Friday, April 17, 2009

Hack a social network - Get a job

There's been lots of hoopla going around today about this Mikeyy Mooney character, and I have to say I find the whole situation incredibly irritating.

For those people who don't know, of which I doubt there are many, this 17-year-old recently hit Twitter with a series of XSS worms which move from one account to another. Just today, another one was supposedly released by him which is targeting popular users in an effort to spread faster.

The worm would post messages under your account along the lines of "Twitter, hire Mikeyy!" or "Dude, Mikeyy is the shit!". This has caused many people to wonder whether or not their account was compromised and their password stolen. Fortunately, the attack did not require stealing your credentials, so members' profiles remain safe. Or at least they will, once this worm has been eradicated.

Aside from the obvious damage of causing Twitter to spend many man-hours remediating this and correcting the vulnerability, I fear it has also damaged the InfoSec community and Web 2.0 community as a whole.

I could re-hash all of this, but I think Innismir put it very eloquently in a post on his blog:
Word came out today that Mike (I refuse to call him by that insane double "Y" name) was hired by Travis Rowland, owner of a small company out in Oregon called exqSoft. Allegedly he's going to be doing web development for them, but this move sends EXACTLY the wrong message: Do a sufficiently splashy compromise, and get yourself a job.

I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However, rewarding this behavior is going to encourage copycat attacks, and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people.

I completely agree with him here. I also fear a rash of copycat attacks from people hoping to prove themselves as l33t and get enough cred to land jobs. I just don't understand how someone could be so foolish as to say, "Hey, you know how you hijacked thousands of people's accounts, without their knowledge, without their consent, and never even thought to assist the site in fixing the problem once you exploited it? That was awesome! Here... have a job!"

To me, this is nothing short of ridiculous. I've known plenty of younger kids who have asked me about hacking and said they wanted to be hackers, and they always ask, "How many people's computers have you hacked? Could you hack my friend's computer for me?" I fear for kids like this. An example such as Mikeyy is just what we need to push them into doing the same things in an attempt to become 'cool' and 'popular'.

I have to say, though, as someone who is in his mid-20s and has aspirations for a nice career in InfoSec, I can kind of identify with this. It can be fun to poke at sites and maybe pull some XSS or CSRF tricks on your friends. It can be good practice, and sure, you can brag about how you made one of your friends post 'I <3 Hannah Montana' on your favorite message board.

But the one difference is that if I ever play around like this and actually exploit something or someone before reporting it, I have existing relationships with all the parties involved: the web admin, the tricked friends, etc., and they know me well enough to understand it was not malicious. Furthermore, when I'm done, I say, "Yea, that was neat, and oh, by the way, here's how you can fix this."

Something of this magnitude, however, is utterly unacceptable no matter what your intentions. What's even sillier is that after hiring Mikeyy, Travis Rowland had the audacity to say to one of the Twitter co-founders: "@biz hope u guys don't file lawsuit against him, hope u understand Mikeyy did u favor and could have compromised personal information."

I hope Twitter reads this and says to themselves, "Yea, he really did us a favor! Not only did he point out a security flaw to us, but he also gave us thousands of accounts which we now need to go clean up! Isn't he wonderful?" and then proceeds to take him to court in order to get reimbursed for all the time they've wasted cleaning up something which should never have happened in the first place.

Anyhow, I hope we see the end of this soon, and I hope the kid gets what is coming to him. I mean, this is a good start, at least if it's true that it actually happened to him, but I, for one, would like to see something a little more legal brought down upon his dumb self.