web application security lab

My Lunch With Samy

I just had a really interesting lunch meeting that lasted the better part of the day with Samy Kamkar and Matt Austin. If you aren’t familiar with the name Samy you should probably go read his story on releasing the most successfully virulent worm in the history of the Internet to date. Anyway, I met them and I got the whole story. Some of it is still a tad confidential, but most of it he authorized me to talk about. So here’s the whole story that he was willing to share.

He started off by explaining that he absolutely did not mean to write a worm of any sort. He actually wanted to do something very simple. He just wanted to change his relationship status on his MySpace page to say “In a hot relationship” instead of “In a relationship” as a joke for his girlfriend (which incidentally reminds me a lot of how I hacked my girlfriend). The very first comment out of my mouth was why he didn’t just use a div overlay with absolute positioning and he said only that he didn’t want to bother with pixel shifting and cross browser support. That seemed like more effort than it’s worth, so he tried to find some JavaScript injection to do the job. After toying around he figured out that you could do the expression exploit by breaking it up with newlines.

As a side note, he did NOT use my XSS Cheat Sheet to perform this part of the attack, despite my being convinced that he had (sorry if I misled anyone on this matter, but I wanted to set the record straight). He said he actually wrote a similar program to my fuzzer on his own and came up with it by himself - if it wasn’t already clear, he is a very smart guy. Sorry, anyway, back to the meat of the story.
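Before going on, here is an added illustration of the newline trick mentioned above. It is not code from the original post, from Samy, or from MySpace: the blacklist filter, the lenient normalization step and the sample payloads are all constructed here as assumptions to show the general failure mode, namely a keyword blacklist that runs on the raw input while the consumer discards newlines before interpreting the value, so the consumer sees a keyword the filter never saw. The hardened variants show the two usual fixes: normalize before filtering, or better, allowlist the URL scheme.

```javascript
// Added example, not MySpace's or Samy's code. Models why a keyword
// blacklist applied to raw input misses a keyword split by a newline.

// Hypothetical filter of the kind the post describes: reject any value that
// contains the literal string "javascript" (case-insensitive). Returns true
// when the value is allowed through.
function naiveBlacklist(value) {
  return !/javascript/i.test(value);
}

// Simplified assumption (not a browser spec) of how a lenient HTML/CSS
// consumer of the era treated the value: control characters, newlines
// included, were dropped inside a token before it was interpreted, so
// "java\nscript:" was read as "javascript:".
function lenientNormalize(value) {
  return value.replace(/[\x00-\x1f\x7f]/g, "");
}

// Hardened check: normalize first, then blacklist what the consumer would
// actually see. Closes the newline gap, but is still a blacklist.
function normalizedBlacklist(value) {
  return naiveBlacklist(lenientNormalize(value));
}

// Safer still: allowlist. After normalization only http and https URLs are
// accepted; javascript:, vbscript:, data: and anything unexpected fail.
// Relative URLs are rejected too, which suits a field meant to hold an
// absolute image URL.
function allowlistUrl(value) {
  const normalized = lenientNormalize(value).trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (!m) return false;
  const scheme = m[1].toLowerCase();
  return scheme === "http" || scheme === "https";
}

// Constructed payloads, shaped like the post's description: a URL-bearing
// value carrying a script scheme, with the keyword split by a newline.
const PLAIN_PAYLOAD = "javascript:alert(1)";
const SPLIT_PAYLOAD = "java\nscript:alert(1)";
const BENIGN_URL = "http://www.example.com/photo.jpg";

// Runs every check against one value and reports what each one decided,
// alongside the string the lenient consumer would end up interpreting.
function evaluate(value) {
  return {
    naiveAllows: naiveBlacklist(value),
    normalizedAllows: normalizedBlacklist(value),
    allowlistAllows: allowlistUrl(value),
    consumerSees: lenientNormalize(value),
  };
}

for (const value of [PLAIN_PAYLOAD, SPLIT_PAYLOAD, BENIGN_URL]) {
  console.log(JSON.stringify(value), evaluate(value));
}
```

Run it with node and compare the three rows: the naive filter blocks the plain payload but waves the split one through, while the consumer-side string is identical for both; the normalized blacklist and the allowlist block both payloads and only the allowlist is indifferent to whatever keyword or encoding trick comes next.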

So he modified the code simply to get his friends to add comments on his behalf. That was funny. Later he revised it to attempt to do POST requests to add himself as their hero. That too was funny, and you can read his site for the details on how the code actually worked for that part and how he had to deal with the cross-domain policy issues by forcing a redirection to another cname on MySpace. Samy is a funny guy. Samy doesn’t think this is wrong, because these are only his friends.

Then Samy writes the full worm, which actually takes some work to reduce it to the right size that can fit in the space he is allotted. He goes to bed thinking it might work with one or two people. He knew it was exponential, but he was thinking more like 2 people this month, 4 people the month after, and so on. I encourage you to re-read the saga he wrote on his page at this point as far as the timelines. He did inform the admins anonymously what was going on and told them a shortcut to fixing the issue in an attempt to stop the monster he had inadvertently created.

It took MySpace over 20 hours to fix it after he disclosed it to them, and the worm managed to infect more than one million users. He smiled and sat back in his chair at this point while telling me the story, and said that he was impressed at the notoriety he got as a result of it. I had to remind him that he had single-handedly written the largest worm in the history of the Internet - by a factor of 10. He laughed. Then I also reminded him that it was the single best example of an XMLHttpRequest-based worm out there. He smiled and nodded. Samy is clearly amused.

This, however, is when things started going bad for Samy. After over one million infections MySpace was taken off-line. The DA’s office got involved. Although MySpace was only tangentially interested in nailing Samy (for publicity’s sake from what he can tell) the DA’s office was far more interested (for their own publicity). At some point they actually began to follow him - for what they told him was about a two week period of time - before finally serving a warrant. The only amusing part of that story was that they had to tail his every move to watch his behavior. I guess it was a pain for them because he worked a lot of hours at that point and they were having to shadow him until late into the evening. Samy smirked at this - at least it hadn’t been all fun and games for them to screw with him.

They took all of his computers from his home and from his office (30 people in all, spread evenly across the two raids) and managed to scare the wits out of his girlfriend and his roommate. The prosecutor even said at one point that he had seen murder trials that had been handled less formally. How did they catch him? Instead of looking at his own profile (that had his home address on it) they tracked him down through a partial photograph of a license plate in a photo. Not exactly your high-tech sleuths working on that case, I’d say.

Samy eventually pleaded to a minor sentence, including some monetary restitution and one year’s probation where he can only use supervised computers for work. Samy openly said that, although it was great press and a lot of amusing things happened during the last two years since the code was released, it was clear he never meant to do anything like what had happened, and he would certainly advise anyone against doing something similar in the future. We also did talk about where he went wrong in the command and control infrastructure, where he could have used his own account as the single point for command and control, or other similar ideas. Samy admitted that there were probably a lot of things he could have done differently, not the least of which would have been not having released it in the first place.

So what was my take-away? I really don’t believe Samy had any criminally malicious intent. He’s a laid back guy, who is way too smart for his own good, who thought he might have a little fun with his friends. It was far more of a practical joke than anything malicious in his eyes, it’s clear to me now. In the aftermath, he and Matt are a couple of great guys to grab beers with, both of whom I’ll definitely keep in touch with, and if all goes well I think there may be some interesting stuff in the future there, as there are a lot of ideas pent up in that brain of his, and while he can’t use a computer, there’s a lot left to talk about. I’ll keep you all posted.

16 Responses to “My Lunch With Samy”

  1. Awesome AnDrEw Says:

    I’m always amazed at the real detective work these agencies engage in when the evidence is clearly in front of them. It’s like an incident that happened to my girlfriend back in her highschool days when she exchanged some rather insulting words with another girl over instant messenger, and was then told by an officer who had called her down to the principal’s office that they wouldn’t have found her had the girl not already known who she was, because “they searched for her profile on AOL, and found nothing” to which she replied, “that’s because it’s an AIM account”. Oh the memories.

  2. tx Says:

That seems to be pretty much the impression I got from reading his account of things http://namb.la/popular/tech.html

    of course, we must remember the most important result out of all of this: Samy’s popular!

  3. Awesome AnDrEw Says:

    By the way, how did you get in touch with him (not that I want to personally, but just curious)? Do you go for lunch with any other eCelebrities? I’m always up for a burger ;).

  4. RSnake Says:

    Matt introduced us since Samy can’t use a computer for anything other than work. But yah, I’m always up for meeting people who know their way around a computer or at least are fun to chat with over a beer.

  5. quadszilla Says:

    Dugg.

    http://digg.com/security/Lunch_With_1_000_000_Friend_Myspace_Worm_Sammy

  6. RSnake Says:

    Thanks, quadsz!

  7. chillervalley Says:

    Hell, this guy rocks… while reading I imagine him sitting there, lazy and all cool, smiling all the time, not really knowing what shit he has done, but hell, he rocks.

    So RSnake, you can have a beer with me too. Just come to Austria (it’s in Europe, not that country with the fucking kangaroos! We have the cows! ;-) )

    so long

  8. Bubbles Says:

    Damn Quad, I wanted to submit this to digg :)

  9. SW Says:

    I still don’t get how he can be charged because he entered some letters and symbols into a textbox where he was supposed to. MySpace choose to eat up the data and spew out a worm. Bullshit IMO.

    He sounds like a cool guy. Must suck to be cut off from computers for that, though maybe it would actually be a blessing in disguise. *rethinks getting someone in Asia to start off the next worm*

  10. Awesome AnDrEw Says:

    I’m sure it’s not exactly the most entertaining thing to be hit by the FBI party van, or have to pay fines.

  11. thrill Says:

    Hmm.. supervised use of computers.. what if he’s working for a Security oriented company and part of his job is to write down all these ideas he has pent up in his head?

    –thrill

  12. Andrew Says:

    “I still don’t get how he can be charged because he entered some letters and symbols into a textbox where he was supposed to. MySpace choose to eat up the data and spew out a worm. Bullshit IMO.”

    So if someone makes a malformed HTTP request that causes a buffer overflow and compromises a web server, they can’t be held responsible because “hey, you’re supposed to send requests to web servers. All they did was send some letters and symbols!”

    Only in a perfect world, where all applications are totally secure, does your argument make sense. In this world, however, security is always going to be imperfect.

  13. Tribute Says:

    Was it just coincidence that Myspace was down for most of the day that this article was posted?

  14. SW Says:

    @ Andrew: “So if someone makes a malformed HTTP request that causes a buffer overflow and compromises a web server, they can’t be held responsible because “hey, you’re supposed to send requests to web servers. All they did was send some letters and symbols!”

    Only in a perfect world, where all applications are totally secure, does your argument make sense. In this world, however, security is always going to be imperfect.”

    All they did was send some data. The server chose to 1) accept connection, 2) eat up the request, and 3) not filter it and cause itself problems.

    I don’t see how we can legitimately regulate this. “You can send ‘javasnipt’ but if you send ‘javascript’ we are going to sue you because our server compromises itself!!”

    Security doesn’t have to be imperfect. A shitty way of trying to make everything secure is to punish people who are smart enough to find holes and use them to their benefit.

  15. Jason Says:

    That rocks! His source code story was funny… seems like a nice kid. :)

  16. Kyran Says:

    I dunno.
    Do nice kids watch Nip/Tuck?
    Besides, burgers are a much better snack than burritos.