From Infamous Myspace Wormer to Open Source Advocate

November 25, 2019 • Monica Todros

If you are of a certain age — an age where you may have spent a good bit of your time online using Myspace — you may recall an incident with the Samy worm, which in 2005 spread through Myspace so quickly and uncontrollably that they had to temporarily shut the service down to regain control. It was, by all accounts, a prank that got out of hand, but the authorities were not amused, and Samy Kamkar, who wrote the worm, was eventually sentenced to probation, community service, and a hefty fine.

Since then, Samy Kamkar has set his sights on security research, with a specific focus on open source software. We caught up with Samy at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C., where he was delivering one of the keynote presentations.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 135 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

If you are of a certain age — an age where you may have spent a good bit of your time online using Myspace — you may recall an incident with the Samy worm, which in 2005 spread through Myspace so quickly and uncontrollably that they had to temporarily shut the service down to regain control. It was by all accounts a prank that got out of hand, but the authorities were not amused, and Samy Kamkar, who wrote the worm, was eventually sentenced to probation, community service, and a hefty fine.

Since then, Samy Kamkar has set his sights on security research with a specific focus on open source software. I caught up with Samy at Recorded Future’s RFUN: Predict 2019 Conference in Washington, D.C., where he was delivering one of the keynote presentations. Stay with us.

Samy Kamkar:

It started really early on. I was nine or 10, and my mom got me a computer. And initially I jumped on, and we got the internet. We dialed up onto her school’s network. As soon as I joined a chat room on IRC, someone told me to get out and I said, “No.” And a few seconds later my computer crashed. I got a blue screen of death. And I thought immediately that was the coolest thing ever and wanted to learn how to do that. How can I do that? How can I understand how that works? How can I stop that? How can I create it?

So I immediately got fascinated with the ability to really manipulate a system that I had little information on. I thought that was just super interesting, especially because it was a real world system. It’s something someone actually affected or could have affected, really done some impact, and that just seemed really intoxicating.

Dave Bittner:

And so where did it go from there? How did those explorations proceed?

Samy Kamkar:

I started learning about denial of service tools. I didn’t care about denial of service so much, that doesn’t seem interesting to me, but really manipulation of a machine. I think being able to access data or just doing something like opening someone’s CD-ROM just seemed like a lot of fun. How can I do that across the internet on someone who’s not expecting it?

So that’s when I started to realize, oh, I need to learn how to program. I need to learn how to reverse engineer, and understand memory manipulation, and packet sniffing. And so I really got into reverse engineering at that point.

I also, as a teenager, played a lot of video games, so it fed into that a lot as well. So I was playing multiplayer video games, first-person shooters, and I was trying to see, can I use reverse engineering skills in order to give myself unfair advantage in video games? And then I started writing cheat software. So I was writing cheat apps for Counter-Strike and other games to really just give me a super unfair advantage. But I’d make those open source because I think programming also became really fun to me as well. In the beginning it was a means to an end, but it was also fun to do.

Dave Bittner:

When you look back on it, what was setting your moral compass, your limits on what you would and would not do? As a teenager, I think most of us probably look back and think we probably had a little more moral flexibility than we do as adults.

Samy Kamkar:

Yeah, definitely. I don’t know where it came from, but I definitely had some feeling in general of, I wouldn’t want to do something to somebody that I wouldn’t want done to me. And I may have been a little more flexible back then where I’m like, “Well, other people can write cheat software too, so … ”

Where now I might not release game cheat software, I don’t think that’s the end of the world, but always definitely felt maybe a reciprocity or some sort of, yeah, I guess, reciprocal or quid pro quo type feeling. And that I think has often, well always, pretty much guided me into not going too down in a dark, dark side.

Dave Bittner:

Yeah, yeah. Well, I mean, I think it’s fair to say you first gained public attention due to the Samy worm. Take us through where did the idea for that come from and how did that play out?

Samy Kamkar:

Yeah, so this was 2005. It was the height of Myspace. Myspace was the number one site on the internet at the time. I was 19 years old and was just playing around on Myspace. I mean, my friends all had Myspace, so I thought I’d make an account. And I just wanted to see what could I do to my account that would just make it a little more interesting than other people’s?

And that’s when I started playing around and seeing, okay, is there a way that I can execute code? Can I at least execute JavaScript code on my profile? And Myspace and the browser would block that until I found some ways to escape that. And once I was escaping it and had to get through some other roadblocks, then I found, okay, well what can I do with this JavaScript? What can I make it do? Maybe I could make it add someone as a friend, so if they visit my profile, they add me as a friend. Maybe I could make it update their profile. So if you visit my profile, it would modify your profile, and it would append, “But most of all, Samy is my hero,” to your profile.

I just thought these were funny things, just a prank, and I just wanted to show off to a couple of friends. But it never really spread. So I thought, okay, it never hit more than one or two people. I had a new profile and didn’t know many people on there, so how do I make this spread a little faster? I thought, okay, I can make you add me as a friend and add me as a hero, couldn’t I just copy the code to your profile? So if someone visited your profile, they would add me as a friend, add me as a hero. And I tried that, and I launched it one night, and thought I would wake up with 10 new friends, and I woke up with 10,000 new friends.

Dave Bittner:

Oops.

Samy Kamkar:

Yeah, it was a very big oops moment. Unfortunately, I have several oops … Yeah, yeah, it was a recurring feeling in my life of, ah, my heart just sinks into my stomach, and I’m like, “I’m an idiot.”

Dave Bittner:

Was that the feeling you had, though? I mean, did you have that warm flush over you, like, “Oh”?

Samy Kamkar:

It was like, oh yeah, no, of course. It was like an “of course” moment, but maybe not … I just had no idea it would proliferate so quickly. I knew it was technically a worm, but I just had no idea of the magnitude of Myspace at the time. I didn’t know it was the number one site. It was just something a couple of my friends used. It was a social network. It was not really something important to me.

Dave Bittner:

At its core, it seems like it was really a prank. You were not stealing credit cards or destroying profiles or anything like that, but I suppose Myspace, and then later on law enforcement, were not so amused.

Samy Kamkar:

So yeah, within a day over a million people were infected. Ultimately, Myspace had to shut down in order to remove the worm. I later heard from some people who worked there that apparently they were deleting it from the database, but it was spreading faster than it could be deleted from the database side. So they had to shut down, remove it entirely, and only then bring it back up.

And yeah, it was six months later that I got a visit from the Secret Service and LA DA, actually someone from Recorded Future, Levi, who was actually a great guy. He was actually super friendly the entire time. I actually enjoyed talking to … He was the one person I actually enjoyed talking to back then, even during that event.

Dave Bittner:

Well, I mean, bring us up to date then. I mean, what has happened in the interim? You’ve had many projects you’ve been involved with, and what are you up to these days?

Samy Kamkar:

Yeah, I started a physical access control company called Openpath. I’ve released a lot of exploits in physical access control, so the ability to copy, clone, simulate cards, RFID cards that we use to get into buildings. I’ve demonstrated attacks on RFID as well for automobiles, how to unlock a vehicle and start the ignition wirelessly, and then be able to drive it away, someone else’s vehicle. And all of those are due to insecurities in basic RFID technology.

So this company is primarily a way to create a very secure way of getting into buildings just using your phone rather than using cards. And around that I continue to do research because I’m trying to understand, well, what are the other modern, let’s say, access control methodologies, whether it’s for vehicles, whether it’s for businesses, or buildings, or whether it’s just devices, our phones and laptops.

I’m really just curious how they work, and how can we exploit them? What are the things that we haven’t figured out yet or what are new attacks that are coming on the horizon just simply because devices, hardware, tools to investigate things are becoming more and more inexpensive? Where five or 10 years ago, a tool like an oscilloscope would have been thousands of dollars, where now it’s hundreds of dollars, or a powerful computer would have been hundreds of dollars where now you buy a Raspberry Pi for $35. So I think just the low cost of everything has also made things really interesting, and it also allows people to employ sophisticated attacks, but much more easily.

Dave Bittner:

Where do you think things stand today when it comes to responsible disclosure? When you discover some sort of vulnerability and you go to a manufacturer, do they greet you with open arms? Do they ignore you? What typically happens?

Samy Kamkar:

It’s interesting. I think if I’m finding a vulnerability that’s specific to a manufacturer, yeah, I’ll typically go to the manufacturer and let them know. Some are open, some are not. But I’m personally typically not looking for vulnerabilities in the manufacturer, I’m trying to find vulnerabilities in protocol, something that we all widely agree this is just the way things are. That’s the way our TCP/IP stack works. There’s no manufacturer of the TCP/IP stack. It’s just Microsoft, Apple, everyone who has an operating system, Linux, they’ve all implemented things based off an RFC, and that’s just the code. That’s what we build our things off of.

I’m more interested in finding attacks on those because no one has done anything wrong. It’s harder. I think to me, it’s just a lot more interesting because, A, it’s a lot more difficult to protect. Why that’s more interesting, I don’t know. It just is. I think I find it a lot of fun when you can find something and you say, “Oh, well, there’s not really a good solution to this.” There’s no one to blame. The technology is difficult. Security is extremely difficult. And it’s a lot more fun when you can find something in that base layer and that fundamental … Maybe a law that we all thought would be a good implementation, how can we just exploit that in a way that just breaks it entirely? I think that’s kind of cool.

Dave Bittner:

Yeah. What is your process? When you set your sights on something, when you’re looking to go through, dig in, and explore something, how do you set that?

Samy Kamkar:

That’s a question I get a lot, and I think what’s interesting is that I’m not trying to break something. All I’m trying to do is understand how things work. That’s how I spend my time. I don’t necessarily try to find a vulnerability. I’m not saying I’m going to look at a car, I’m going to look at how our key fob communicates with the car. I’m just saying I have a car or my friend has a car, and actually my friend has a car that got broken into, and that got me interested in, like, how do cars work? How does the key unlock? How does it unlock when you go up to the car? You just pull the handle and it just opens without you doing anything. How does that work? And then I saw, oh, there’s some wireless communication. Well, if there’s wireless communication, what’s limiting me from being only two meters away? Why can’t I be 10 meters away? Oh, it looks at the signal strength. Well, how can I amplify that signal strength? Can I just build a transceiver that amplifies it? Oh, yes I can. So now it can be miles away. Okay, interesting.

So it’s really just learning how something works, and then just poking at it, prodding at how things work, and that’s when you start to find the issues when things break down.

Dave Bittner:

But I mean, do you have any insights … In your introspective moments, do you wonder why is it when you’re looking at things that many other people have looked at, how are you coming at it from a different point of view? Is it a different type of creativity that you have to imagine things in a different way than perhaps other people have?

Samy Kamkar:

I don’t know. I don’t necessarily know how other people think. But I do know I didn’t have the same path as other people. I dropped out of high school. I didn’t actually go to any school after that, so I think my lack of knowledge has made me learn things a different way. So simply it’s just a different way of looking at it, there’s no right or wrong way of looking at things.

But I think maybe a lot of people learn with the same techniques. They learn with the same base layer of knowledge if you go through school in any subject or area. Where I have no idea what I’m doing, I’m really just picking and prodding at things. And so I don’t learn the fundamental rules or things that are instilled early on, so I have to learn those myself.

But I think there are a lot of assumptions in those things that we learn. So if I don’t have those assumptions to begin with, then I have to figure this stuff out myself. And then looking at other areas that I just don’t understand that other people do. So I don’t know, I pick and prod at those more.

Dave Bittner:

How nice to have the ability to do that, to have the time, to have the resources to be able to explore those things that you find interesting.

Samy Kamkar:

Yeah, I mean, I’m super fortunate. However, I would definitely like to share that anyone can. I was a kid just learning stuff in my free time, and anyone has the resources available, and we have more resources available today than we did a long time ago. So anyone can go online and just start reading stuff. Even if you’re not going to school, there’s open source textbooks now just for all sorts of subjects.

One, I think it’s Rice University created something called the OpenStax, where you can just download a chemistry textbook, entirely open, and that’s constantly being updated. They’ve been doing that for 20 years now. So there’s a lot of information available, freely available. In the U.S., you can access a library for free, so I think that’s the cool thing.

The thing that’s important to me is low cost. All of my tools are open source. I make everything freely available because that’s how I learned. I didn’t have a lot to purchase. When I was younger, I had a computer, and that’s all I needed. And I was fortunate to have a computer, I’m very fortunate for that. I think if you have access to a computer just by going to a library, that’s actually what I did before I had a computer, I would go to the library, that’s really all you need to start learning.

Dave Bittner:

I want to switch gears a little bit and talk about threat intelligence and get your take on how organizations are using that and the part that you think it plays when it comes to defenses.

Samy Kamkar:

Yeah, I mean, I think it’s super interesting just because you can really, from threat intelligence, you can learn how your organization is being exploited. I think that’s probably the most interesting thing to me.

What I’ve learned is that most organizations have already been hacked. Something has already been exploited. And the challenge is really understanding … Probably one question I’ve had most of my life is how many things have really been broken into? If you take an organization or you just take some set of machines and systems, maybe it’s 100 computers, what percentage of those have actually been attacked successfully? I don’t know. I don’t think anyone knows. Because I know when I was younger and I was attacking things, I would be able to get into something and no one knew and no one ever found out in many cases.

So how has that continued? And if that has happened for so many years, where else? People can get further and further into a network, especially once you’re on a single system in a network, it’s much easier to escalate privilege within that network. You’re already within a trust boundary. So being able to do more and more and more, I mean, how many people are able to actually write code and inject back doors into software we all use?

There was a backdoor that was inserted into Linux kernel many, many years ago, and it was caught very, very quickly by an astute observer. It was literally a single character that was missing that caused an equal zero to become an equal zero, which gave someone a user permission of root. But how many of those are actually out there from these?

So I think it’s really interesting to see the threats that are actually occurring in the landscape and then being able to use that and identify, oh wow, this could be happening to our organization because we’re actually running the same type of software. We’re running the same type of system. So yeah, I mean, I think it’s very important.

Dave Bittner:

It’s interesting to me, too, that it seems as though by necessity, more and more software is being written with building blocks and with Legos. You’re taking open source components, or you’re buying components, and writing from scratch, it’s really not practical, and why do that when you have these components that are available? But you’re a real advocate of open source, what are the benefits that you see people being able to enjoy through the use and availability and sharing of open source software?

Samy Kamkar:

I mean, the first, as you said, it doesn’t necessarily make economic sense to spend all your resources building something that has already been built. If you can do it better, then it might make sense, or perhaps you can spend that same time contributing to an existing project in order to improve that.

I think one of the issues with building something, and not to say that there’s anything wrong with closed source proprietary tools, however the bent of what I found over time is that a proprietary tool and an open source tool both come out, let’s say, around the same time, and they both work very well. However, the proprietary tool is harder to reverse engineer, so it’s not impossible, of course we can reverse engineer anything, but it’s harder, so it takes longer.

So both of these tools are moving forward, gaining more users, gaining more traction. And the open source one is easy to inspect, easy to investigate, and then people are finding issues with it. So those issues get reported because it’s open source, and then those issues get resolved, some issues don’t get reported, but that happens.

Then later on these tools are both growing and growing and growing. The open source one has had the advantage of people inspecting and poking and prodding and then finding vulnerabilities and then reporting it and fixing it. However, the closed source one has not. And then at some point in the future there is a vulnerability found. It just took a lot longer because you had to reverse engineer the binaries. And when it is found, well, now you have a much wider user base than you did.

This happened, for example with the MIFARE key cards which are used actually everywhere. Every hotel you go to, you’re using a MIFARE key card. And those are also used in all sorts of public transport in the U.S. and Europe, the Oyster card, just massive, massive, massive. And that was a closed source, closed crypto, that was ultimately broken many, many, many years later because it was all in hardware. It was very difficult to understand what was happening. So it took many years for people to actually reverse engineer and understand what was going on. Once it did, it was drastic because it affected billions of cards around the world.

Dave Bittner:

Right. It was so widespread.

Samy Kamkar:

So widespread versus the open ones which simply didn’t have or only had the issues, but earlier on, and had those results sooner with smaller user bases. That’s, I think, one of the benefits at least from a security perspective. There are pros and cons to both, at least when you’re talking about tools to build other tools or systems on.

Dave Bittner:

Well, I want to thank you for taking the time for us today. And I have to say I’m glad you’re on our side, that you’re using your skills and intellect and insights to try to help make things better.

Samy Kamkar:

Thanks, I appreciate it.

Dave Bittner:

Our thanks to Samy Kamkar for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict Conference in Washington, D.C.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
