After creating the MySpace Samy worm in 2005, causing MySpace to shut down, and then agreeing to a felony plea deal that included not touching a computer or accessing the Internet for four years, Samy Kamkar learned a valuable lesson: “Do unto others…”
A lot of Kamkar’s life has been built around navigating what he thinks is moral and what he thinks is ethical. And generally, he tries to live by the Golden Rule: only do to others what he would be OK with having done to him.
“After the MySpace hack, I learned that it wasn’t OK to change something which someone else considers their own — whether it’s MySpace’s server or someone else’s profile. I don’t own any of those things, so I shouldn’t be modifying them.”
Kamkar spoke with Techopedia in a reflective conversation about what two decades as a gray hat hacker have taught him.
About Samy Kamkar
A famous “gray hat” hacker, Samy Kamkar is a security researcher, known for creating the MySpace worm, the fastest-spreading virus of all time. He is the co-founder of Openpath Security Inc., which was acquired by Motorola Solutions Inc.
His open-source software, hardware, and research highlight the insecurities and privacy implications in everyday technologies — from the Evercookie, which produces virtually immutable respawning cookies, to SkyJack, a drone that wirelessly hijacks and autonomously controls other drones.
Kamkar’s work has been cited by the National Security Agency, triggered hearings on Capitol Hill, and has been the basis for security advancements across vehicles, smartphones, and other technologies.
Key Takeaways
- Samy Kamkar considers himself a gray hat hacker because his intentions are never malicious.
- After suffering the fallout of the MySpace (Samy) worm, Kamkar learned that it wasn’t OK to change something that someone else considers their own.
- Kamkar tries to live by the golden rule – only do what he’s OK with being done to him.
- Today, Kamkar is passionate about combining the understanding of physics and electromagnetism to protect against new cyberattacks.
The Birth of a Gray Hat Hacker
Q: Can you tell me about your early interest in computers and what initially drew you to hacking?
A: It really all started when my mom got me a computer when I was 10 years old. I went online and started searching for the X-Files television show. I downloaded a chat server — Internet Relay Chat — and I went into the chat server and asked who wanted to chat about the X-Files. But someone told me to get out. I wasn’t sure why. But I said, ‘No.’
Then the person said I had 10 seconds to get out of the chat room. I was behind my computer and I figured they didn’t know my name, and they didn’t know where I lived.
So again I said, ‘No.’ And then 10 seconds later, the brand new computer that my mom had just bought displayed a blue screen of death.
That person was somehow able to crash my computer. When I realized what had happened, I thought I’d be grounded for the rest of my life. I was absolutely terrified. So I pulled the wires out of the computer.
I waited maybe half an hour, and then I plugged everything back in. And fortunately, everything came back up.
But at that moment, I thought that was the coolest thing ever, and I wanted to know how to do it. And I’ve sort of spent the rest of my life trying to understand how to do that and how to protect against it.
I think security is very cat and mouse. As soon as you can secure against something, there’s always another way to perform some type of attack. And there’s always another way to protect against that. So just going back and forth down that rabbit hole has been really fascinating.
Q: How did you transition from being a hobbyist to becoming a well-known figure in the hacking community?
A: To me, there was never any distinction. I always thought it was really interesting to see how a system worked. I’ve always been fascinated about understanding something more deeply. And with that understanding being able to manipulate that system in a way that could be advantageous or interesting. So it’s just always been a passion ever since that day. And that hasn’t changed. I’ve only expanded my areas of interest.
White Hat vs. Gray Hat vs. Black Hat
Q: What are your thoughts on the differences between white hat, gray hat, and black hat hackers? Where do you see yourself fitting into these categories?
A: If anyone asked directly, then I would say that I am gray hat. The reason for that is that I don’t actually do anything malicious. My intentions are never malicious. Generally, white hat means good and black hat means bad, but good and bad are subjective.
You might be talking to someone who works for the government and their job is to reverse engineer or hack into nation states that we believe have been malicious to us in the past. So we might consider that a good person.
However, that totally depends on which government they work for. Because it could be someone in the U.S. hacking China or someone in China hacking the U.S.
But at the end of the day, it’s the same type of person doing the same thing for the same reasons and the same goals, but their homelands are reversed.
So it’s hard for me to consider one good and one bad. Now, of course, there are people who are just malicious and know that they’re doing things that are wrong like taking from people for financial gain.
But generally, I think the idea of good and bad is nuanced. And I think my goal is to improve things for the statistical majority.
Ethical Boundaries in Hacking
Q: What do you consider the ethical boundaries in hacking, and how do you navigate the gray areas?
A: That’s a really interesting one. I don’t think everyone agrees about what ethics are and what a person’s individual ethics are. So a lot of my life is built around navigating what I think is moral, what I think is ethical. And generally, I try to go with the golden rule. So it’s what I’m OK with being done to me.
That ethical line is just something I’ve learned. I got in quite a bit of trouble when I was a teenager writing the MySpace worm [also known as the Samy worm]. I wasn’t allowed to touch a computer or access the Internet for four years.
And that also made me think about what my own ethics were. And in that scenario, I realized I did something wrong. I shouldn’t have modified things on someone else’s computer when I knew that they didn’t want that to be done.
And that’s when I thought that I was OK with doing things on anything that I own, something that I’ve purchased. I believe, ethically, I should be able to do anything I want to my own computer. And that’s my own ethical investment ethics. I also don’t think there’s anything wrong with sharing knowledge. So I’m happy to share that information publicly. But I shouldn’t use it against someone else – against what they own.
And that’s my definition of ownership. There are companies out there that are actually trying to say, ‘No, you don’t even own the hardware you buy.’ And that’s another, more philosophical concern that I have – organizations, companies, governments trying to define what ownership means and companies actually trying to restrict [what we can do with their products that we buy].
Some companies have been trying to make it so that when we buy devices, we don’t own them. Rather, we essentially just own a license to use them. And some companies have tried to make it illegal to open up certain devices or vehicles. Fortunately, none of that has passed in the U.S. However, that’s an interesting fight that’s actually going to continue.
The MySpace (Samy) Worm
Q: You mentioned getting in trouble for the MySpace worm. Your creation of the Samy worm on MySpace is infamous. What were your motivations behind it?
A: I was 19 years old at the time [Oct. 4, 2005] and MySpace was the biggest site on the Internet. And all I was really trying to do was to see how I could make my profile more interesting. I thought it would be nice if I could add more photos than were allowed back then. I think 12 photos was the restriction and I wanted to have 13. I thought that would be interesting.
I realized the only way I could make any changes was by executing code. So I spent a little time figuring out how I could execute code whenever someone was in my profile. And once I realized I was executing code on someone else’s computer, then I could just make them kind of do anything.
I thought it would be funny to just show off to some of my tech friends. And I thought it would be funny if the person [viewing my profile] added me as a friend, if we weren’t already friends. Then I realized I could make them update their profile.
So I updated the code so that it would add ‘Samy is my hero’ to the bottom of a profile. And I was just having a little laugh. I expected maybe a few people would run into this. And then someone might tell MySpace and they would remove it and no big deal. Initially, it didn’t really spread. I had so few people visiting my profile that after a few nights, I think it only impacted one person.
But I wanted it to spread a little faster, and then I realized if I can make them add me as a friend and as a hero, I can just copy the code to their profile. So when someone’s in their profile, they’ll add me as a friend and as a hero. I imagined within a month, maybe I’d have 50 or 100 new friends. I was very wrong.
I woke up to 10,000 new friends the next morning, and I really had no concept of how big the site was. And that grew to 100,000 to more than a million just that day.
And that’s when MySpace had to shut down to remove the worm. I was terrified and horrified that it was spreading so quickly. No excuse. Obviously, it was a worm in the way it worked. But I just had no concept of the virality that it would have, and I immediately regretted having released it. Yeah, hindsight is 20/20.
And maybe six months later, I had a little run-in with the law. The United States Secret Service came to my home, they came to my office. I got raided. They took all my computers, iPod, Xbox, anything with digital media on it.
Then I went to court and [ultimately] agreed to a plea agreement.
[Kamkar was placed on three years’ formal probation, ordered to perform 90 days of community service, pay restitution to MySpace, and not touch a computer or access the Internet for four years.]
Lessons Learned and New Perspectives
Q: What lessons did you learn from that?
A: I learned what is acceptable and what’s not. And that it wasn’t OK to change something on what someone else considers their own, whether it’s MySpace’s server or someone else’s profile. I don’t own any of those things, so I shouldn’t be modifying them.
Q: How has your perspective on hacking and cybersecurity changed over the years?
A: It’s been interesting to see how much cybersecurity has grown and how much it has become a critical component of many systems. I think that’s new to us and because it’s new to us, we’re going to be missing a lot of things. We’re going to have a lot of issues. We’re going to have a lot of vulnerabilities because the general population isn’t familiar with this.
As we embark on any new technology or science we’re not going to fully grasp the magnitude of its effects, and the magnitude of the potential issues that come along with it. And it’s time and exploration that will help us understand better and find ways to improve [cybersecurity].
Q: How do you envision your role in the cybersecurity community evolving in the coming years?
A: My personal passion as of late has been in physics. I’m trying to see how I can combine the understanding of physics and electromagnetism and how the fields around us work. How to potentially take advantage of that for exploitation purposes, and then how to resolve and how to actually strengthen our systems to protect against a new set of attacks that I believe are possible.