responsibility of the site operators. I think your bank example is a really good one. But at the same time, just because the bank made a mistake, doesn't mean that the burglar who robbed the bank can get off scot-free.

RonB

Re:disclosing arrogance doesn't pay (1)

DogDude (805747) | more than 7 years ago | (#17881788)

I challenge you to name one web service/site/business that has NOT been compromised in some way. It's virtually impossible to make a hack-proof web site that does any more than display static pages.

Re:"disclosing security vulnerabilities doesn't pa (1)

rblancarte (213492) | more than 7 years ago | (#17881442)

WTF are you talking about? This guy wrote this worm. He didn't disclose any sort of vulnerability. Unless by disclose, you mean he exploited it. That is like saying a guy who writes a Windows virus that wipes out millions of hard drives world wide is not at fault, Microsoft is for leaving that vulnerability in there.

Look, this is like tons of other cases, Gary McKinnon [wikipedia.org] , Adrien Lamo [wikipedia.org] and others. If you are breaking a rule or the law, do not expect leniency, regardless if you meant good or ill. Claiming that you were doing it just to demonstrate something is not a defense. If that is the case a valid breaking and entering excuse would be "I was just showing these people their locks didn't work".

RonB

Re:"disclosing security vulnerabilities doesn't pa (1)

SnowZero (92219) | more than 7 years ago | (#17881706)

Ah yes, the old "throw a brick through a car window and blame it on the window manufacturer" argument. Samy didn't just identify an exploit, he actively exploited it, and even made it self replicating. That's a little bit more than "disclosing", don't you think? Considering that he effectively took down myspace, and probably cost them quite a bit in lost advertising revenue, I think he got off pretty easily.

Personally I really like the idea of community service sentences as punishment for internet crimes. They didn't cause physical damage, but they hurt the internet community by wasting people's time and bandwidth. Now he can pay it back by helping the real community.

Banned from using the Internet? (5, Funny)

SteveFoerster (136027) | more than 7 years ago | (#17881176)

Banned from using the Internet? Is that like the opposite of house arrest?

no (1)

mfh (56) | more than 7 years ago | (#17881246)

That's the same as house arrest.

Meanwhile ... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17881180)

... Bill Gates, who has caused far more damage to far more people, is walking round on the loose and laughing at the ineffectiveness of the justice system:

http://slashdot.org/article.pl?sid=07/02/03/1524250 [slashdot.org]

Mod parent up (0)

Anonymous Coward | more than 7 years ago | (#17881250)

The world would be a better place if Microsoft programmers had computer restrictions put in place to prevent them from having written the software to facilitate cyber-crime on a global scale.

Re:Mod parent up (0, Offtopic)

ScrewMaster (602015) | more than 7 years ago | (#17881412)

The world would be a better place if Microsoft were restricted, period.

Re:Meanwhile ... (0)

Anonymous Coward | more than 7 years ago | (#17881424)

Yes. Damn Bill Gates and his wife for giving all that money to AIDS research! Somebody think of all they lives he's damaged by doing so.

Summary is wrong... (5, Informative)

TubeSteak (669689) | more than 7 years ago | (#17881188)

"The creator of the infamous worm was unfortunate enough to be the the target in MySpace's latest litigation."

AFAIK, a civil court (which is where MySpace would have to sue Samy) doesn't ban people from the internets or sentence them to community service. And TFA says he pleaded guilty in LA Superior Court... you don't plead guilty in civil court.

Here's a better article [techspot.com]

Samy Kamkar (aka 'Samy is my Hero') plead guilty yesterday in Los Angeles Superior Court to a violation of Penal Code section 502(c)(8) as a felony and was placed on three years of formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and had computer restrictions placed on the manner and means he could use a computer - he can only use a computer and access the internet for work related reasons.

Undoubtedly, the prosecutor had MySpace's cooperation, but MySpace certainly didn't "target him" in court.

P.S. of the 3 articles on Google News [google.com] submitter picked the least informative one.

Re:Summary is wrong... (0)

mrbbad (1059772) | more than 7 years ago | (#17881274)

The fact that this guy ended up in court is a bit perplexing, I am not sure what he is going to learn from it other than to be more anonymous in the future maybe. If it were totally nefarious I might understand, but if I am reading this correctly and it was more a 'demonstration' than anything, it would be smarter to hush up and let him be and learn from these things. I just think criminal courts should be left to dealing with people that actually hurt others. I'm sure MySpace was fine.

Re:Summary is wrong... (1)

rblancarte (213492) | more than 7 years ago | (#17881572)

Why did the guy end up in court? What he did was illegal. Demonstration is not an excuse.

RonB

Re:Summary is wrong... (1)

TubeSteak (669689) | more than 7 years ago | (#17881324)

hmm, i just read the MySpace press release in the techspot comments section

"MySpace is committed to protecting our community from any abusive misuse of the site. We worked closely with the Los Angeles District Attorney's office in taking criminal action against Samy Kamkar (aka "Samy Is My Hero") for criminal activity related to launching a replicating worm attack on MySpace. We are pleased with the verdict and will continue to pursue criminal action against people who try to harm our members in any way."
...
"MySpace's suit against Samy is one of many in a series of aggressive steps MySpace has taken over the last two years to combat spam, phishing, and other abusive misuse of the MySpace site."

I guess you could say they targeted him, as in "we pressed criminal charges", but the litigation still wasn't MySpace's, no matter how they like to claim that their "suit against Samy" is part of their campaign to combat abuse.
 
/no more replying to my own posts

But Samy is my hero (5, Insightful)

Anonymous Coward | more than 7 years ago | (#17881212)

The kid wasn't malicious, it was a joke. If anyone should be punished it's myspace for having such a crap web application that allowed a worm to replicate so quickly.

From what I've heard of the quality of MySpace code and given it's popularity, the site is the nets #2 liability behind Windows zombies.

I still insist (1)

kirils (1050022) | more than 7 years ago | (#17881222)

laws have to be changed ASAP. They were created before anyone in the government had seen what a computer or "an internet" is and are just not fit for the real computer world today. Why don't they put in jail everyone who creates real viruses in the labs, but do put those away that create computer viruses (and do not even use them out of a controlled environment (lab))??

Re:I still insist (5, Insightful)

@madeus (24818) | more than 7 years ago | (#17881538)

Why don't they put in jail everyone who creates real viruses in the labs, but do put those away that create computer viruses (and do not even use them out of a controlled environment (lab))??
(a) I don't know of anyone who's ever been 'put away' for developing a computer virus in a lab.
(b) Kamkar used this exploit in the real world, affecting one million accounts (and even he isn't being 'put away').

The writeup is misleading when it says:

The source and technical explanation for the "attack" was not even released until after MySpace had patched the vulnerability.

The author used the script to add over one million 'friends' to his profile, MySpace then addressed the issue. Obviously the source was released *before* it was patched (that's fundamental to how the exploit worked). All he did after the event was post a more detailed explanation of how he developed the exploit.

Note, he didn't circulate that to anyone beforehand or tell MySpace about what he had found - he just decided to go right ahead and exploit the vulnerability.

I don't believe for a minute MySpace - as much as I dislike the site and most of its users - would go after someone who, on discovering the issue, actually went to them first and told them about what they had found (or even if they'd just published notice of a theoretical vulnerability via something like a known and respected security mailing list).

Kamkar did none of those things, he just decided to go right ahead and exploit the hole and play at being a haxor. Given he was 19 and so clearly old enough to have known better, three months of community service and being forced to pay restitution to MySpace sounds about right to me.

One less guy like that on the Internet for a while is something I'd welcome too.

Re:I still insist (0)

Anonymous Coward | more than 7 years ago | (#17881748)

Since when is MySpace "the real world"?

What goes on in that site actually has little bearing on the world at large, it's mostly teenage blogs.

Re:I still insist (1)

@madeus (24818) | more than 7 years ago | (#17881858)

Since when is MySpace "the real world"?

It always has been a web site, in the real world, maintained by real people who cost real money to employ to run the site and to clean up after this sort of thing; it has real advertisers and real owners too. It exists to generate money for people, it's a business.

In what way does it not exist in "the real world"?

Missing the point (5, Insightful)

cunamara (937584) | more than 7 years ago | (#17881234)

Clearly, disclosing security vulnerabilities doesn't pay.

The summary misses the point by a country mile, as do some of the comments in response. Disclosing security vulnerabilities is fine and appreciated. But doing so in the way that this clown did it is not. He used poor judgment and is paying the price for that.

Re:Missing the point (0)

Anonymous Coward | more than 7 years ago | (#17881292)

It was a prank (facilitated by poor code courtesy of MySpace) that got out of hand. Microsoft should be just as liable for having IE execute javascript from a stylesheet (Apple decided Safari should be bug-compatible with IE).

Try asking the supposed responsible entities to be responsible before asking it of some punk kid!

Poor Judgement (1)

BlueCoder (223005) | more than 7 years ago | (#17881744)

Yes he had poor judgement in creating a worm that did no evil. He should have created one that did very bad things and then he would have been on his guard and not have gotten caught. His poor judgement was telling a bully his fly was open and not thinking the bully would blame him for it.

Re:Poor Judgement (1)

Animaether (411575) | more than 7 years ago | (#17881854)

"His poor judgement was telling a bully his fly was open and not thinking the bully would blame him for it."

Except that said analogy is more wrong than car analogies. But seeing as you created it...

This was more along the lines of this guy taking a piss into said bully's open fly. Then the bully obviously realizes that there's piss in his underpants, and he sure didn't put it there, so he ponders what went on.. realizes his fly was open, then traces back past events until he realizes that it was a kid who pissed through his open fly. Then once the bully zipped up his fly, the kid added insult to injury by disclosing exactly how it was done to the world.

Suddenly, the bully doesn't sound like much of a bully anymore, does he?

Source of all exploits discovered (1)

ingo23 (848315) | more than 7 years ago | (#17881238)

From the article:

Kamkar, using a programming technique known as Asynchronous JavaScript and XML (AJAX) that permitted browsers to execute malicious code, was able to circumvent MySpace's strong JavaScript filters.
Now we know where all those buffer overflows are coming from. Good that somebody has finally exposed that obscure AJAX thing.

The moral of this story... (0)

kryptkpr (180196) | more than 7 years ago | (#17881248)

Clearly, disclosing security vulnerabilities doesn't pay

The moral of this story is that if you do the right thing and inform those affected then you risk personal liability, charges, fees and so on...

Instead, you should just sell the exploit to the highest bidders (probably hackers employed by the Russian mob). He could have gotten a few thousand for it no problem (and as an extra added bonus, no probation!).

Re:The moral of this story... (5, Insightful)

Alioth (221270) | more than 7 years ago | (#17881368)

Sigh. He released a frikin' worm, he didn't just pick up the phone and say "Your service is vulnerable to X". He actually exploited the vulnerability. It's like instead of telling someone that the lock doesn't work on their door, you instead go in, sleep in their beds, drink their beer and rearrange their furniture. Telling them the lock doesn't work? A nice neighbourly thing. Going in and rearranging their house without their consent? Criminal trespass.

Precisely (5, Insightful)

Sycraft-fu (314770) | more than 7 years ago | (#17881532)

This is something I just don't get, the mindset that so many people seem to have that when it comes to computers, if you can do it, that should make it legal and acceptable. No, that's not the case. Being able to do something doesn't make it ok. I highly doubt there's more than a handful of people on Slashdot with houses so secure that I couldn't break in to them. Home security is usually pretty basic. However that doesn't make it ok for me to do, even if my intent is simply to prove that it can be done. It's your house, I'm welcome to stay the fuck out unless you give me permission.

Same is true of a computer. Just because there's a security hole on a system, doesn't give you any right to access that system. You need to leave it alone unless you have permission from the owner.

In general, you shouldn't even go looking for security holes without permission. If you notice my door is hanging open and tell me, I'll be appreciative, however if I catch you jiggling the door knobs, checking the windows, etc I'm likely to interpret that as malicious, even if your intent is just to check for vulnerabilities. Ask first. Same with computers. If you run across something, by all means tell the person in charge. However don't sniff around looking for holes unless they've given you the OK.

This isn't complicated and really just comes back to basic kindergarten morals: Don't take things that aren't yours, ask before playing with someone else's toys, don't break things on purpose, etc. The rules don't change just because it's computers and not something else.

Re:Precisely (0)

Anonymous Coward | more than 7 years ago | (#17881704)

Welcome to the hall of bad analogies!

Breaking into someone's home is illegal because there's a law against trespassing. That's why home security is usually pretty basic.

On the other hand a computer system is more like game of chess. If you look for "security holes" and checkmate someone in a tournament it might piss him off, but it's not illegal.

Re:The moral of this story... (1)

BlueCoder (223005) | more than 7 years ago | (#17881882)

That's not a valid analogy. When it comes to computers the concept is the thing itself. The worm didn't do anything, it's a proof of concept. It's more like posting a xerox of a key on the internet. No payload is no payload. There was no actual "use" involved. It's like trying to rob a bank with an orange water gun. It's called a bad joke.

His actual crime was embarrassing people.

Re:The moral of this story... (1)

gsslay (807818) | more than 7 years ago | (#17881388)

The moral of this story is that if you do the right thing and inform those affected then you risk personal liability, charges, fees and so on...

In what way is writing a virus to exploit a security weakness "informing those affected"?

banned from the internet, work too? (0)

Anonymous Coward | more than 7 years ago | (#17881258)

if his primary income comes from internet related activities ( no , not scamming ), will the state be responsible for feeding him?

Summary biased? (5, Interesting)

anakin876 (612770) | more than 7 years ago | (#17881276)

Wow - what a horribly biased summary. Was it written as a deliberate troll? It reads like a deliberate troll! Disclosing a security problem does not usually entail creating a virus that uses it. I realize that his virus did not "hurt" anybody - other than, apparently, him - but he did not just disclose the security hole. It sure would be nice if Commander Taco would read this stuff before approving the submission.

Re:Summary biased? (1)

ScrewMaster (602015) | more than 7 years ago | (#17881448)

Actually, disclosing a vulnerability does often entail creating executable code to exploit it: how else do you prove the vulnerability really exists? Actually releasing said code ... that's a different matter.

Re:Summary biased? (0, Flamebait)

Gojira Shipi-Taro (465802) | more than 7 years ago | (#17881584)

It certainly doesn't EVER entail RELEASING a virus or worm that exploits the vulnerability (which is what this little shit did).

I hate myspace, but FFS, their network wasn't created for mister "special snowflake" to explore for his amusement.

Fuck him. The penalty wasn't nearly harsh enough.

Protected from "harm"? (1)

kestasjk (933987) | more than 7 years ago | (#17881296)

We are pleased with the verdict and will continue to pursue criminal action against people who try to harm our members in any way.
Protect your members from the horrors of a harmless prank by helping get one of your members three years of probation, three months of community service, pay restitution to MySpace, banned from using the Internet for personal uses, and having a tarnished CV.

I'd like to think that if someone managed to release a script onto /. that added everyone as their friend the admins would brush it off and take it as a joke. I don't think such a script would "harm" me. (I use FF's NoScript [noscript.net] anyway, but that's besides the point..)

Report security holes only to open source authors (2, Insightful)

kcbrown (7426) | more than 7 years ago | (#17881300)

The way things are in the U.S. today (and getting that way elsewhere as well), it looks to me like it's simply not worth revealing security holes to the corporations that have them. All they'll do is either sue you into oblivion or get you criminally prosecuted. They sure as hell won't thank you.

So I think it's time to let these corporations have what they want. Let them have their blissfully naive fantasy that they're invulnerable. They don't want to hear anything to the contrary, so why tell them? Let them and their customers suffer. It sucks that their customers will suffer, but if their customers suffer, then perhaps (unlikely, I know, but still) they will suffer too. And for having such a simultaneously naive and arrogant attitude, they deserve to suffer.

Instead, if the target in question is running open source software, inform the author(s) of said software about the security vulnerability. Include a fix if you can. They'll be far more grateful for your effort than any of these piece of shit corporations will.

The end result? Open source software gets fixed, because vulnerabilities get reported to those who can do something about it, and closed-source software remains vulnerable. That gives open source software even more of an advantage than it already has, thanks to the blind arrogance of the corporate idiots who would prefer to harm the messenger rather than fix their own problems.

Sounds like a win-win deal to me!

I bet Samy feels short changed now (0)

Anonymous Coward | more than 7 years ago | (#17881420)

If I was going to be tried and sentenced for a felony, I'd want the satisfaction of having replaced all user images with goatse.

Samy is a true hacker [wikipedia.org] , he is my hero.

The wording of this article is horribly biased (1)

Omnifarious (11933) | more than 7 years ago | (#17881434)

He did not 'disclose a vulnerability'. He wrote a script that exploited it. It wasn't a script that was designed as a proof of concept that did nothing. It was a script that added him to tons of people's friends lists and put a phrase in their profile.

Banning someone from the Internet is a stupid punishment. And perhaps the whole thing was a bit harsh. IMHO, this was a prank that deserved the equivalent of the punishment you get for disorderly conduct or vandalism, not for a really serious crime.

But, this is not punishing someone for exposing a vulnerability. This is punishing someone for exploiting it. Those are different things. The wording of the article really annoys me because there are people who are punished merely for exposing a vulnerability and this makes it seem like when they complain about this they're just crying wolf.

Understandable really... (1)

cliveholloway (132299) | more than 7 years ago | (#17881452)

He's been acting a little strange since he failed the screen test [flickr.com] for Brokeback Mountain... cLive ;-)

Banned! (1)

kernel_pat (964314) | more than 7 years ago | (#17881486)

How can you get banned from the internet, it's not like it's a tangible object like being banned from the shopping mall.

LOL (1)

Raven42rac (448205) | more than 7 years ago | (#17881522)

He did less damage than the Enron guys, yet he'll still probably end up facing worse punishment.

please explain (1)

nomadic (141991) | more than 7 years ago | (#17881580)

He did less damage than the Enron guys, yet he'll still probably end up facing worse punishment.

He got probation, so no jail time. Jeff Skilling of Enron fame got 24 years in prison. Andrew Fastow got 10 years.

Re:please explain (1)

Raven42rac (448205) | more than 7 years ago | (#17881710)

Oh, oops. Maybe I meant some of those other robber barons.

Re:LOL (0)

Anonymous Coward | more than 7 years ago | (#17881824)

Reformed coke-head, George W Bush launched an illegal war that has resulted in the death of thousands and he goes unpunished. You see, being responsible for thousands of deaths pales in comparison to the evil of unleashing a javascript worm onto a recreational web site.

No Damage? (2, Insightful)

thedbp (443047) | more than 7 years ago | (#17881544)

I guess you don't value other people's time. Time spent cleaning up their profile. Bandwidth wasted on this stupid little look-at-me script.

Punishment more than suits the offense. If you don't want to be inconvenienced and have your time taken from you by the legal system, don't inconvenience other people and steal their time.

Simple formula.

Re:No Damage? (0)

Anonymous Coward | more than 7 years ago | (#17881650)

I'm sure the Russian mob have no such scruples and are outside US jurisdiction. Myspace should be thankful this was a prank and not something malicious, news of which could have scared away users for good.

If MySpace had an iota of clue, Samy would be offered a consulting gig "to help protect users".

Too Bad People Don't Understand Technology (5, Insightful)

logicnazi (169418) | more than 7 years ago | (#17881550)

The problem is that judges, juries and prosecutors aren't really comfortable and familiar with technology so they apply the law stupidly and literally. Kinda like the same way some earlier comment took 'no internet' to mean not using any device that happens to utilize the internet.

I mean consider an appropriate physical analogy for what this kid did. It would be like if he walked into a bookstore that looked to be open but turned out that the staff had taken the day off and gone home but forgot to lock up but then instead of stealing anything rearranged all the books so they spelled out funny comments and left a little note on the cash register suggesting they lock the store next time. Now obviously it would be a bad idea to do this as it would be a bad idea to run this myspace worm, however, because the prosecutors, judges and juries would correctly see this as a mere youthful prank rather than a serious threat to public order and give him community service. This to a large part is how a good legal system operates, having strong punishments for behavior that can be used maliciously but showing mercy when used more innocently.

In the computer case the offended company (and eventually the prosecutor) talks about how the offender used "sophisticated computer hacking techniques" and spouts off all sorts of words the average person doesn't understand. Thus in their mind far from a kid playing a trick on a company that left the door open the situation becomes a precocious teen who used sophisticated criminal techniques to break into a locked store and thinks it's all a game. What is the real world equivalent of rearranging the books can be made to seem the activities of some kind of online underground.

Even the harm caused is easily distorted. While it might be clear to us that this kid was taking steps to avoid causing harm (not releasing info etc..) the prosecution just talks about how it was a DOS attack and the jury isn't going to know any better. In fact it is all too easy to spin horror stories about what the attack 'could have done' if it hadn't been dealt with by their computer people (the equivalent of saying what could have happened if the bookstore never resorted the books). Finally this lack of knowledge and the difficulty valuing IP makes it super easy (as in the Mitnick case) to overestimate the seriousness of the harm. Even if it may have actually made more people visit myspace (I looked).

Obviously it isn't a good idea to release a javascript worm like this but it surely doesn't deserve more than community service and a good scolding. If the people in the system understood the technology it would do just that.

Liability (5, Insightful)

bryan1945 (301828) | more than 7 years ago | (#17881566)

I'm taking a grad course in infosec, and our prof told us about a case where an engineering student found a vulnerability in his department's website. Wasn't even looking, just stumbled upon it. He reported it to his adviser, who told the department, and it got fixed. The next semester someone exploited the mathematics department's site, and the first person they questioned was the engineering student. Different department, different exploit, but they focused on him first since he reported a vulnerability. They eventually found the real person responsible.

We ended up having a good 30 minutes of discussion about IT ethics. Obviously this case is different, but look at the case with the engineering student- what if they didn't find the person? Would they blame the engineering guy just to have someone to blame?

Just makes me wary of ever telling someone that their front door is open- "How did you know! You trying to break in!"

Twilight Zone? (1)

madsheep (984404) | more than 7 years ago | (#17881568)

I am going to have to expand on what the first poster said: "Stop writing malicious scripts." My response to that is either "exactly!" or "no shit!" I feel like I am in the twilight zone with some of these other responses, especially the submitter's last comment.

Clearly, disclosing security vulnerabilities doesn't pay.
Since when is exploiting the vulnerability considered disclosing it? Sure you can argue something more malicious could have been done, but that is bogus. You can't just decide to exploit a vulnerability because it doesn't do any damage. That's like saying I could open everyone's door in my condo complex because I found out the key they gave me was a master key. So who exactly did he disclose this vulnerability to again? He deserves what he got. I think MySpace could have definitely gone another route but they didn't. Sucks for him.

1st Amendment Rights (0, Offtopic)

Inmatarian (814090) | more than 7 years ago | (#17881598)

Poor Sammy had his 1st Amendment Rights violated. The publication of a worm that was never deployed is just a publication, and by constitutional right, Congress can make no law banning it (free press), and the Judicial system can cite no law that convicts him.

If I knew Sammy personally, I'd say he should call one of those constitutional legal groups and ask them to help him make an appeal.

Should'a used AMP! (1)

Skudd (770222) | more than 7 years ago | (#17881612)

Nah, seriously... I'm sure that the Coldfusion platform has similar abilities:

  1. Delete "Sammy's" profile from the database
  2. Search for all occurrences of the "malicious" code in the database and remove it
  3. Return to ruining the social world


Just my $0.02 USD.

Ye Olde Times (1)

RockoTDF (1042780) | more than 7 years ago | (#17881624)

Whenever I hear of people getting in trouble for exposing security holes, I always think of how in England (and many feudal societies, I'm sure) in the days of yore physicians could be executed for telling royalty just how sick they were. "Your Majesty, you are going to die" was considered a death threat. "hey myspace, your shit is broken" seems to yield a similar response, minus the gallows. As a previous poster said, (to paraphrase) "just because my house isn't 100 percent secure doesn't mean you should break into it to prove it." While I agree, how can one prove that there is a hole in a system's security without breaking into it? Perhaps an email just saying "hey, you left this port open and these lines of code are weak..." or something would suffice, but something tells me that would be a EULA violation.

Corps like these deserve what they get (1)

BlueCoder (223005) | more than 7 years ago | (#17881652)

When the good and neutral are being punished for bringing attention to what needs attention... It's just not worth it to be honest and true.

The ignorant may not listen but the dark market understands. The dark side is seductive.

gn44 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17881674)

He Exploited the Vulnerability (1)

ClubStew (113954) | more than 7 years ago | (#17881776)

The poster said that exposing the vulnerability didn't pay. Now, while I think being banned from the Internet (yeah, however THAT works) is extreme, keep in mind he didn't just disclose the vulnerability - he exploited it. Had he just exposed it - and been mindful to disclose it first to MySpace - I'd feel more sympathy toward the guy.

Slanted summary (1)

Feanturi (99866) | more than 7 years ago | (#17881816)

Clearly, disclosing security vulnerabilities doesn't pay.

Ummm, nice slant on that summary. Exploiting security vulnerabilities before disclosing them is an entirely different matter. This kid isn't anybody's hero for explaining about the hole after it had already been fixed, what was that supposed to have served anyhow?

Samy is my hero (1)

WndrBr3d (219963) | more than 7 years ago | (#17881830)

In all fairness, Samy is still allowed to use the internet for work reasons.

He never used it in his spare time because he was always too busy being a sexy [enusbaum.com] man picking up women with his hot body [ytmnd.com] .

We love you Samy!

- #L

He wouldn't have been caught... (2, Insightful)

hellraison (1059636) | more than 7 years ago | (#17881860)

If he had only known about proxy servers :(...
and hadn't put his name everywhere

Myspace, fix your site! (1)

mw22 (908270) | more than 7 years ago | (#17881866)

"MySpace is committed to protecting our community from any abusive misuse of the site," the company said in the statement.
That's just not true, given the way they've set up the site. How about giving every user its own subdomain? Apparently, myspace is allowing all kinds of html for people to use, and they're trying to strip out all the javascript afterwards. That is just asking for trouble.
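As an added example (not code from this thread, from MySpace, or from the worm itself), here is the contrast mw22 draws above written out for Node: a naive blacklist filter that tries to "strip out all the javascript" from arbitrary user HTML, next to an allowlist sanitizer that only emits tags and attributes it knows to be safe. The payloads are constructed for illustration; the CSS `expression()` one reflects the earlier remark about old IE executing script from a style rule, and the tab-entity one shows why a literal `javascript:` check is not enough. The tokenizer is a deliberately simplified model of HTML parsing, not a production sanitizer.

```javascript
// Added example (not from the Slashdot thread or MySpace): a naive blacklist
// filter that "strips out the JavaScript" versus an allowlist sanitizer that
// only lets through known-safe tags and attributes. All payloads below are
// constructed for illustration.

// Blacklist: delete <script> blocks and the literal "javascript:" scheme.
// Everything not on the list, including event handlers and CSS expression(),
// passes through untouched.
function blacklistStrip(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Allowlist: a closed set of tags, per-tag attributes, and URL rules.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);
const DROP_WITH_CONTENT = new Set(['script', 'style']); // drop tag and body
const SAFE_URL = /^https?:\/\/[^\s"'<>]+$/i;             // absolute http(s) only

// Text runs are re-escaped on output (an existing "&amp;" becomes "&amp;amp;";
// harmless in a text node, but a real sanitizer would decode first).
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allowed attributes; URL attributes must match SAFE_URL, and every
// kept value is re-quoted with its value entity-escaped.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                           // e.g. onerror
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value)) continue; // e.g. java&#x09;script:
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Simplified tokenizer: a tag, a text run, or a stray "<". Real HTML parsing
// has many more quirks; use a maintained sanitizer library in production.
function allowlistSanitize(html) {
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|(<)/g;
  let out = '';
  let skipping = null; // name of the DROP_WITH_CONTENT element we are inside
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [, slash, rawName, rawAttrs, text, loneLt] = m;
    if (rawName === undefined) {              // text or a bare "<"
      if (!skipping) out += escapeText(text ?? loneLt);
      continue;
    }
    const name = rawName.toLowerCase();
    if (skipping) {                           // inside <script>/<style>: drop
      if (slash && name === skipping) skipping = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!slash) skipping = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;    // unknown tag: drop it, keep its text
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
  }
  return out;
}

// Constructed payloads: a script tag, an event handler, an IE-era CSS
// expression(), a scheme obfuscated with a tab entity, and a benign link.
const SAMPLE_PAYLOADS = [
  '<b>hello</b><script>alert(1)</script>',
  '<img src="x" onerror="alert(1)">',
  '<div style="width:expression(alert(1))">profile</div>',
  '<a href="java&#x09;script:alert(1)">link</a>',
  '<a href="https://example.com/">ok</a>',
];

for (const p of SAMPLE_PAYLOADS) {
  console.log(JSON.stringify(p));
  console.log('  blacklist:', JSON.stringify(blacklistStrip(p)));
  console.log('  allowlist:', JSON.stringify(allowlistSanitize(p)));
}
```

Running it shows the blacklist catching only the first payload while passing the event handler, the style expression and the entity-split scheme through unchanged; the allowlist reduces them to `<img>`, `profile` and `<a>link</a>` respectively, because it never has to enumerate what is dangerous, only what is permitted. Per-user subdomains, the other suggestion above, complement this by putting each profile in its own origin so that whatever does slip through cannot read another user's session.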