So, over the weekend Twitter was hit with not one, but two worms. “Mikeyy Mooney” wrote a worm to deface people’s profiles and cause compromised accounts to first promote his website, then promote himself. A bad weekend for Twitter indeed, but it has possibly turned into something worse for the Internet as a whole.
Word came out today that Mike (I refuse to call him by that insane double “Y” name) was hired by Travis Rowland, owner of a small company out in Oregon called exqSoft. Allegedly he’s going to be doing web development for them, but this move sends EXACTLY the wrong message: Do a sufficiently splashy compromise, and get yourself a job.
I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However, rewarding this behavior is going to encourage copycat attacks, and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people. Chris Boyd (whose weblog you should definitely be reading) has done some work investigating these attitudes, and they are quite scary. There are thriving communities of kids who are scamming people out of HabboHotel and RuneScape credits and not only see nothing wrong with it, they kind of see it as getting experience for later on in life. (Sadly, Chris’s archives seem to be wiped out, so I can’t provide links.) Some of Mike’s statements even reflect such an attitude:
“I’m really getting a bad reputation from it but at the same time people are taking into consideration that even though I did some harm I didn’t cause any damage,” he said.
When did it suddenly become “OK” to hijack people’s accounts? Have we really slid down the slippery slope enough that taking control of someone else’s “property” is fine as long as you don’t do anything *really* malicious? Also, whether or not “damage” was done is another thing entirely. How many non-security-savvy people completely freaked out over the weekend when they saw their Twitter account was posting random things? How many man hours were wasted, not only of the Twitter staff, but of the thousands of people who were compromised and had to clean up their accounts in addition to making sure they weren’t compromised in some other fashion? How would Mike like to receive a bill for that?
Now, Mr. Rowland sees his hiring as a way of providing Mike a safe place to use his talents. You know, sort of like an online YMCA. At one point in my life I did agree with this sentiment, as there was no easy way to “break” things. However, this is not the case anymore. I am amazed at some of the utilities available today specifically designed to hone penetration and security skills. I see it as upping the ante for these groups. Seeing Mike get hired after he exploited Twitter is probably going to get a lot of gears turning along the lines of “Geez, if I do something similar to YouTube/Facebook/Hi5/MySpace, maybe I’ll get a job as well!”
When I finally made the decision to try to make the jump from an Information Security hobby into an Information Security career, I did have a similar conundrum: How do I get some, for lack of a better term, “street cred?” I’ll admit I started poking at websites looking for holes similar to the ones Mike found in Twitter, and finding them in the process. HOWEVER, and this is the key difference, I worked with the websites to fix the holes, rather than attempt to make the front page of the Technology section of ABC’s website. The closest I ever got to that was an article in InfoWorld about an anti-phishing application I wrote in my spare time. Not as exciting? Nope. A lot of work? Yup. Did it work? My current place of employment says “Yes”.
Of course, it isn’t all sunshine and puppies for Mike as he also got himself reamed a new one by a group who posted all his personal information online to Full-Disclosure. This might temper the rush of script kiddies trying to get their name in the press. However, I’d be willing to make a bar bet that we will see an uptick in “harmless” attacks against social media services like Twitter due to Mike’s hiring.