    61: Samy

    Samy Kamkar, known for creating the Samy Worm, shares his story on a podcast episode focused on cybersecurity and hacking. He explains how his creation caused significant effects on social media sites.

    March 17, 2020
    Darknet Diaries

    Who is Samy Kamkar and what did he create?
    What does the hacker mindset involve according to the text?
    How does Openpath enhance physical building security?
    What is Evercookie and its purpose?
    How can power usage be measured using a phone's microphone?

    • The Hacker Mindset: Unconventional Thinking and Unexpected Outcomes. Passion and curiosity can lead to unconventional thinking and unexpected outcomes. By viewing things in a different way, like how Samy Kamkar saw computers as puzzles to solve, we can create something new and impactful.

      The hacker mindset involves ignoring the intended use of something and finding new ways to employ it, like how Samy Kamkar saw computers as a puzzle to solve. Samy's early fascination with computers led him to study programming and practice video games, eventually finding himself addicted to them. The story illustrates the power of curiosity and passion in leading to unexpected outcomes and unconventional thinking, as Samy's love for computers pushed him to explore beyond the usual user experience and led him to create the now-infamous Samy worm.

    • From Counter-Strike to Cheating and Beyond: Samy's Journey Through Software Networking. Samy's curiosity and experimentation with game hacking led him to gain extensive knowledge of software networking, but also resulted in dropping out of high school.

      Samy learned about packet sniffing, memory injection, and intercepting function calls while playing Counter-Strike. He used this knowledge to create cheat software that allowed him to do things like automatically aim at people, remove smoke grenades, and add zoom to all weapons. However, he eventually got bored of playing the game and instead started playing against the engineers of the PunkBuster program that was designed to detect cheating. By trying to circumvent PunkBuster's detection methods, Samy learned even more about software networking and continued to update his cheats. This experience taught him a lot and was like rapid training for him, which ultimately led him to drop out of high school.

    • The Power of Passion and Persistence: Samy's Story. Pursue your passions, take risks, and be open to new opportunities to learn and grow. Don't be afraid to face challenges if it means creating something meaningful and fulfilling.

      Samy's story emphasizes the importance of passion and persistence in learning and growth, as well as the value of seizing opportunities when they arise. He wasn't a good learner in school but learned to code on his own, and when a chance to work remotely came up, he jumped at it and eventually started his own company. Despite not getting paid at first, he was driven by his desire to learn and create something meaningful. Samy's story shows the value of pursuing what you love, even if it means taking risks and facing challenges, and the importance of being open to new opportunities and experiences in order to learn and grow.

    • Samy's XSS worm and the vulnerability of web applications. Samy's ability to exploit vulnerabilities in web applications highlights the importance of addressing and fixing such issues to prevent unauthorized access and manipulation of data. It is important to regularly update and secure web applications to protect against hackers.

      Samy, the creator of the first XSS worm, got bored and started playing with MySpace. He bypassed the photo upload limitation and the relationship status rules by exploiting the browser's interpretation of tags and executing JavaScript in a CSS tag. This enabled him to upload more photos and change his relationship status to "In a Hot Relationship", which was not an option in the drop-down box. Samy's ability to bypass the MySpace restrictions showcased the vulnerabilities in web applications. His knack for finding loopholes in the system highlights the importance of addressing and fixing such vulnerabilities.
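
      The paragraph above describes script running from inside CSS in user-supplied profile markup. As an added example (not code from the episode, MySpace or Samy Kamkar), this filter checks an inline style value against an allowlist, so any declaration it does not positively recognise is dropped and never reaches the browser's own interpretation. The property list, value patterns and sample inputs are assumptions constructed for illustration.

```javascript
// Added example: allowlist filter for user-supplied inline CSS.
// ALLOWED (properties and value patterns) is an assumption for illustration.
const COLOR = /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/;
const ALLOWED = {
  'color': COLOR,
  'background-color': COLOR,
  'font-weight': /^(normal|bold|[1-9]00)$/,
  'font-size': /^\d{1,3}(px|em|%)$/,
  'text-align': /^(left|right|center|justify)$/,
};

// Returns the declarations that matched the allowlist and the ones dropped.
// Escapes and comments are not decoded: a value that is not already in the
// plain expected form is rejected rather than "cleaned up".
function sanitizeStyle(styleText) {
  const kept = [];
  const rejected = [];
  for (const raw of String(styleText).split(';')) {
    const decl = raw.trim();
    if (decl === '') continue;
    const colon = decl.indexOf(':');
    const prop = colon === -1 ? '' : decl.slice(0, colon).trim().toLowerCase();
    const value = colon === -1 ? '' : decl.slice(colon + 1).trim().toLowerCase();
    // hasOwnProperty guards against inherited keys such as "constructor".
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, prop);
    if (known && ALLOWED[prop].test(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      rejected.push(decl);
    }
  }
  return { style: kept.join('; '), rejected };
}

// Constructed sample style values, as a profile editor might submit them.
const SAMPLES = [
  'color: #336699; font-weight: bold',
  'color: red; background: url("javascript:void(0)")',
  'COLOR: Red; width: expression(1)',
  'color: r\\65 d',   // CSS escape inside an allowed property: still dropped
  'constructor: x',
];

function runSamples() {
  return SAMPLES.map((s) => sanitizeStyle(s));
}

for (const result of runSamples()) {
  console.log(JSON.stringify(result));
}
```

      The filter fails closed: a declaration it cannot parse, or a value written in any unusual form, ends up in `rejected` instead of being passed through.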

    • Samy's Viral Mistake - The Danger of Unknowingly Creating a Worm. Creating a virus unknowingly can lead to significant damage and is hard to control once it spreads. In the age of the internet, being cautious and responsible with online content is essential.

      Samy unknowingly created a MySpace worm that spread quickly and led to 10,000 new friends. A virus that spreads itself like a worm is hard to remove, and it doesn't stop spreading easily. Samy realized he had written a virus and was flooded with messages. It was time for him to do damage control, so he e-mailed MySpace anonymously asking them to delete the virus. One mistake like Samy's can lead to significant damage, and viruses are hard to control once they spread. In the age of the internet, it's essential to be cautious and responsible with what you create and post online.

    • The Consequences of a Curious Mind in Programming. Curiosity in programming can lead to unintended consequences. It is important to be cautious with programming tools as even a small experiment can have significant ramifications.

      A small mistake can lead to unanticipated consequences. Samy's curiosity about the number of friends on his MySpace profile led him to create a worm that spread rapidly and ultimately brought down the entire website. Samy realized how big of a mistake he had made when the number of his friends started to grow exponentially, but by then, it was too late to stop the worm. He even considered going to the MySpace office to apologize but decided against it, fearing that he might end up in jail. The incident highlights the importance of being cautious when playing with programming tools, as even a small experiment can have significant ramifications.

    • Accidentally Taking Down MySpace: A Lesson in Responsibility. As a developer, it's important to be responsible and think before taking actions that could have serious consequences. Samy learned this the hard way after accidentally taking down MySpace and facing the possible consequences of his prank.

      Samy accidentally took down the largest social network in the world but heard nothing back from MySpace or the police. Although he got famous, he learned a lesson. Officials from the Secret Service, the LA District Attorney's office, and the California Highway Patrol showed up at his place six months later. They suspected his new, fancy car was stolen. With his fingerprints all over the worm, he realized the gravity of his actions. He got lucky and didn't have to face any charges. He learned that playing such pranks was foolish and vowed never to do it again. The incident taught him to be more responsible as a developer.

    • Overcoming Legal Challenges and the Importance of Honesty. When facing legal challenges, it's important to mentally prepare and know the outcome. Honesty and transparency are essential, even in difficult situations.

      Samy's experience with law enforcement and the legal system was challenging, but ultimately he was able to negotiate a plea agreement that resulted in no prison time. The experience made him realize the importance of knowing the outcome and mentally preparing, even for difficult situations. His livelihood and skills were dependent on his ability to use a computer, and facing a potential lifetime ban on computer use was scary. However, he was able to come out of the experience with a renewed appreciation for the importance of being honest and transparent, even in difficult situations.

    • Losing everything led to a new beginning for Samy. Losing everything can be an opportunity for growth and self-discovery, leading to valuable life lessons and a new appreciation for what we may have taken for granted.

      Getting into trouble with the law and losing everything may seem like the end of the world, but it can also be an opportunity to learn and grow. For Samy, losing his computer privileges forced him to try new things and explore the world outside of technology. He discovered new hobbies, made friends, and learned how to socialize. Although it was a difficult journey, Samy persevered and completed his community service, leading to the lifting of his probation and the ability to use computers again. This experience taught him valuable life lessons and helped him appreciate the value of technology in his life.

    • Ethical hacking with Samy. Samy demonstrates that ethical hacking and continued research can improve the security of vulnerable systems. Using simple and inexpensive devices, he shows that these attacks can be easily performed, but also educates vendors on safety measures.

      Samy, even after not being allowed to use computers for two years, continued to think about new exploits and ways to manipulate systems. He eventually started looking into hacking credit cards, specifically the NFC and RFID chips on them, but not with malicious intent. He wanted to show that the system was not secure and teach others about safety involved with these products. Even though vulnerabilities will always exist, Samy continues to research in an ethical and safe way, sharing his findings with vendors. He uses simple and inexpensive devices such as the two-dollar chip or an Arduino to show people that these attacks can be easily performed. The key takeaway is that through ethical hacking and research, the security of vulnerable systems can be strengthened.

    • Power usage measurement and cookie tracking for secret key recovery and user tracking. Processors use varying amounts of power for different instructions, which can be measured for secret key recovery. Cookies can be stored in various locations on a user's device, allowing websites to track them even after cookie deletion.

      Processors require different amounts of power for different instructions and this power usage can be measured using a phone's microphone. This measurement can be used to perform timing and power analysis to recover secret keys used for encryption. Additionally, cookies are a tracking mechanism used by web browsers that can be stored in various locations on a user's computer, including Flash cookies and HTML 5 storage. Samy created an open-source JavaScript library called Evercookie to demonstrate all the different ways data can be stored on a user's computer without their knowledge, making it easy for websites to track their users even if they delete their cookies.

    • Evercookie and Skyjack - Two Tools for Testing Browser Protection and Drone Security. Evercookie helps modern browsers protect user privacy by testing against tracking mechanisms. Skyjack aims to expose security risks in drones and encourage better security measures.

      Evercookie is a tool that is effective in testing the protection of browsers against tracking mechanisms like local storage. The tool is updated to incorporate new techniques, and it is a useful asset for modern browsers seeking to ensure user privacy. While some governments use Evercookie to track browser users, it is only effective on those who do not update their browsers or operating systems. Skyjack is an open-source project that aims to address security concerns around drones. The project allows for the hijacking and takeover of drones that lack proper security mechanisms like encryption. Skyjack seeks to highlight security vulnerabilities in drones and promote the implementation of better security measures.

    • Risks Associated with Wireless Drone Takeover. The vulnerability of wireless drones can be exploited by unauthorized organizations. Public awareness is crucial to pressure companies to resolve the issue. Consumer rights non-profits like the Electronic Frontier Foundation can provide support.

      The vulnerability of wireless drones to remote takeover has always existed, and it is not limited to just the drones owned by Samy. There are potentially many organizations that have developed the necessary software and hardware to control a swarm of drones for their benefit without revealing it to the public. By demonstrating the issue publicly, Samy believes that it can provide the necessary pressure to the companies to resolve the issue. Releasing a proof-of-concept helps in highlighting the underlying problem with the protocol. Although Samy has faced cease-and-desist orders, he has been fortunate to receive support from non-profits like the Electronic Frontier Foundation that look out for consumers' digital rights.

    • The Dangers of Smartphone Tracking and the Implications of Sharing Personal Data. Smartphone tracking through Wi-Fi MAC addresses poses a threat to online privacy and security. We must understand how our data is being collected and used to protect our privacy and be aware of the consequences of sharing personal information.

      Samy discovered that smartphones were tracking their users through Wi-Fi MAC addresses. Google used this information from Google Street View cars to locate the MAC addresses and track their movement. Even encrypted wireless routers revealed their location. Android phones were potential wardriving machines, allowing Google to further expand their tracking. This revelation led to a class action lawsuit. Samy demonstrated how he could use this API to track website visitors without their authorization. This technological advancement raises concerns about online privacy and security. It is essential to understand how our personal information is being collected and used. We must be vigilant in protecting our privacy and aware of the implications of sharing our data.

    • The Privacy Concerns Surrounding Android and iPhone's Location Tracking. Android and iPhones collect user data through Wi-Fi MAC addresses and GPS coordinates to create traffic data. This data can be exploited, so users must be aware of the privacy violations going on when using their phones.

      Android phones are wardriving machines that collect Wi-Fi MAC addresses and GPS coordinates, which Google uses to track location and traffic data. iPhones also collect and send similar data to Apple. Samy created a proof-of-concept app that could exploit this data and trick Google Maps into diverting drivers away from a route by simulating thousands of other Android devices reporting zero miles per hour. This highlights the underlying issue of users unknowingly sending their exact location to these companies, leading to Google and Apple appearing on Capitol Hill. Although they've resolved some issues, phones still collect this data and users should be aware of this violation of privacy.

    • Openpath's Revolutionary Secure Access System without Physical Cards. Openpath offers a modern, cloud-based, and secure solution for physical access using phone-based encryption and Bluetooth technology, making it more convenient and safer than traditional methods. Led by Samy Kamkar, Openpath aims to revolutionize the way we secure buildings.

      Openpath is a company that uses phone-based encryption and Bluetooth technology to provide secure access to buildings without the need for physical access cards. This technology is not only convenient but also more secure than traditional methods. Despite advancements in technology, security for physical access has not improved much in the last decade. Openpath aims to change that by providing a modern, cloud-based, and secure way of getting into buildings. With Samy Kamkar at the helm of this endeavor, it's clear that the company will continue breaking new ground in the field of technology, as they aim to make the world a more secure and convenient place.
