Posts from April 2009.

Dammit… Why didn’t anyone take me up on my bar bet?!

Wow. That was quick. Of course, this isn’t a copycat attack, but holy crap, is this kid’s 15 minutes up already? Sadly, Mr. Rowland is now learning the hard way that he may not have thought his cunning plan all the way through:

And, of course, Chris Boyd comes up with the most direct worm prevention technique.

Twitter, Mikeyy, exqSoft, and setting the wrong example

So, over the weekend Twitter was hit with not one, but two worms. “Mikeyy Mooney” wrote a worm to deface people’s profiles and cause compromised accounts to first promote his website, then promote himself. A bad weekend for Twitter indeed, but it has possibly turned into something worse for the Internet as a whole.

Word came out today that Mike (I refuse to call him by that insane double “Y” name) was hired by Travis Rowland, owner of a small company out in Oregon called exqSoft. Allegedly he’s going to be doing web development for them, but this move sends EXACTLY the wrong message: do a sufficiently splashy compromise, and get yourself a job.

I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However, rewarding this behavior is going to encourage copycat attacks, and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people. Chris Boyd (whose weblog you should definitely be reading) has done some work investigating these attitudes, and they are quite scary. There are thriving communities of kids who are scamming people out of HabboHotel and RuneScape credits, and who not only see nothing wrong with it but kind of see it as getting experience for later on in life. (Sadly, Chris’s archives seem to be wiped out, so I can’t provide links.) Some of Mike’s statements even reflect such an attitude:

“I’m really getting a bad reputation from it but at the same time people are taking into consideration that even though I did some harm I didn’t cause any damage,” he said.

When did it suddenly become “OK” to hijack people’s accounts? Have we really slid down the slippery slope enough that taking control of someone else’s “property” is fine as long as you don’t do anything *really* malicious? Also, whether or not “damage” was done is another thing entirely. How many non-security-savvy people completely freaked out over the weekend when they saw their Twitter account was posting random things? How many man-hours were wasted, not only by the Twitter staff, but by the thousands of people who were compromised and had to clean up their accounts in addition to making sure they weren’t compromised in some other fashion? How would Mike like to receive a bill for that?

Now, Mr. Rowland sees his hiring as a way of providing Mike a safe place to use his talents. You know, sort of like an online YMCA. At one point in my life I did agree with this sentiment, as there was no easy way to “break” things. However, this is not the case anymore. I am amazed at some of the utilities available today specifically designed to hone penetration and security skills. I see it as upping the ante for these groups. Seeing Mike get hired after he exploited Twitter is probably going to get a lot of gears turning along the lines of “Geez, if I do something similar to YouTube/Facebook/Hi5/MySpace, maybe I’ll get a job as well!”

When I finally made the decision to try to make the jump from an Information Security hobby into an Information Security career, I did have a similar conundrum: how do I get some, for lack of a better term, “street cred?” I’ll admit I started poking at websites looking for holes similar to the ones Mike found in Twitter, and finding them in the process. HOWEVER, and this is the key difference, I worked with the websites to fix the holes, rather than attempting to make the front page of the Technology section of ABC’s website. The closest I ever got to that was an article in InfoWorld about an anti-phishing application I wrote in my spare time. Not as exciting? Nope. A lot of work? Yup. Did it work? My current place of employment says “Yes”.

Of course, it isn’t all sunshine and puppies for Mike as he also got himself reamed a new one by a group who posted all his personal information online to Full-Disclosure. This might temper the rush of script kiddies trying to get their name in the press. However, I’d be willing to make a bar bet that we will see an uptick in “harmless” attacks against social media services like Twitter due to Mike’s hiring.

Ham radio? That’s not so 1950s? Well… I’ll give them an ‘A’ for effort…

An article from the Saginaw News from Saginaw, MI has been coming up on my Twitter feeds lately: “Ham radio? That’s not so 1950s”. I try not to read Ham Radio articles from the Mainstream Media, as they invariably seem to perpetuate the stereotype that Ham Radio operators are a bunch of elderly guys who still think digital watches are a big deal. However, I decided to give it a read.

Ham radio operators are tech-savvy.

OK… Good start…

“The idea that most everybody has is from the 1950s movies where they see somebody in the basement with a telegraphy key,” said Pat Mullet, public information officer for the Midland Amateur Radio Club.

“There are guys who still do that because they love playing with the old equipment,” he said.

Good… Good…

“But today we’ve got radios the size of a couple of VHS tapes, and they can reach around the world.”

“The size of a couple of VHS tapes?!?!” What?! We’re “tech-savvy” but we’re referring to a medium that’s not just one, but two generations out of date? Come on, there has to be a better comparison.

“But today we’ve got radios that are smaller than a laptop, and they can reach around the world.”

Or maybe…

“But today we’ve got radios smaller than an XBox, and they can reach around the world.”

Or he could have played a bit fast and loose with the truth and said…

“But today we’ve got radios that fit in the palm of your hand, and they can reach around the world.”

I know I am nitpicking. It’s a throw-away quote. Mr. Mullet might be involved in cutting-edge technologies and be doing stuff that I can only dream about. But when you’re dealing with something where you’re attempting to change the public’s opinion of Ham Radio, these little bits matter. If we try to make ourselves out to be “hip” and “with it” and then compare our hobby to 20-year-old technology, it rings hollow. These impressions matter, and if we want to attract people to our hobby we need to make it interesting, exciting, and dare I say, sexy.

The article then goes on to the standard spiel about how Ham Radio operators are our last best hope when everything goes to heck (God help us), how when you’re licensed you can talk to people around the world (unlike, say, the Internet), and stuff like the International Space Station (no smarmy comment here, nice one).

Any press is good press, they say, and getting the hobby out to the general public is a good thing, so props to the Midland ARC for getting coverage and getting a few juicy tidbits out there. However, we, as a hobby, need to work on some talking points covering the more “exciting” aspects of Ham Radio. We also apparently need to work on our comparisons.

Big changes in the Jackson household

Well, I haven’t updated here in a while, as I haven’t done much in the way of my hobbies recently. The cause for this is simple: on March 30th, at 6:52PM EDT, my son, Brady, made his arrival into this world.

Brady and Dad

Mom did great and the entire process took less than 6 hours. That was the easy part. Needless to say, these past few weeks have been all baby, all the time. This leaves very little time to play InfoSec and Radio. I have started to leverage the 3AM feeding into catching up on RSS feeds, and I still occasionally post to Twitter. I am also looking forward to going to NEARFest (sans Brady) at the beginning of May. However, there has been quite a shift of priorities for the foreseeable future.

I’ll leave it with another quote from Jeff Atwood, whose own son was born about two weeks prior to mine:

If you’ve been reading my blog for a while, I’m sure you know I will approach our new parenting adventure the same way I do programming — with absolutely no freaking idea what I’m doing. And often hilarious results.

Yup.