Samy, where are you from, how old are you, and what do you do for a living? Please tell us a little bit about your background.
I’m from all over. I was emancipated at 16, got out of high school, moved out, and began a life as a playboy/software developer. It was a great concoction. I had already written some notable software when I was younger that I had released which got me job offers pretty easily. I’m now 19, turning old, and working hard while enjoying life.
Could you describe the approach to the worm you wrote? It was Ajax making use of a MySpace security hole, right?
The basic approach was this:
Which browsers did the worm work with?
I only tested it with Internet Explorer on Windows and OS X. It seemed to work on both, however I didn’t test it very much because I wasn’t that concerned whether it would really work or not. I tried it on Safari on OS X, however it didn’t seem to work. To my surprise, I saw later that day that my girlfriend became infected even though she only uses Safari, although an older version.
I spent an hour or two a day trying to do something new on MySpace for about a week. After one week, I put a few of the things developed into one big piece and had the resulting worm.
I’m sure you were surprised by the success of your worm. Did you realize from the beginning that the spread would be exponential?
It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly. When I saw 200 friend requests after the first 8 hours, I was surprised. After 2000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.
Did you tell your girlfriend about this whole thing? How did she react?
Once I had hit a few thousand friend requests, I got a bit worried. Instinctually, I wanted to see her in case anything would happen to me, but I tried to keep it humorous at all times. I had lunch with her and told her that I might be going away for a long time due to my overnight celebrity status. I told her it’s not easy being famous, and she just laughed. I was ecstatic with the success of it, but worried at the same time. She thought the whole thing was pretty funny, though risky.
Has anybody from MySpace contacted you yet?
No one from MySpace has contacted me. The only contact I have gotten so far was each automated email from MySpace telling me I had a new friend request. Oblivious to what was happening, MySpace would send an email to my personal account each time a friend tried to add me, whether it was intentional or through the worm. I consider the hundreds of thousands of emails in my Inbox from MySpace equal payback for the profiles that were modified.
Do you think the security issue could cause harm on popular sites other than MySpace?
What was first – the idea to find a way to become the most popular man on MySpace, or your uncovering of the security hole?
First was discovering the hole. The only reason the attempt to discover a hole was even made was so that I could customize my profile a little more than other people could.
What do you think of MySpace anyway? I once read someone suggesting the site had a certain “ghetto appeal” because of its freestyle HTML layouts...
I was never really into MySpace until a few months ago. Enough of my friends had started using it that I thought it would be nice to get in touch with other friends that I may have lost touch with. I created a profile, found many old friends, and rediscovered fond memories with them.
It is true that many people go overboard with their HTML layouts, and I believe that such “yellow on blue” page layouts cause much more damage in the long run than my worm did.
Nevertheless, I think MySpace is a great service. It’s always been free and has been a pretty useful networking tool for lots of people. Although it has ads, they do need a way to make money to keep it up, and it isn’t riddled with very intrusive ads or popups, so I’ve never had any animosity or negative feelings about it. In the end, it’s really up to the user to shape the site, but the team behind it has really built something useful, if the user base doesn’t tell you that already.
Once you realized the worm was spreading so quickly, did you feel like stopping it... and could you have done that in the first place? For example, could you have disabled your MySpace account to block further spreading?
Your code is on the lines of a prank, but did the thought cross your mind to insert something else into other people’s pages than just that line?
Not at all. I mean, sure, “free samy” came into my head the second I started getting worried, but all I wanted was a little fame among my friends.
They’re already selling “Samy is my hero” t-shirts. What do you think of that?
Is this your first attempt at creating a worm, or to create a hack of some sort? What else did you try in the past?
I’ve never created a worm or planned to in the past. However, I have been interested and involved in security related projects, but nothing usually ever too intrusive.
Probably the closest thing to this that I’ve done in the past was a few years ago when I modified a ham radio to be able to transmit on restricted frequencies. I found a frequency used by a chopper that was giving a live weather/traffic forecast and I happened to transmit over them, stating something short and humorous. It was broadcast live on a very popular radio station, and my guilty conscience kicked in and I decided to stay away from radio-related electronics for a while. I only listened to CDs for quite a while after that.
If you’re not online, what are you doing?
Like any geek trying to avoid the stereotype, I’m either spending time with my girlfriend and friends, stunting and performing asinine tricks on motorcycles, or fleeing to Mexico.
What kind of websites are you visiting? Can you give us some URLs?
Scientific and technology oriented sites are my favorites.