I just had a really interesting lunch meeting that lasted the better part of the day with Samy Kamkar and Matt Austin. If you aren’t familiar with the name Samy you should probably go read his story on releasing the most successfully virulent worm in the history of the Internet to date. Anyway, I met them and I got the whole story. Some of it is still a tad confidential, but most of it he authorized me to talk about. So here’s the whole story that he was willing to share.
As a side note, he did NOT use my XSS Cheat Sheet to perform this part of the attack, despite my being convinced that he had (sorry if I misled anyone on this matter, but I wanted to set the record straight). He said he actually wrote a similar program to my fuzzer on his own and came up with it by himself - if it wasn’t already clear, he is a very smart guy. Sorry, anyway, back to the meat of the story.
So he modified the code simply to get his friends to add comments on his behalf. That was funny. Later he revised it to attempt to do POST requests to add himself as their hero. That too was funny, and you can read his site for the details on how the code actually worked for that part and how he had to deal with the cross-domain policy issues by forcing a redirection to another cname on MySpace. Samy is a funny guy. Samy doesn’t think this is wrong, because these are only his friends.
Then Samy writes the full worm, which actually takes some work to reduce it to the right size that can fit in the space he is allotted. He goes to bed thinking it might work with one or two people. He knew it was exponential, but he was thinking more like 2 people this month, 4 people the month after, and so on. I encourage you to re-read the saga he wrote on his page at this point as far as the timelines. He did inform the admins anonymously of what was going on and told them a shortcut to fixing the issue in an attempt to stop the monster he had inadvertently created.
It took MySpace over 20 hours to fix it after he disclosed it to them, and the worm managed to infect more than one million users. He smiled and sat back in his chair at this point while telling me the story, and said that he was impressed at the notoriety he got as a result of it. I had to remind him that he had single-handedly written the largest worm in the history of the Internet - by a factor of 10. He laughed. Then I also reminded him that it was the single best example of an XMLHTTPRequest-based worm out there. He smiled and nodded. Samy is clearly amused.
This, however, is when things started going bad for Samy. After over one million infections MySpace was taken offline. The DA’s office got involved. Although MySpace was only tangentially interested in nailing Samy (for publicity’s sake, from what he can tell), the DA’s office was far more interested (for their own publicity). At some point they actually began to follow him - for what they told him was about a two-week period of time - before finally serving a warrant. The only amusing part of that story was that they had to tail his every move to watch his behavior. I guess it was a pain for them because he worked a lot of hours at that point and they were having to shadow him until late into the evening. Samy smirked at this - at least it hadn’t been all fun and games for them to screw with him.
They took all of his computers from his home and from his office (30 people in all, spread evenly across the two raids) and managed to scare the wits out of his girlfriend and his roommate. The prosecutor even said at one point that he had seen murder trials that had been handled less formally. How did they catch him? Instead of looking at his own profile (that had his home address on it) they tracked him down through a partial photograph of a license plate in a photo. Not exactly your high-tech sleuths working on that case, I’d say.
Samy eventually pleaded to a minor sentence, including some monetary restitution and one year’s probation where he can only use supervised computers for work. Samy openly said that, although it was great press and a lot of amusing things happened during the last two years since the code was released, it was clear he never meant to do anything like what had happened, and he would certainly advise anyone against doing something similar in the future. We also did talk about where he went wrong in the command and control infrastructure, where he could have used his own account as the single point for command and control, or other similar ideas. Samy admitted that there were probably a lot of things he could have done differently, not the least of which would have been not having released it in the first place.
So what was my take-away? I really don’t believe Samy had any criminally malicious intent. He’s a laid-back guy, who is way too smart for his own good, who thought he might have a little fun with his friends. It was far more of a practical joke than anything malicious in his eyes, it’s clear to me now. In the aftermath, he and Matt are a couple of great guys to grab beers with, both of whom I’ll definitely keep in touch with, and if all goes well I think there may be some interesting stuff in the future there, as there are a lot of ideas pent up in that brain of his, and while he can’t use a computer, there’s a lot left to talk about. I’ll keep you all posted.