Friday, February 02, 2007

Samy pleads guilty

As reported by SC Magazine, "The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking."

What Samy did was wrong, and whether he meant to or not, it caused damage. The good thing is his sentence doesn't look outrageous, as has been seen in other cases: some probation and restitution. He'll be able to get on with his life, but it doesn't look good on a resume, that's for sure. Maybe in a couple of years we'll see him at a Defcon or BlackHat starting a consultancy like Kevin Mitnick. :)

5 comments:

Eric said...

I caught this story Friday and I have to say I was outraged at how asinine the entire ordeal is. I'm mostly aggravated with MySpace. They've labeled Samy, as well as his actions, as criminal.

What's worse is the judicial system allowed this to go through the court system when there really was no damage to MySpace, nor any user. I think the government is reverting back to the level of ignorance seen in '95 with the Mitnick fiasco. Nice comment on the consultancy though ;)

http://www.hamsterswheel.com

Jeremiah Grossman said...

I've been hearing people comment that Samy didn't do damage, but I believe he did. 24 hours of downtime for a website that makes all its money on advertising is significant. Not to mention all the database clean-up.

> Nice comment on the consultancy though ;)

It always turns out the same. :)

Ian said...

When I first read that Samy was being prosecuted, I had the same reaction. I mean, what he did was something akin to a simple prank that he lost control of, not something that merits this kind of punishment.

However, after thinking about the situation, I have to agree that what he should have done was responsibly disclose the vulnerabilities he found, not exploit them. Just because MySpace is (among other things) an extremely poorly engineered system from a web application security standpoint doesn't mean that anyone has the right to bring down the entire service with a worm, no matter how well-intentioned and innovative that worm may be.

dre said...

fine. let's pretend (and lie to ourselves) that samy didn't try disclosing this responsibly first without it falling on deaf ears.

let's even pretend that samy knew exactly what his worm was going to do when he wrote/released it. myspace allows user-submitted XHTML/DHTML. they could say anybody caused downtime if their application ate it for 24 hours and they had to "clean up their database".

oh wait. i forgot that myspace has "strong javascript filters". samy's worm was basically like breaking down a drawbridge, right?

GO LOOK AT THE CODE.

let's pretend that samy made money off this. let's also pretend he works for the largest underground online criminal organization this world has ever seen.

my question is: does the punishment fit the crime? even under the worst of circumstances?

think of this again: 3 years probation (during which time he cannot use a computer except for supervised work), 90 days community service, plus restitution, fines, legal fees, et al. talk at blackhat? somehow i doubt that he will ever (well, at least not in 3 years) be able to associate with blackhat people again. unless he wants somebody to open a new investigation into his everyday life and harass him.

if you ask me, this has nothing to do with damage from the samy worm. this has everything to do with myspace threatening the vulnerability research community (also see myspace+godaddy take down seclists.org). it could have to do with something else as well, such as http://www.phenoelit.net/lablog/Irresponsible.sl which could have easily been samy since he has worked with lance james and others in the dachb0den / securescience / san diego 2600 scene.

in any case, i see it as demoralizing for both web application vulnerability research and full-disclosure. i guess only legitimate researchers that make lots of money such as yourself get to enjoy the fruits of labor given to you by true hackers (and all-around good people) such as samy.

Anonymous said...

I am surprised and not surprised. Samy did not do any serious damage to MySpace, but MySpace gave him a harsh sentence. MySpace deceived and abused the legal system by having very selfish lawyers. Large companies have good lawyers. If he had put a similar "virus" on other, smaller websites, he would probably not have gotten into trouble.

Many people are ignorant about Samy's virus, since they think that Samy caused serious damage, but he actually did not. Yes, the government is also very ignorant about it and other technical stuff. These kinds of things happen all the time from the ignorance of the judicial system.

Why should Samy waste his time finding and reporting that bug? Does MySpace reward people for reporting its bugs? He is not an application vulnerability researcher working for MySpace. He would not have reported that bug in the first place if he knew it would cause serious damage.

I cannot see the point of coding "secure" web applications when the website can punish people for hacking. We all cannot make insecure web applications and punish people like MySpace does. Only rich companies can make insecure web sites.