A Brooklyn teen found a novel way to land a job in a terrible job market: he launched a worm against Twitter last week, actually four worms.
Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET.com that he wrote the worms because he was bored and wanted to bring Twitter’s attention to the security holes.
Michael was hired by a Web application development firm, ExqSoft in Hammond, Ore., last week, and on Friday he released a fifth worm on Twitter.
Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users’ followers and modify profile pages.
Travis Rowland, founder of Exqsoft, told CNET News that he saw the worms on Twitter and was impressed with Mooney’s skills, so he contacted him about working for him doing security analysis. “I saw his Web site and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone,” Rowland said.
After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn’t contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had gotten no response.
“I just want to let (Twitters) know that my intent is not to aggravate them,” Mooney said in a phone interview with CNET News. “It’s probably not the best way, but it’s the only way I can reach out to Twitter so they will fix the vulnerability.”
The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and Mooney getting hired by exqSoft.
Rowland blasted Twitter for not adequately protecting its site. “It’s a complete failure on their part,” he said.
Twitter executives did not respond to an e-mail seeking comment.
In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favor by alerting them to a security hole.
So should bad behavior be rewarded?
And why would a company allow the young man to continue to launch worms once they hired him?
Was Mr. Mooney’s conduct malicious and should he be prosecuted by Twitter, or did he in fact “Do Twitter a Favor” by pointing out the security flaw?
Patrick McDermott says
As far as I am concerned he did them a favor.
His non-malicious worm may have prevented malicious ones in the future.
Patrick McDermott says
I forgot to add:
The only ones that should be punished are the Twitter Execs who did nothing
when the vulnerabilities were brought to their attention.
Christian says
Reminds me of Frank Abagnale, Jr. (if you’ve seen Catch Me If You Can) or To Catch a Thief. Who else to help with security flaws than someone who knows how to exploit security flaws?
Ross says
Hackers are hired by many companies, even governments, for this exact reason. Guess what their resume is? A hack or exploit to the hiring company’s systems…
Steve M says
He committed a federal (and likely state/s as well) crime and should be prosecuted.
No different than stealing from a store and then telling them what their security problem/s is/are.
And if ExqSoft had prior knowledge of that 5th worm, they’re equally at fault.
You don’t punch someone in the face and then explain how they could have avoided getting hit.
How would any of us feel if it had been one of our sites?
Scott Alliy says
If the story is verified and true exactly as written about then absolutely maximum punishment is due to him and whoever knowingly aided or assisted him.
What a B.S. excuse, “I was trying to help them”
Is a robber helping the bank by compromising their building or business? And let’s not even talk about crimes perpetrated against people? If people are vulnerable then psychos and sickos should take advantage of them for their own good and to make them aware of their vulnerability? What the hell is going on with people’s thinking?
And finally for those who can’t think past the surface. HELLO does anyone who thinks this guy should not be prosecuted have an Internet business or any investment in the Internet? If so have you a clue of the battles that we have and continue to fight to gain the trust of consumers who have less and less reason to trust the internet with each instance of spam and news of worms like the 5 worms that this guy is alleged to have unleashed?
Every serious internet business owner or domainer or anyone with a monetary interest in the net should be calling for the maximum penalty in this case IMO.
Patrick McDermott says
“The worms appeared to do no damage other than spread to infected users’ followers and modify profile pages.”
The only thing I know about this case is what was written here.
It says no damage was really done which means to me no malicious intent.
It’s curious that those who think this kid should be prosecuted have nothing
to say about the failure of Twitter Execs to take any action when warned about
the security exploits.
To use one of the metaphors above, this kid broke into a bank to show that
the security system sucks but he didn’t take anything.
He just wanted to show the security vulnerability.
What kind of criminal is he?
He didn’t steal anything and now that the exploits are known may have
actually prevented future robberies.
—
“You don’t punch someone in the face and then explain how they could have avoided getting hit.”
He did not punch anyone in the face (“The worms appeared to do no damage”).
He faked a jab and showed the Boxer that he is holding his left arm too low.
Big difference.
He’s also only 17 and it is now a known fact that certain areas of the brain
affecting judgment are not yet developed.
MHB says
Patrick
I don’t know any more about this than I wrote here either.
The only thing that truly bothers me is the guy who hired him, if he knowingly let the kid release another worm after he hired him, but that is not clear.
On the other hand how many e-mails do you think Twitter gets a month from people saying they found a hole in their system. It’s probably not the first e-mail they got like this, nor is every e-mail sent a valid threat.
Patrick McDermott says
“how many e-mails do you think Twitter gets a month from people saying they found a hole in their system.”
MHB,
You’re right. I did not consider that.
Then it begs the question: How can you get a company’s attention when
you know there is a serious problem that should be addressed?
Send some worms? 🙂
Ross says
@Steve M
How does a boxer know how to avoid a punch?
If you have never been punched before, how do you avoid it?
Although I do believe such things are against the law, it does give a gain and force Twitter to move forward with their security. This is the way Microsoft fixes security patches, they either get hacked and exploited or they hire hackers to find them.
Steve M says
@Ross; the critical difference is of course that with your example of a boxer, the boxer asked for the lesson…
…Twitter did not ask to be attacked.
Dave Zan says
If anything, only Twitter will decide the answer to that question despite how everyone else feels about it. The “kid” here, and the company, ought to be ready to deal with the results of their choices.