MySpace filed a lawsuit against the virus creator, Samy Kamkar. He entered a plea agreement, on January 31, 2007, to a felony charge.[2] The action resulted in Kamkar being sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.
From: http://en.wikipedia.org/wiki/Samy_(XSS)
I'm not sure what is going to happen to the kid that did the Twitter worm.
On what grounds is what these people did considered harmful? It doesn't harm any end-users... at worst it only modifies their profile page. It's a bug (or feature) in the web application, not exactly a virus that affects other people's computers. I guess my point is, it's all encapsulated to the website.
Furthermore, it just seems like they're taking advantage of the features the developers created. If you can execute javascript, why not force people to friend you? If the developers included a big button that said: "Delete a random user's profile" and you pushed it... would that be illegal? What if instead of a button, there was a hidden URL that did this? What if you needed to provide a 1 digit password?
I just don't get how fooling around with a website can be considered illegal, and what defines the line between legal and not.
I'm not talking about stealing a car. That would be hijacking or shutting down the entire website.
If you want to go the "car analogy" route, then put a whiteboard on your car, and claim it's illegal when somebody comes along and writes on the whiteboard. This is still a pretty crappy analogy.
The best analogy would be making something intended for one purpose, but somebody uses it for another purpose. Then, since it's bad for business, you sue the person who used the item as not intended. It just seems ridiculously unfair.
I'm talking about things like Web 2.0 profiles. The TOS on these things are that the entire use of the website is without warranty... yet if somebody comes along and makes a worm on these sites, a worm which harms nothing other than these warrantless profile pages, that's illegal?
Another example: Let's say Myspace said: "Feel free to use Javascript in your profile." Would it be OK to make the worm? It's just javascript, after all.
That something is easy to do, or that the actual damage is small, does not make that something more "right".
I accidentally drive off with your one (putting the fact the keys were in the ignition down to my own absentmindedness), and as a result get stopped by the police for grand theft auto.
What happens then?
http://boingboing.net/2008/07/28/law-prof-and-cop-agr.html
I expect that your lawyer will then explain the situation to the cops, point to your car in the parking lot, point to your lack of criminal record, motive, or experience in fencing stolen cars, offer a stirring and heartfelt apology on your behalf, and then stand by to argue.
(But I can't be sure of that, because I am not a lawyer myself.)
One: There are specific laws against unauthorized access to computer systems:
http://www.ncsl.org/programs/lis/CIP/hacklaw.htm
These acts are generally considered illegal because... they contravene laws!
Two: "What defines the line between legal and not?" The answer, ultimately, is judges and juries. These people have a wide range of discretion and are often surprisingly reasonable. (Although certainly not always. And they cost a lot to convince, and they can be randomly unreasonable, which is why there are a lot of jury-trial horror stories and why lawyers prefer to avoid jury trials whenever possible.)
If I leave a loaded gun lying around and you pick it up and shoot me dead, the legality of your action is going to depend crucially on what you can make the prosecutor and the jury believe. If you convince them that you did it by accident -- that you were honestly just playing around with the gun on the assumption that nobody would be dumb enough to leave a loaded gun around -- you might be found innocent. If you had a documented motive for killing me, or were arguing with me at the time in front of witnesses, or if there were no witnesses... well, good luck.
Finally, when you say:
It doesn't harm any end-users... at worst it only modifies their profile page.
You are making a lot of unwarranted assumptions. For one thing: If you publicly deface a website you advertise the existence of an exploit which someone else might then use for evil purposes. But, more importantly: Who says that an edit to a user profile is always harmless? People have lost relationships, job leads, careers, and reputations over such "trivial" things. Remember the poor teacher whose Windows box got infected by a virus and spewed porn links all over the screen in front of the students? The woman who lost her job and narrowly missed being convicted as a sex offender by a crazy prosecutor?
http://news.cnet.com/8301-1009_3-10107743-83.html
If I were a teacher and someone defaced my online profile with a porn link I'd consider it a direct threat to my family's life.
These people are using the website with no warranty. It says so in the Terms of Service. Myspace, Twitter, Facebook, etc, guarantee nothing about the security of their website, and whether or not their technology even works correctly. Even if they did say in their warranty: "Your information is guaranteed to be secure," does that magically make it illegal to make a worm?
Good points. Especially the loaded gun thing.
But in the Myspace example -- what harm was done to Myspace that warranted any punishment? Is it because they're such a successful website, that it matters more? I mean, let's say the kid made this worm for a site with like 1,000 users... is it any less of a crime? And why is it not Myspace's fault for not securing the website?
Another thing I'm confused about... how responsible do the website owners have to be? Let's say they allow javascript in profiles. The worm was nothing more than javascript. I'd argue that somebody was just getting creative with their profile! If they made an endless loop of alerts, is that a "virus" because in most browsers (ridiculously) you have to force quit them?
And, finally, how in the world does any of this technology stuff get explained to the people making the decisions, e.g., the judge and jury? It seems it's nearly impossible for it to be adequately explained to them to the point of them understanding enough to make a fair judgment.
I think you will find that a jury will have no trouble telling the difference in value between something that has no warranty, something that has no warranty and is broken thanks to an error by its vendor, and something that is broken because some third party broke it. Warranty law is about the first two cases. It has nothing to do with the third case. If you break a company's product, you are going to be liable, whether the product is under warranty or not.
Incidentally, we have reached the point where it's important to point out that I am not a lawyer.
I'd argue that somebody was just getting creative with their profile!
If you get creative with your own profile, and it brings down your browser, you have found a bug. Indeed, if you get creative with your own profile, and it brings down Twitter, you have merely found a bug. (Though one that could obviously be used to perform a DoS attack on Twitter. If you exploit the bug to bring down Twitter over and over for your own amusement, you're getting into shakier legal ground. The responsible thing to do is report the bug.)
If you "get creative with your profile" to create an XSS attack that deliberately defaces other profiles? Hire a lawyer, pronto.
how responsible do the website owners have to be?
The truthful answer is "not very". You can be convicted for breaking into an account that has little or no actual security on it. You can be convicted for searching for an exploit on your employer's computer, even if you don't exploit it. (Ask Randal Schwartz. You should probably Google up his case. Sounds like you need some legal briefings.)
Don't impersonate other people on computer systems. Even if the system owners are begging for it. (Especially if the system owners are begging for it.) And don't "test" people's security without specifically getting their permission in advance.
My concern is that it's Myspace one day, my bank the next. Stemming this in the bud is of value for everyone.
For example, what if Myspace only allowed a 1 digit password on your account. Is it still illegal to "hack" your account, or is it Myspace's fault?
The DMCA says that breaking ANY encryption is illegal, even if the "encryption" is "take my data, treat it as binary and invert all the digits" and the first line contains those instructions; it is illegal to break the encryption because of the DMCA.
So yeah, if it's a 1 digit password it's illegal to guess it.