MySpace Worm Writer Charged

Rich Tate

The man who wrote the infamous MySpace super worm was charged with a year's probation and ordered to perform 90 days of community service.

Kamkar, using a programming technique known as Asynchronous JavaScript and XML (AJAX) that permitted browsers to execute malicious code, was able to circumvent MySpace’s strong JavaScript filters.
 
I'm sorry, what was the damage he caused? Showing that the MySpace web developers did not properly check their user generated code?

I seem to recall he never tried to hide what he was doing, and his little exploit never actually placed any malicious code on anyone's computer. I honestly don't see how placing code that adds someone as your friend can be considered malicious, especially since the MySpace web environment was supposed to be so completely safe.
 
The sentence was far too weak. Suggesting he didn't do anything wrong is bs. The penalty for doing malicious things with code should carry much worse penalties. Then maybe something like what this guy did would happen less often.
 
That is just retarded. Not like he stole information, or caused any actual damage.

I gave the guy props, cause I thought it was funny in the Heroes section, Samy is my hero. That is just hilarious.

Didn't cause myspace any damage/or revenue loss.
 
So you're not supposed to be screwing with people's property even though you can. What a terrible message to send.
 
I would much rather have this guy taking up a spot in our already overcrowded prison system than someone that committed a violent crime, sex offender, drug dealer, etc. :rolleyes:
 
I find a lot of people treating this as if he committed some major offense.

Do you actually KNOW what he did?

He found a bug that allowed him to write code to make people add him to their friends list.

That's it. There is NO reason he should face jail time for this. No loss was incurred to anyone. It was, more or less, a victimless crime. Personally I see this on par with spray painting a wall or egging a house.

Sure, it's against the law, but:

1) It was not malicious.
2) It was PURPOSELY not malicious. If he wanted to do something malicious such as steal info he very well could have.
3) It caused no significant loss.
4) Myspace likely GAINED free publicity due to this.

There's no reason for jail time here.
 
I'm torn between punishing him for hacking, or punishing him for not using his one big chance to find a way to take MySpace down forever. ;)
 
Here's his log of what he did.

A few months back, I decided to make a permanent myspace account so that I could easily view pictures of random, hot girls whenever I please without creating a new account each time. I also had a number of friends on there and figured I would see what all the hype was about. Myspace is a site for keeping up with friends, meeting new people, and even getting laid (sorry ladies, I'm taken.) It allows you to set up a profile/web page with a limited ability to make it look and feel how you wanted. Too limiting. I couldn't even fit a good line into my "headline" without taking words out and sounding like G.W.B. trying to respond to an arbitrary question. Hell, I couldn't even fit more than 12 glamour shots on my photos page. Like an illegal alien with a plan, I ventured to evade these limiting borders.

I began to examine the site some more, seeing how they restrict things, what they restrict, taking some breaks to look at profiles of really hot girls, trying to add them as friends and getting rejected, and getting back to making my profile cool so that they would add me as a friend later. Chicks dig cool profiles. After a little bit of messing around, I found that I could put in a longer headline than what they allowed. Hell, I could even get around their other restrictions and get HTML in there in order to add cool "effects" to my page that other people can't add. Yeah, that will get me chicks. Girls want guys who have computer hacking skills.

Let's see here...what would make my profile rock. Well, the most popular profiles on myspace pretty much consist of people with the IQ and English delivery skills of Kanye West so I don't want to mimic those, but popularity begets popularity. I need some more friends. I need people to love me. I delved into the bug and found that I could basically control the web browsing of anyone who hit my profile. In fact, I was able to develop something that caused anyone who viewed my profile to add my name to their profile's list of heroes. It's villainous. I was ecstatic.

But it wasn't enough. I needed more. So I went deeper. A Chipotle burrito bol and a few clicks later, anyone who viewed my profile who wasn't already on my friends list would inadvertently add me as a friend. Without their permission. I had conquered myspace. Veni, vidi, vici.

But it wasn't enough.

If I can become their friend...if I can become their hero...then why can't their friends become my friend...my hero. I can propagate the program to their profile, can't I. If someone views my profile and gets this program added to their profile, that means anyone who views THEIR profile also adds me as a friend and hero, and then anyone who hits THOSE people's profiles add me as a friend and hero... So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends. And after that, well, that's when things get difficult. The math, I mean.

Some people would call this a worm. I call it popularity. Regardless, I don't care about popularity, but it can't hurt, right?

10/04, 12:34 pm: You have 73 friends.
I decided to release my little popularity program. I'm going to be famous...among my friends.

1 hour later, 1:30 am: You have 73 friends and 1 friend request.
One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning.

7 hours later, 8:35 am: You have 74 friends and 221 friend requests.
Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.

1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it's exponential, isn't it. Shit.

1 hour later, 10:30 am: You have 518 friends and 561 friend requests.
Oh crap. I'm getting messages from people pissed off that I'm their friend when they didn't add me. I'm also getting emails saying "Hey, how the hell did you get onto my myspace....not that I mind, you're hot". From guys. But more girls than guys. This actually isn't so bad. The girls part.

3 hours later, 1:30 pm: You have 2,503 friends and 6,373 friend requests.
I'm canceling my account. This has gotten out of control. People are messaging me saying they've reported me for "hacking" them due to my name being in their "heroes" list. Man, I rock. Back to my worries. People are also emailing me telling me their IM names so that I'll chat with them. Cool. Back to my worries. Apparently people are getting pissed because they delete me from their friends list, view someone else's page or even their own and get re-infected immediately with me. I rule. I hope no one sues me.

I haven't been worried about anything in years, but today I was actually afraid of the unknown. Afraid of myspace? No, afraid of FOX's legal department. If you're not aware already, myspace was purchased by FOX only a few weeks back for 580 million dollars. Not online myspace dollars, but actual cash that can buy strippers. With all that money, Tom from myspace could basically do 2 chicks at once, 580 times. Or he could have FOX come after me. I don't want FOX after me.

I spend the rest of the day working, trying to get the ideas of what could happen out of my head. I have my girlfriend visit me for lunch to say our goodbyes. I'm going to the big house. I could hear it then, "mr samy, you are hereby sentenced to an $800,000 fine and 3 years in jail for getting way too many friends on myspace and causing psychological damage to girls who thought they were your friends until you cancelled your account."

5 hours later, 6:20 pm: I timidly go to my profile to view the friend requests. 2,503 friends. 917,084 friend requests.
I refresh three seconds later. 918,268. I refresh three seconds later. 919,664 (screenshot below). A few minutes later, I refresh. 1,005,831.

It's official. I'm popular.

I have hit 1,000,000+ users. In less than 20 hours, I've hit over 1/35th of all myspace users. Every request is from a unique, living, and logged in user. I refresh once more and now see nothing but a message that my profile is down for maintenance. I messed up, didn't I. I'm now more afraid and decide I am never doing anything even near illegal ever again. To get my mind off of everything, I begin downloading a copy of the latest Nip/Tuck episode.

1 hour later, 7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize. Another attempt to free my mind of worry, I go back to watching some episodes of The OC which I downloaded a few days earlier. File sharing rocks.

2.5 hours later, 9:30 pm: I'm told that everything on myspace seems to be working again. My girlfriend's profile, along with many, many others, still say "samy is my hero", however the actual self-propagating program is gone. I'm relieved that it's back up as they can't claim damages for any downtime past this second if everything is in fact working properly.

10 minutes later, 9:40 pm: I haven't heard from anyone at myspace or FOX. A few minutes later, my girlfriend calls, I pick up, and she says to me, "you're my hero". I don't actually get it until about three hours later.

The totality is that Myspace went down for one hour and thirty minutes. BUT, notice that they DIDN'T reverse any changes made by his code? Essentially Myspace went down to fix the flaw in their code. Had he simply made a perfectly legal writeup on the error and distributed it, the effect would be the same. They would still have to do the maintenance to fix the flaw. Therefore it could be argued that there was no loss to Myspace as a result of his actions.
 
Wow, with such stiff penalties, it's a wonder people even dare try such things! :rolleyes:

LOL True dat.

And then you find a 9 year old who downloaded a song from kazaa get nailed with massive fines and court dates... and is traumatized for the remainder of his computing life.
 
Hilarious log. Would've been better if 'friend requests' was actually money transfers :D
 
I must agree. I nearly died rolling on the floor laughing, I just hope no one noticed here at work.

He has a great attitude, I'm glad the judge saw it his way.


Personally, I don't like myspace, so this is even funnier to me (I can't stand people on my space trying to out-"cool" the other person, he hit the nail on the head with the Kanye West comparison). What's funny to me is that he actually had messages from girls who found him attractive out of all this, so it's not a bad payoff. I'm wondering if myspace is going to perhaps contact him in regards to a code exploiting position.
 