Samy Kamkar, who unleashed one of the fastest-spreading computer viruses of all time as a teen, explains his 'compassion for young hackers' and his advice on exploring, not exploiting

  • In 2005, 19-year-old Samy Kamkar unleashed a computer virus that infected 1 million MySpace users in 20 hours, making it one of the fastest-spreading computer viruses ever and forcing the social network to temporarily shut down. 
  • He took a felony plea deal and law enforcement forced him to stay off the internet for three years. 
  • Kamkar still believes that young hackers should push the boundaries, but be prepared to "get slapped around a little" as part of that education. 
  • He also urges hackers to be careful and not confuse exploring with exploiting, saying: 'You don't want to go through the same thing I went through.'
  • Visit Business Insider's homepage for more stories.

 

Samy Kamkar, who unleashed one of the fastest-spreading computer viruses in history in the mid-2000s, has a broad, mischievous smile and the compassionate eyes of someone who admits his mistakes. 

Kamkar, who took a felony plea deal at the time, has since built a career out of ethical hacking, and now provides a uniquely insightful perspective on a new generation of hackers making headlines – sometimes for serious crimes. 

This week, a high school student was arrested in connection to attacks that shut down Miami schools. This summer, 17-year-old Graham Clark was arrested and charged with 30 felony charges for allegedly taking over dozens of verified Twitter accounts — including those of Barack Obama and Bill Gates — to trick people into handing over money. In May, a 15-year-old in New York was accused of master-minding a cryptocurrency scheme that stole more than $20 million from victims. The list seems to grow by the day.

Compared to these examples, Kamkar's teenage social media exploit looks tame and his consequences mild. As one of the original teen social media hackers, he doesn't see "hacking" as a dirty word and thinks young people should keep pushing the boundaries of what they can do online.

Kamkar spoke this week at the online conference Disclosure, organized by the identity security company Okta, on his past and the experiments he works on today. In an interview with Business Insider, he discussed what he learned as a young hacker and how he thinks teens that are interested in ethical hacking today might benefit from his experience. 

Kamkar was the original teen social media hacker 

In 2005, Kamkar was a 19-year-old high school dropout who enjoyed experimenting on what now seems like a quaint and very limited internet. He created a computer virus that caused Myspace users to involuntarily send him a friend request and, as a kicker, add the words "but most of all, Samy is my hero" to their profile.

The virus infected a million Myspace users in one day, forcing the website — then the world's most popular social network with 60 million users — to shut down for several hours. Six months later, federal law enforcement agents raided Kamkar's home and confiscated all his computer equipment. As part of a plea deal he made with authorities in which he pled guilty to a felony, he had to stay off the internet for three years. 

"I read books, spent time outside, learned to talk to people," he said in an interview with Business Insider. "In some ways, it was good for me." 

Myspace is now a socially-inclined music website, and Kamkar is chief security officer of Openpath, which makes keyless, touchless entry products for buildings. And he remains an indefatigable hacker, discovering how to take over control of other people's drones and re-create his credit cards so he can shop with a wireless device. 

So what's different now? He concedes it may sound corny, but he tries to follow the "golden rule": Only hack unto others as you would have them hack unto you. 

You might not realize what you've done until it's too late

Kamkar says his hack of Myspace was not intended to go viral.

"That wasn't even a buzzword back then," he says. "I was just a teenager at the time playing around on a random social network, thinking, 'How can I show that I did something kind of cool, kind of different, that other people were not necessarily able to do?'"

At first, not much happened. According to Kamkar's online journal about the Myspace hack, he went to bed on October 4, 2005, with one new friend request as a result of his virus. He woke up the next morning to find 221 new friend requests. By 1:30 that afternoon, that number was 6,373. Five hours later, 1,005,831 Myspace users had involuntarily sent him a friend request and posted that he was their hero. An hour after that, the most popular social network in the world was offline.

"Oh no, I've made a terrible mistake," he remembers feeling. "I didn't realize it would spread so fast. This has gone way out of hand. I didn't know this would happen. I want to stop it."

But it was too late. "If you have a cold and you sneeze on somebody, you might be fine the next day, but it doesn't matter. It's a virus, and it's going to spread."

His experience showed him that there can be major repercussions that you can't foresee while you are experimenting, and caution can save you from serious consequences later.  

Getting "slapped around a little" as part of a hacker's education

While Kamkar is not recommending that anyone commit a crime, he believes that overstepping boundaries — and paying a price — can be an important educational experience, as long as a young hacker doesn't go too far. 

"We all have to learn. We start out knowing nothing, and we have to gain knowledge. Some of us are fortunate. We get awesome people to teach us. Some of us have to run into walls and have to bump around and, you know, get slapped around a bit before we learn," Kamkar says. "That's me. I was getting slapped around here, right? The world was saying, 'This is not how you treat other people, other systems.' I didn't know I was doing anything wrong until someone told me. It was obvious afterwards. It was obvious to everyone else, but it wasn't obvious to me."

Kamkar describes the time of his hack as "much more Wild West" — now that "things are much more strict," his "slap on the wrist" could have been worse.

"I have a lot of compassion for young hackers. I think I know what it feels like to have that excitement over a discovery. To think, 'I found this bug. I found this thing. It's awesome,'" he said. "It's really cool that you found it." 

Today, most major companies have bug bounty programs that allow people to get paid if they find and report vulnerabilities in the firm's code. That provides the challenge — and a reward without the risk. "You don't want to go through the same thing I went through," Kamkar says. 

Hacking is like figuring out a puzzle 

Perseverance in following your curiosity can lead you to fascinating places, Kamkar says. 

"If you are a hacker, you should explore until you hit a boundary. I very much — I would say almost innately — have that personal belief. And I think my life has been a bit different than other people's lives as a result, so I see things in a different way," Kamkar says. "I believe that you shouldn't just assume things are true, even if another scientist says so. I think hackers want to see for themselves. That pursuit of truth may take you some interesting places. I don't necessarily apply any legal or illegal attribute to the word 'hacking.' I just think of it as a puzzle, as figuring out a puzzle." 

He wants to encourage young hackers to explore, with a conscience. Understanding the difference between exploring and exploiting is important, he says.

"You can get a degree, or not, and still do a lot of cool stuff with this talent. You can, you know, make a name for yourself by going into this area."

The cybersecurity community seems to appreciate his guidance. After his talk at the Okta conference this week, a member of the audience posted in the chat "but most of all, Samy is my hero." It caught on for a moment, was reposted once or twice, and stopped. 

Source: Read Full Article