Transcription performed by LeahTranscribes
JACK: Hey, it’s Jack, host of the show. When I was a kid, I got an ant farm for my birthday. It’s like, two panes of glass with some sand in between and you can watch the ants dig tunnels and go about their day. It was really cool. But when you get the ant farm, it doesn’t contain any ants. You have to order the ants and they’re mailed to you. The first thing I thought about when I was a kid and I heard about this was wait a minute, I can mail ants to anyone I want? I think that is basically the hacker mindset; to completely ignore something’s intended use and find new ways to employ it. Today we’re gonna talk with a hacker who sees the world this way, and we’ll hear all the joy and trouble it’s brought him over the years.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Okay, today we’re gonna have a chat with someone so infamous he has his own worm named after him; the Samy worm. That’s right; today we’re talking with Samy Kamkar. Samy is a hacker in almost every way. He does things he’s not supposed to do. He’s the kind of guy that thinks buttons are toys and you push them for fun just to see what they do which often ends up breaking something.
SAMY: I was never a malicious person at all. All this hacking, all of this exploitation, it’s really about a puzzle. To me, this was all a puzzle, a really fun puzzle.
JACK: There’s a lot of reasons to call Samy infamous but to tell his story, we need to go back to his childhood.
SAMY: [MUSIC] When I was nine years old, my mom bought me my first computer. She sort of spent everything she had so I’d have something to do during the summer. She knew I loved computers; I’d always go to the library with her or to her university and go and just spend all day at the library on the computers that they had. Immediately, I went online and I started searching for the X-Files, which is obviously the best TV show of the time. I found some message boards and that quickly became really frustrating to have to refresh and refresh and wait for people to update that message board. Then, I found something called IRC, Internet Relay Chat. I jumped on, I went into a channel and said hey, who wants to chat about the X-Files? Immediately someone told me get out.
I’m thinking that’s weird; this is a random person I don’t know on the internet and they’re telling me to do something? No. So, I told the guy no. Then he said you have ten seconds to get out of this chat room. I said no. Ten seconds later, the brand-new computer that my mom spent everything on crashes. I had a blue screen and I freaked out. I had no idea what to do. I pulled the power from the back of the computer. I waited about half an hour for all the bad stuff to get out of the computer; I think that’s what you’re supposed to do, and then I plugged it back in. Fortunately, it came back up. Everything was fine but really, with the adrenaline still rushing through my veins, I was thinking that is the coolest thing ever. How do I do that?
JACK: [MUSIC] From that point forward, Samy was addicted to computers. This was so fascinating to him. He wanted to understand how this had been possible so he began studying computers and practicing programming. Since he now had a computer at home, he got into video games, too. Counter-Strike was his favorite game; you know, the first-person shooter? He played it a lot. [00:05:00] He was addicted to it.
SAMY: It was fun, I mean, it was a ton of fun. I had a clan and was playing with a bunch of friends in high school. I remember just one day I was playing and I heard some footsteps. My computer has two speakers, one on the left side and one on the right side, so some stereo sound. [FOOTSTEPS] I hear some footsteps coming from the right speaker. Then I hear them panning to the left speaker, so that immediately tells me oh, there’s someone behind me, ‘cause I can’t see them in my visual field of view in the game. Immediately, I’m like wait, that means someone is behind me in the game. This is a live person, someone else on the internet playing Counter-Strike with me, but I can’t see them in my radar which means they’re on the opposing team. I wondered right then, couldn’t I really use that information, that sound information on the computer itself? I’m sure that person killed me pretty quickly, but afterwards I exited Counter-Strike and I started looking into how can I pull that information? What’s telling the computer to play footsteps on the right speaker rather than the left speaker?
Because that means there’s positional information there, that someone is on the right side versus the left side. Sure enough, I started learning about packet sniffing, and then memory injection, and intercepting function calls within the DLLs of Counter-Strike itself, and intercepting basically everything between the binary, the Counter-Strike executable, and the DLLs that it used so that I could intercept things like footsteps. Once I would hook that function, I was then able to get exact coordinates of everyone, because everyone’s footsteps is actually being sent to you, at least within some range. You will then get that and that’s just telling your computer where to play that sound, but that location is exactly where that person is located. At that point, I started using OpenGL at the time and just drawing where the user is on the map in a little heads-up display, in a little radar. Then I started sort of jumping into writing Counter-Strike cheat software. That was a lot of fun.
JACK: What were some of the cheats you could do?
SAMY: Just writing aim bots, so being automatically aiming at people, being able to make any smoke bomb or smoke grenade, or flash bang, just make those transparent to me. I could go into a room that I knew was full of opposing team members and throw in a flash bang. They’re all gonna see white for three seconds and I’m gonna run in there and see absolutely nothing because I’ve hooked that function and said do nothing; just return out, do a return before you actually do any of the visualization to wipe my screen. Little things like that became really fun. I couldn’t actually modify my health. That was controlled by the server so I couldn’t actually make myself invincible. Adding zoom to every weapon, so weapons that didn’t normally have zoom or might have a scope on them so you’d lose a lot of the screen because it’s now blacked out. I would just remove those – there’s no reason that a screen needs to be blacked out. I would remove that. There’s no reason that zoom should be better in one weapon and not the other, so I added zoom to all weapons. This is all totally unfair, and pretty quickly it actually became not fun at all. All the fun of the game went away entirely because all of a sudden it was practically god-mode.
JACK: Samy released the Counter-Strike cheats as open-source software. He was beginning to get bored playing the game. Then PunkBuster came out. PunkBuster is a program that’s designed to scan the memory to see if anyone is cheating in the game. PunkBuster stopped Samy from using his cheats, but now the new game was for Samy to try to circumvent whatever PunkBuster was using to detect him.
SAMY: All of a sudden, this game was fun again because I was no longer playing the game. I was now playing against these engineers on PunkBuster. They were doing their own memory inspection; they were looking for my process. They were doing all sorts of things to stop my cheats and other people’s cheats as well. That became fun. At that point, I was probably fifteen years old. I was so attached to this that I stopped going to high school and I started updating my cheats because this was just so fun, and it would be cat and mouse. I would release a new version that defeated their software and two days later, they would release a new version and then I would have to figure out what did they do? How did they figure it out? That was like, training. It was sort of very rapid training in how does, at the very least, software networking work? I think I probably learned a ton just during that short stint when I was writing this cheat software.
JACK: At sixteen, you dropped out of high school.
JACK: What did you do after that?
SAMY: I wasn’t good at school. I didn’t care about most classes so I did not do well. I was not a good learner. No one ever taught me how to learn something. I think that was something that I learned later in life. I just wish there were tools that were taught at school for me. I think I would have been a much better student. However, if I’m enjoying something, then I’ll absolutely learn it, right, I’ll spend all my time on it. I’m still not necessarily a fast learner; I’ve always known that people can pick up stuff much faster than me but if there’s something I enjoy, then I’m just gonna spend all my time on it. I’m very persistent.
JACK: Samy was living at home with his mom in Los Angeles at the time. She had recently lost her job and now that she was home more often, she noticed Samy wasn’t going to school and told him if he’s not gonna go to school, he needs to get a job to help pay the rent. So, Samy started applying for [00:10:00] any job he thought he could get.
SAMY: I got an e-mail out of the blue from a company in San Diego and said hey, we saw your cheat software, your Counter-Strike stuff. [MUSIC] Will you be willing to contract and just write code for us remotely? I was blown away. I was like wait; someone will pay me to write code? I thought this was just useful for basically writing cheat software. I had no idea that you could use it for other things. It was obvious that you could program things but I just didn’t know someone would pay me money to do that. I was really, really fortunate in getting that e-mail. I started working with them and remotely writing code for them. They never met me; we never even talked on the phone.
It was just all over e-mail. They said hey, do you want to move to San Diego and work full-time with us? I said absolutely. So, I took my mom’s car and then I just drove down and I met them. I think they were kind of weirded out because they didn’t expect a fifteen-year old to show up. They weren’t even sure if that was legal. I was like oh no, don’t worry, I looked into it. It’s totally legal. Here’s a work permit that I got from my school, which was really just a work permit I had forged and printed out. I just started working with this company down in San Diego. That was really cool. That allowed me to support myself and my mom, and she continued to live in LA but I got to start my own life down there which was really great.
JACK: That is incredible. In San Diego as a teenager, Samy was working as a programmer but eventually took on the responsibilities of a systems administrator. He was making pretty good money for his age. Then someone in LA tried to recruit him to work at a startup. This was the deal; quit your job and come work for us. Initially we can’t pay you but you can have some equity in the company and sleep on the founder’s couch while the startup gets off the ground.
SAMY: I said uh, well, thanks for that offer; no, no thank you. He said well, what do you want to do with your life? What do you want to do in the next few years? I thought that was a really good question. I honestly had not thought about it. It’s not something I’d normally think about. I thought about it for a while and I was like well, I want to learn how to start a company. I want to learn how to start a successful company that employs people and works on cool projects. He said okay, well, I just sold my last company for thirty million dollars cash. I’ve started multiple companies. I’ve done this before, so why don’t you meet my co-founder and learn with me and you can handle the technical side? I thought about that for a second and was like well, I probably won’t get that opportunity ever again, so I jumped in. I said okay, let’s do that. [MUSIC] I quit my job in San Diego, came back up to LA, slept on his couch, and that’s when we started a company called Fonality.
JACK: Fonality was creating voiceover IP solutions for companies. Samy wasn’t getting paid at first. He had some savings but was blowing through it pretty quick and living as cheap as possible, sleeping on a couch. But eventually the company started making money which meant Samy started getting paid.
SAMY: Then, I think after we were actually making money, ‘cause we had become profitable at some point, and then I had a salary. Then that salary grew as we became more profitable. At some point I was really fortunate to be able to still support my mom and also have some nice toys.
JACK: Things were really looking good for Samy at this point. He was nineteen years old, making great money at a company that he helped create. Samy was a smart young lad, but eventually he got bored. What do you get when you have a bored hacker? Yeah, you guessed it; trouble.
SAMY: [MUSIC] That’s when I started playing with MySpace. MySpace was the number one site on the internet and all my friends had it. I held off for a while and then one day I said okay, pretty much all my friends have it so I should just go on there, make an account, see what this is about. I made an account; I was like oh, this is pretty cool. It’s a social network. You can post pictures and you can post on people’s – I guess you called them profiles back then. We didn’t call them walls. You’d have music that auto-played which is terrible. You could do really awful CSS things to your page, but you could also do cool things and I really liked that. I actually really appreciated the fact that you could style the page in any way you wanted. You really could theme it and show a little personality.
I thought that was really cool and not something you get to do everyday anymore. I made a profile and at this point, pretty technically competent, or I felt that way. I thought well, maybe I can make my profile cooler than some of my friends’, just more interesting or unique. I started saying alright, well, I can do all the CSS stuff but how can I really do something interesting? I started looking and I think I had gotten a digital camera and I found that the limitation on the profile pictures was – you could only have twelve photos. I thought it would be funny just to have a thirteenth photo. It’s just a limitation that they had. No one would really notice. You’d really have to think about it or know this limitation even to realize, but I thought that would be subtle and funny.
JACK: Samy figured out that the limitation on the number of photos that MySpace users were allowed to post was set by client-side validation. He realized he could bypass this validation and talk directly to the API server, [00:15:00] and he could submit as many photos as he wanted to MySpace. It worked. Unbelievable. So cool. But now that he had bypassed one validation check, he wondered what else could he do? When you look at a MySpace user’s profile, you can see what birthday they have displayed, what their favorite foods are, their music, and movies, but there’s also a place to describe your relationship status. It was a little drop-down box. You could pick Single, Married, Engaged, or In a Relationship, but you were bound to only be able to pick one of these that were in the drop-down box. There was no way to enter your own relationship status.
SAMY: At that point, it’s like what else could I do that could be fun? I started playing around. I was just doing silly things. I wanted to see okay, if someone visits my profile and we’re not already friends, can I make them add me as a friend? I could. Then I found well, if I can control their browser, couldn’t I just update their own profile? I found yeah, whenever they visit my profile, I can make them update anything on their profile. I didn’t want to be malicious; I just wanted to do something that I thought was funny. I made it so that if you visit my profile, not only would you add me as a friend, but then you would add ‘but most of all, Samy is my hero’ to the bottom of your profile. I thought that would be kind of funny. After a few days, maybe a few of my friends would have it on their profiles and I could just be like hey, cool, point that out to them.
I release this and a few days go by, and nothing really happens. Virtually none of my friends have hit it because a lot of people aren’t going to my profile. I think okay, well, how do I make this spread a little faster? I’m thinking alright, if I can make you add me as a friend and add me as a hero to your profile, couldn’t I just copy the code to your profile as well? That way, if someone visits that profile, they’ll also add me as a friend, add me as a hero, and then the code will copy to their profile. Within my friend group, it should probably hit them all within a week or so and that’ll be pretty funny. Someone will complain and it’ll get taken down and no big deal. I launch it one night and I go to sleep. I wake up hoping to get at least a couple of hits and unfortunately, I wake up to 10,000 new friends.
JACK: 10,000 new friends? Samy was just trying to have some fun. He didn’t intend to be malicious, but then it dawned on him; he’s actually created a virus on MySpace. Anyone who visited his profile would immediately add him as a friend, but then the code to add Samy as a friend was copied to that person’s profile, so anyone who visited that person’s profile now had the code to add Samy as a friend. It just kept spreading. A virus that spreads itself like this is not just a virus; it’s a worm. Samy has just created a MySpace worm and it’s spreading way beyond what he thought it would become; perhaps he could get a few dozen friends or even a hundred new friends, but now he’s got 10,000 new friends and it’s just constantly going up.
SAMY: At that point I just freak out. I have no idea what to do. I’m sitting in my apartment and I’m kind of baffled. I realize oops, I just wrote a virus. What should I do? The problem with a virus is you can’t just remove it. I could remove it from my own profile but that doesn’t mean it’s gonna stop spreading because it’s already spread to thousands of profiles.
JACK: Were you getting flooded with messages as well? Like, you know, you’re just really popular at the same time as having friends?
SAMY: People were messaging me; they were like [00:20:00] hey, why are you on my profile? Hey, every time I try to delete you, you come back. That’s because every time they would delete me from their profile, it would return them to their own profile which re-executed the code, which re-added me as a friend. They couldn’t actually delete the virus either, themselves. They really needed MySpace to do that. At that point, I’m like okay, it’s time for damage control, as much as I can do. I e-mail MySpace anonymously.
BOT: Hi, I’m a random user of MySpace. I have no idea what’s going on. There’s some weird stuff on my profile. It looks like a bunch of obfuscated code and I’m not really sure what it does.
SAMY: But I think it does detailed explanation of exactly what was going on. I think you could fix it by; here’s a detailed explanation of exactly how to fix this problem. I just prayed that they got it. I just continued my day. At that point, I really couldn’t think. I drove to the office.
JACK: The whole time he was at work, he’s looking at his MySpace profile and just watching the number of friends he has rising higher and higher and higher.
SAMY: It went 50,000, 100,000. I could not think about anything. It was just refreshing. Went home; 500,000, 600,000.
JACK: 600,000 new MySpace friends? This is going way out of control. This has to be stopped. Samy tried to stop the worm by removing the code on his profile.
SAMY: I removed the code from my own profile but that doesn’t do anything, right? It only removes it so that anyone who visits my profile doesn’t get it, but it’s already spreading from anyone else. Once someone else has it, it would just continue to spread. There was no other way to really control it. MySpace would have to remove it themselves.
JACK: Samy goes off to work, does his shift, comes back home.
SAMY: 600,000, 700,000. It hits a million. I just take a screenshot because now I’m just like, that’s a lot of people. I had no idea that many people were even on MySpace. I just had no idea how big it was. I was hoping it would hit a hundred max over the course of a week or a month or something. Once it hit 10,000, I knew I had done something wrong. I was like oh, I did not think this through. I was just freaked out the entire time. I was super concerned because if it hit 10,000 overnight, then at that point it was obvious; oh yeah, it’s just gonna grow ridiculously out of proportion. Now I’m refreshing purely because I’m curious how fast it’s spreading. I refresh, I refresh, I refresh. At this point it’s spreading at about 3,000 people per second. As I’m doing this little test of how fast it’s moving, I refresh once again and finally, my profile’s been taken down. I’m pretty happy about this. Then I was wondering okay, the virus was probably out for about twenty hours and I’m thinking alright, does it still say ‘Samy is my hero’ on other people’s profiles?
How did they take this down? [MUSIC] I go to someone else’s profile and then I see that that profile is also down. I’m like, oh no. So, I go to myspace.com, just to the website, and it says the whole site is down; the whole team is here working on it. I felt absolutely awful. I know what it’s like to have servers that are down and I would never want to do that to somebody and I’m thinking okay, the number one site on the internet is down, and I also recall that MySpace had just been purchased by Fox for half a billion dollars. I didn’t really want Fox to come after me so I was like oh no, what do I do? I thought about it and MySpace is in LA so maybe I should just drive over there with some coffee and donuts and be like hey guys, I’m Samy. I’m so sorry. Can I help do anything? Can I write some SQL queries? What can I do? But I thought that would be a bad idea in case they were just really upset, which I would totally understand. I was worried I’d go to jail. I had no idea what the ramifications of something like this was. I really had no idea.
JACK: Did you tell anyone then? What did your friends think of this at this point? ‘Cause I mean, the people you work with and stuff, did they know that day, like hey…
JACK: …it’s going crazy. Your friends, did they know? And you’re like hey, and call one of them and say I think I just took MySpace down?
SAMY: I messaged like, one or two friends about it. I actually remember explicitly one friend I messaged just before doing it and he’s like hey, don’t do that. He was much smarter than I was. I think during the thing, I don’t think I talked to anyone about it. Maybe my girlfriend; I told her and she thought the whole thing was funny. Really, back then, it was just a social network. It was a small social network, right, nothing compared to the networks we have today like Facebook and Twitter. Granted, it was the largest at the time but it was 2005; smart phones had not come out. It was a much smaller – people on the internet just didn’t seem as serious.
JACK: At this point, MySpace is down. Like, the whole website. Samy is worried and scared. The team at MySpace is probably totally freaking out. This was the largest social networking site in the world at the time, and it’s down because Samy decided to have a laugh? This is not good. Samy’s anxiety is growing every minute that the site is down. He can’t focus on real life right now. Forget about work, forget about going out with friends. What the heck happened to MySpace? Was it his worm that took down MySpace? How much trouble will he be in if it was? Hours went by and the [00:25:00] site was still down. He was getting more and more anxious as he kept refreshing the page, waiting for it to come back up. Then, hours after the site went down, MySpace came back online.
SAMY: Actually, I feel very good that the site is up a few hours later. At this point I don’t really know what to do. I sit around, I just start working on other things. I’m kind of just waiting for the police to come knock on my door. A day goes by and a week goes by. I start getting e-mails from random people on the internet; blog writers and magazines that are like hey, we heard about this worm you wrote. I’m like, I don’t know what you’re talking about. They said, is your name Samy? I’m was like yeah, my name’s Samy but I’m not sure what you’re talking about. Then they sent me a picture and they’re like, is this you? It was my profile picture so of course it’s me. I’m like, okay, fine. That was me. They start asking me what was this about? What was your intention? I was like, this is just a prank gone terribly wrong. They ask has MySpace contacted you? I said no. Have the police contacted you? I said no. A week goes by, two weeks, three months. Finally, after three months, I’m like okay, I’m super fortunate. No one from MySpace or the police or anything ever contacted me so I’m really, really lucky. I did something pretty dumb and I’m never doing that again. I got away scot-free.
JACK: What a lesson learned, huh? To accidentally take down the largest social network in the world and not hear from MySpace or the police? Lucky guy, because you know what? Samy’s fingerprints are all over this worm. I mean, the worm follows Samy and then the worm actually says above all, Samy is my hero, so it would be really easy for MySpace to track this back to Samy, but nothing. So, Samy just goes back to his regular life, back to his job at Fonality which is starting to pay him even more now. In fact, he was making enough to buy his dream car.
SAMY: I got a Porsche Boxter.
JACK: At the age of nineteen. Anyway, he got a brand-new car and one day, he’s leaving his apartment. He goes down the elevator to the parking garage.
SAMY: I’m walking down to it. [MUSIC] It was a brand-new car, and I see two guys basically standing next to it, or sitting on it. I’m like oh no, I’m getting car-jacked. Two more guys walk up behind me and then they say Samy? I was like, oh no. I realized that car jackers, they don’t know your name. They said Samy? We have a search warrant for you.
JACK: This was a surprise. Six months ago is when he launched the MySpace worm and now they’re coming for him? Ugh. These were representatives from the Secret Service’s Electronic Crimes Task Force, the LA District Attorney’s office, and the California Highway Patrol. The Highway Patrol was there because they had suspicion that Samy’s fancy new car might have been stolen. [MUSIC] The agents took Samy into custody and head back up to his apartment.
SAMY: We all walk up and as we go into my place, there’s a dozen agents already there, going through everything. What they’re doing is they’re taking everything, so anything that has data; CD, DVD, my laptop, my computer, my Xbox, even my iPod. That was probably the worst; they took my iPod. All my music was gone. I love music so that was actually somewhat challenging because all my MP3s and any legitimate or illegitimate music I had was gone. I was kind of terrified but also somewhat go with the flow. Things happen in life and you deal with them. I’m just waiting for all this to be over and now I’m reading the search warrant because I really want to find out is this about MySpace? Is this about something else? Is this about some computers I hacked into? I had no idea. I’m reading through, reading through, and then finally I see the words myspace.com. Okay, good. So, it’s about that. At least that was one was a prank. Then I’m reading, reading, reading, and then I see another address that they’re allowed to search, and it’s my office.
So, I ask them are you guys gonna search my office? They’re like oh, we’re already there. One of the agents asked me what’s that on your counter? So, in my living room there was a table and it had some equipment on it, some smart card reader/writer stuff, and some smart cards and stuff. He’s like, what are you doing with that? At this point, I’m thinking okay; the Secret Service agent just asked me what these smart cards are. In my head I’m like, should I tell them or should I lie about what this is? My friend was staying at my apartment to work at my company. I was showing him that I had hacked the laundry machines in our apartment building so that I could get free laundry. I was basically cloning smart cards or replaying the information from a smart card to make it appear that it had more money than it did. I decided I should not lie to these people so I just told them that and fortunately, they all just laughed. Nothing else came of that.
Afterwards, they collected everything and then they walked out. I’m like hey guys, are you taking me with you? They said no, no, you’re not under arrest, at least for now. I said oh, okay. Then they walked away. All of a sudden, I just had no computers. I went to the office and fortunately, somehow the CEO was able to convince them that I was an intern and that I had no access to anything because when they came in, they said hey, what does Samy Kamkar have access to? [00:30:00] The CEO was like well, everything. They’re like alright guys, take everything. This is a Cloud-based company, so you take everything. Back then we ran all the servers, so they were about to take all of our servers which would just bankrupt us instantly. Fortunately, he convinced them something else, that I was an intern or something weird, and they only took my stuff; just my computer and my phone. At that point I got an attorney and we ended up basically fighting with the LA DA for about six months.
JACK: The Los Angeles DA charged Samy with modifying data on a remote machine. In settlement talks, prosecutors proposed that Samy serve some time in prison and not be able to use his computer for the rest of his life. Keep in mind that Samy was supporting his mother and as a high school dropout, his only skill set and his livelihood were entirely dependent on using a computer. Samy was so bright and gifted and passionate about computers and technology and the internet and hacking. You can imagine how scary it was for him to face the prospect of having to live the rest of his life without ever being able to use a computer again.
SAMY: [MUSIC] Probably the hardest part, really, the hardest part of anything, I think at least for me, is not knowing what an outcome will be. I think it’s much easier to deal with maybe even the most challenging outcome if I know that’s going to happen. You just tell me okay, I’m gonna go to the prison for the rest of my life, then I can at least mentally try to prepare for that but not knowing was just really difficult to deal with. But ultimately, I took a plea agreement with them and the plea agreement was no prison time, so that was nice. However, I would not be able to touch a computer for the rest of my life. That was still in there, and probation indefinitely. I would have to pay some restitution, I’d have to do a ton of community service, like picking up so much trash.
Glad I could really help make those streets cleaner. But the silver lining was that if I was on good behavior, if my probation officer said I was a good person, after some number of years I could get everything removed. As long as I completed my community service, I would be able to get rid of the probation and be a normal citizen again and be able to touch a computer and the internet. I said okay, well, that at least is a known quantity. I don’t think I’m going to be writing anymore viruses. I can do a couple years of no computers, no internet. So, I agree to that. I was probably twenty at this point because this process was just such a long process. One day, I went to court and all of a sudden, I can no longer touch a computer or touch the internet. In fact, it also explicitly stated I could not access myspace.com, in case I was somehow able to access it without the internet or a computer.
JACK: That was it. Samy had lost everything. I mean, forget about the Porsche at this point because on top of all this, they gave him a $20,000 fine. Between having to pay all the lawyers and the fine and still having to support his mom, yeah, he was almost completely wiped out, almost back to zero, living as cheap as possible. But still, forget all that. I don’t think Samy cared about the money at this point. He was back to trying to figure out what he should do with his entire life. No internet for life? Everything he’s been working towards, all his skills and knowledge, are useless now. Samy had 720 hours of community service he had to complete, so every Saturday morning he’d get up at 5:00 a.m. and go clean trash on the side of the highway for years. Even if he did six hours every Saturday, that’s still just 300 hours a year. Everything about Samy’s life was changed and he had to find new things to do that didn’t involve a computer to keep himself busy.
SAMY: But I was really fortunate; I met new people. I spent all that time just doing other things that I had never really spent time doing. I went outside, I saw the sun. I was like ah, it’s so bright, but I got used to it. I made friends. I turned twenty-one so I could start going out meeting people. I started learning to socialize a lot more so it was really, really beneficial to me and something I wouldn’t really change today. I learned so much from that experience and I think it was good for someone so introverted and so stuck to a computer to be able to go out and experience other things.
JACK: So, Samy spent years of his life offline doing his community service and trying to socialize with his friends. But the story doesn’t end here. After the break, Samy gets to use computers again. [00:35:00] After two years of probation, Samy has served all 720 hours of his community service. He had great behavior. The probation officer didn’t find anything wrong that Samy did and since he had such great behavior, they went back to court to see if he could get the probation lifted.
SAMY: After a few years, I went back to the court and said hey, my probation officer loves me. It says I’m her favorite client. They said okay, you are allowed to touch computers again. [MUSIC] That was a very interesting experience. I felt really weird touching a computer afterwards. You kind of just get used to the rules that you’re abiding by and it’s definitely an awkward feeling, jumping back in.
JACK: What happened on that day that you got it back?
SAMY: I definitely remember that day because I drove to the LA courthouse and after I left the courthouse, I drove to the Apple store and found whatever the latest top-of-the-line – I don’t even think it was a MacBook. It might have been a PowerBook at that time. I bought the top-of-the-line PowerBook and I went to a coffeeshop. I pulled it open, I connected to the WiFi, and I visited a couple websites. I think I visited Slashdot just to see what’s going on. I just felt really weird and I just shut the laptop and I went to go hang out with friends.
JACK: This started the next chapter in Samy’s life. Now that he was free to use the computer again, he eventually got back into it, way into it. Even though he hadn’t been allowed to use a computer for the last two years, he had spent that time thinking of all sorts of things he can do with them.
SAMY: During that time that I had no internet, I had no computers, I started thinking about new exploits, new ways to really manipulate more systems and exploit routers and exploit firewalls, and just had some concepts literally just in my head and I couldn’t confirm whether they were accurate or not, whether they would work after I came back online. I started thinking well, this stuff is fun. Maybe I can do this stuff but not impact websites, not impact people negatively. How can I investigate the technology around us, look for the vulnerabilities around us and then share that information publically in an entirely legal way? People actually understand the problems and can use solutions.
JACK: So, just six months after Samy had completed his probation for hacking MySpace, it was 2018. Samy was around twenty-one years old and he starts looking into hacking credit cards, specifically the NFC and RFID chips on them.
SAMY: Yeah, some other researchers and myself, we were looking at these NFC credit cards which are becoming a lot more ubiquitous today, but back then – it was kind of funny, they actually came out with these credit cards with NFC and pretty quickly – they were encrypted, some were encrypted. However; you could actually just buy a chip with the decryption key. You would just buy a chip from a company and you could then decrypt anyone’s credit card, access their credit card info, and then literally steal stuff with it. That was not my intention but I wanted to show that this stuff is not secure. I just created a proof-of-concept that opened up this to some additional credit cards. There were some other tools that did similar things for other types of credit cards. I know mine was a VISA Chase card that no one had done this for yet.
JACK: How close to someone do you have to be to get their credit card details? Does it work from far away?
SAMY: I haven’t really experimented with how far you can do it. I’m not sure. You do need to be close to them; it’s very easy to be within proximity of many, many people. You just go to a crowded place and now you can steal many, many credit cards and then you can go home and buy a ton of stuff online or you can sell those credit cards online and steal money.
JACK: Even just bumping up against someone in a line, if they have an NFC or RFID vulnerable credit card in their pocket, that would be good enough to steal their credit card, right?
SAMY: That’s correct.
JACK: That’s such a trip.
SAMY: You know what’s funny is after releasing that and demonstrating that, NFC then disappeared from our credit cards. It only recently re-emerged in the past few years and now with much stronger cryptography and additional safeguards from these sorts of attacks. However, there are other attacks. It will always be cat and mouse. Nothing is ever perfectly secure and to be fair, it’s much easier to be the attacker.
JACK: While Samy studied how to hack the chips within credit cards, he never did anything malicious with this. He never actually stole anyone’s credit cards that he didn’t have permission to steal. [MUSIC] Instead, he started blogging about this and teaching others about the safety involved with these products in an attempt to make them more secure. From then on, Samy would continue to research the security of so many more things, but always in an ethical and safe way. He would do this on his own equipment and disclose what he found to vendors. For instance, Samy recently released a proof-of-concept to show how you can steal passwords and encryption keys by just listening.
SAMY: This sort of stuff has been done for years by [00:40:00] other people, by researchers, and I’m just trying to see can I do this on a two-dollar chip or an Arduino that many people know how to use and many makers can just buy off the shelf, and then can they perform these types of attacks? There’s attacks out there where researchers have demonstrated just taking a phone, a regular phone, putting it near a computer and when a computer is doing some sort of cryptographic operation and maybe it’s encrypting an e-mail, maybe it’s trying to send some Bitcoin, maybe it’s doing a financial transaction, maybe it’s logging into a bank. When any of these things are being done and the processor is processing those instructions in a certain order, well, that processor requires power and different instructions require different amounts of power. Addition will be less power than a multiplication which is really just a bunch of additions.
You can then measure that power but if you have a phone, you can use the microphone. Let’s say I put a phone next to someone’s laptop and they’re encrypting and e-mail with a secret key. Well, when that CPU is pulling power from all these capacitors, those capacitors are going through this thing called electrostrictive effect and they’re physically moving inside your computer. They’re moving at a speed, a rate, against the circuit board inside that produces ultrasound. [MUSIC] You and I can’t hear ultrasound but the phones that we have, the mobile devices we have, those microphones actually can listen all the way into the ultrasound range. If you have, say, an Android device with the microphone enabled and it listens to that ultrasound, you can then look at that sound, that amperage or the volume of the sound, and then correlate it and say well, the higher the sound, the more power those capacitors are using and feeding to the CPU.
If I know it’s this much power for this long, well, I can do timing and power analysis and say well, that means you’re doing an addition here or you’re probably doing a jump or a branch here, or a comparison here. This looks like you’re doing an AES encryption, a 128-bit key. If you’re encrypting with a 0-bit versus a 1-bit, that’s gonna take different instructions with a different amount of power and then I can fully recover that key. It’s pretty impressive, and these are the types of attacks that are really exploiting physical phenomena, things that a software developer might implement something perfectly, but there’s still these other attacks.
JACK: Samy continued finding new areas to do security research in and at some point, he got interested in cookies. [MUSIC] Cookies are what web browsers use to remember who you are so when you return to a website, they can log you in or show you content that’s just for you. Cookies are a tracking mechanism and browsers store these cookies on the user’s computer in a very specific location. But as Samy looked into it, he was noticing some websites figured out a way to track users without storing the cookie in that traditional location. For instance, some sites ran Flash to display fancy graphics. Well, when you get to that website, the Flash video is downloaded and stored on your computer and the next time you go to that website, your browser checks to see if you already have that video or if you need to download it.
SAMY: But people were really concerned because some researchers found that some companies were using Flash to store cookies on people’s computers. The benefit of this was that if a user deletes their normal cookies, their normal web browser cookies, which is what advertisers use to track you, well, then the Flash cookie was essentially acting as a backup and really surreptitiously because they obviously did that intentionally because they knew users might delete their normal cookies. I was thinking well, your processor’s a pretty powerful piece of software. It does a lot of things. I wondered what other mechanisms where I could actually store information locally, and again, this is sort of a proof-of-concept to demonstrate what are all the ways that we can store information on a person’s computer whether they know it or not?
JACK: This Evercookie project that Samy made really demonstrated how easy it is for websites to track their users even if they delete their cookies. This was a really effective technique, so effective that when Snowden released a bunch of classified documents about what the NSA is doing, in there it even said that the NSA sometimes uses Evercookie to track its users through Tor.
SAMY: A couple people pointed out to me over the years that different governments have been using Evercookie to try to track people. It definitely feels good that federal governments are using my software; granted, they’re doing it for a reason that I’m not into. But I actually think the net gain of the entire project is extremely positive because what Evercookie really provided and still provides today, is an asset test. Now, browsers essentially [00:45:00] can use Evercookie to see okay, does my private mode, does my incognito mode, does that provide the necessary protection to make it challenging to track this user at least using local storage mechanisms? Before Evercookie, there was nothing like that so no one knew about many of these techniques. It’s very trivial for any company or government to then generate their own techniques.
But by consolidating it into a very simple to use library and always trying to keep it up to date – people today are still updating Evercookie with new techniques. Modern browsers that want to provide consumers and users and businesses privacy, it gives them that capability because they know okay, I’ve tested it at least against Evercookie which is sort of state-of-the-art and local storage mechanisms. Evercookie can’t track it, so at least it makes it very difficult. Governments who are using it, they’re really only able to track all browser users who don’t upgrade their browsers or operating systems, where people who actually do care about their privacy, those people typically know to use modern, up-to-date software. I think the overall net gain is extremely beneficial.
JACK: Let’s talk about Skyjack then, ‘cause I think this is a really cool project. What is Skyjack?
SAMY: Skyjack started when I started hearing that Amazon was potentially going to use drones to deliver packages. I thought that was really cool. I think it’s really awesome that we have drones. I think drones are super interesting. They’re low-cost and they’ll probably enable a lot of really useful things for humans. [MUSIC] However, I was somewhat concerned that that was the idea, I was like, delivering just packages because I don’t really know if there was any security on drones. I wasn’t sure. I really didn’t know anything about drones so I went out and I bought the most ubiquitous consumer drone. Then soon after, I also bought industrial drones, the type of drones that police use. Immediately I started looking to see what are the protection mechanisms, at least in the consumer drone. Immediately I found absolutely zero; literally none. One drone was using essentially WiFi to be controlled and you could hijack that connection.
You could only have one person controlling the drone at a time so if – I would just essentially kick that person off and then I would take over. Then I would modify the drone’s software so that the person could never log back in and then I would have full control. I found that I could do that, and then I started looking at more industrial drones and found that they did have encryption. However, that encryption was not good at all. Basically, if you sat on a radio frequency channel, essentially, it’s doing frequency-hopping. The transmitter is jumping around to different frequencies for various reasons; partially security, partially to prevent jamming or if there’s a lot of interference, that interference will disappear after it hops to the next frequency. But that was also based off the encryption key. I found if I could sit on a single frequency and I see two packets come in from that drone, essentially it would have hopped hundreds of times, and then I jump onto another frequency and I see it hop on that frequency two times. All of that would typically take a couple seconds, tops. I would then be able to reverse the key within a second.
I would be able to understand what the encryption key is, and then I would be able to hop along and take over that drone as well. At that point, I put all of this into an open-source project called Skyjack. I put it on GitHub and I took a Raspberry Pi Linux computer, I put my software on it, I added some WiFi transceivers and some Sub-Gigahertz transceivers for the industrial drones. You would then attach this Raspberry Pi to your own drone and you’d fly your own drone around. While you’re flying your drone around, if Skyjack ever saw another drone on any of these wireless frequencies or within wireless range, it would then hijack and take over that drone. You would now be in control of both drones. In fact, any wireless drones that you found in the vicinity, you would take over all of them and you’d be controlling a swarm of zombie drones, entirely under your control from one transmitter. That was the proof-of-concept there. It was a really fun project, especially fun to be testing it. Of course, I was testing only on my own drones that I owned, but it of course affected pretty much all models of all major drones at the time.
JACK: Now, I’ve flown a drone and one of the scariest feelings I’ve ever had is when you lose control of the thing and it just starts doing its own thing for whatever reason, right. I mean, that’s a little bit evil what you’re doing here.
SAMY: I’m not taking over anyone else’s drone; I’ve only taken over my own.
JACK: Okay, but giving the world the ability to do it? I don’t know.
SAMY: I would disagree with that statement because the world has always had that capability of doing it, right? How do you know other people aren’t doing it already? I would actually suspect that there are plenty of organizations who are doing it. They’re just not gonna tell you about it. They’re not gonna put it on the internet. They’re not gonna put it on GitHub and let you know that they’re taking over people’s drones or that they’ve developed the software and hardware necessary to do it. They’re just going to create that and they’re going to stockpile it so that they can use it against people or companies or governments at their will. That’s what we found when the NSA leaks came out; we found out that they were stockpiling all of these vulnerabilities including major, major vulnerabilities that affected many – and even the NSA that wants to protect America knows that everyone’s running, say, Windows computer – or many people are running Windows computers. They stockpiled Windows vulnerabilities, zero-days that nobody knew about.
It was only when one of these databases from the NSA was leaked that [00:50:00] criminals were then able to use those exploits and actually attack many, many millions of computers around the internet, Americans and non-Americans. I don’t think it matters where you’re from. What I’m doing by releasing this stuff is demonstrating that yes, this is the issue and you can patch it. If I don’t release it, then the issue will continue to exist. You might ask well, why don’t I just directly communicate with the companies? Often, I do and I found over time that when you communicate directly with companies, they typically don’t resolve these sorts of things unless you’re talking maybe existing, specific software vulnerabilities in their architecture. But if you’re saying hey, you’re not using encryption or you’re using it really wrong or it’s really the underlying protocol that is the issue, I found that that’s when people don’t actually resolve anything.
That’s when I started releasing stuff publically and finding oh, if you release a cool proof-of-concept that demonstrates the real problem, the underlying, core problem, even if it’s not necessarily an issue with maybe the manufacturer but rather a problem with the underlying protocol and just assumptions that were made, there is enough public pressure that causes that company to then resolve that issue due to the public pressure, not due to the vulnerability itself because that’s often what companies are trying to do and no fault to them; they’re trying to do what their customers want. They’re trying to do what might move the needle for them and I found that this is an effective and appropriate way, I believe, to move the needle in a direction that I believe will help many people overall rather than just the manufacturer or company or specific organization.
JACK: Has any company gotten upset with you and tried to come after you for some reason of disclosing vulnerabilities in their system publically?
SAMY: I’ve gotten cease-and-desists many times and that makes it extremely fortunate that the EFF, the Electronic Frontier Foundation, they have actually been very helpful to me. They’re a non-profit of attorneys who are really just looking out for consumers and digital rights. Your ability to have free speech online, your ability to inspect the software and hardware you use, the ability to own the things that you purchase. There are companies who are trying to take this away from us but the EFF, I’ve been really fortunate where they’ve defended me in some of these regards. I’ve never had to succumb to and actually agree to a cease-and-desist to this day.
JACK: [MUSIC] For the last decade, Samy has continued to take on very interesting projects; hacking into stuff and exposing vulnerabilities. Like, another thing he found was that smart phones were tracking their users without their knowledge which was a revelation that led to a class action lawsuit.
SAMY: This all started because I was looking at, I think a beta version of Firefox at the time. I was looking at the release notes and it talked about geo-location. I said well, that’s interesting. I’ve always been interesting in location, like being able to locate where someone is whether it’s on their cell phone or their computer or their laptop or whatever. There’s always been these geo-IP databases that sort of give you a geography but really, they’re maybe accurate to the city but often not. Even city accuracy is not that great. I saw this thing about HTML 5 geo-location in a Firefox beta and I started investigating. I wrote some code according to their API of how it worked. I ran it and all of a sudden, my browser showed me exactly where I was. Like, literally, it showed me the physical address of my home. I was like, that’s absolutely crazy. I’m on the laptop and my laptop does not have GPS. I know that for a fact. So, how does it know where I am?
I started sniffing the packets to see where it was going and granted, you could just look at the source code. It’s Firefox, so it’s open-source. After sniffing and I think maybe intercepting the TLS, I saw that it’s taking all of the wireless MAC addresses, all of the unique MAC addresses of all the routers around you, NAPs, and sending that to Google. Even if your wireless routers are encrypted, and even if you don’t have one and there are other people who have them, even if they’re encrypted, the MAC address is a unique identifier that is unencrypted. Your computer sends all of those to Google, and Google returns the exact location that you’re located. You’re also sending not only the wireless routers but the signal strength of each of them, so then they can actually perform what’s called trilateration. [MUSIC] It’s like triangulation but essentially, they use that signal strength to then really accurately determine where you are. I’m like, this is absolutely crazy. How are they figuring all this out? I found that you’re basically sending all of these unique MAC addresses of all these routers around you and Google would send back your exact location. Then, I’m wondering well, how does Google know where all these routers are?
I thought about it some and I thought about it some more, and I realized oh, there’s these Google street-view cars and these Google street-view cars are driving around and they have cameras on them. That’s where you get street-view from, that really helpful feature of Google Maps where you can see a street-view. I realized that they must have computers and WiFi systems on there that are also monitoring for these WiFi MAC addresses and then correlating it with the GPS of the street-view car, and then uploading it all to Google. That’s how they’re getting this information. I was like, that’s really clever. I started doing talks about this because I then found a way that I could essentially abuse that API and use it for myself whenever someone visits my website and I could see exactly where they were. [00:55:00] I could even show them; you’d come to my website. Without your authorization, I could then send your MAC address and find where you are. I was talking about this in Bratislava in Slovakia, and afterwards someone said hey Samy, it’s interesting but fortunately this does not apply to us because Google street-view cars are not allowed here. [MUSIC] Interesting, so I’ll just give it a shot and try running it just to confirm.
Oddly enough, it still worked. It actually worked very accurately. I was like, wait a second. I don’t think Google’s lying; I don’t believe that they’re doing something illegal. I don’t think they have street-view cars when they say they’re not doing that, and you would notice. Those cars would stick out with these massive sensors on top of them. So, what else might Google have access to, especially in somewhere random like Bratislava? I thought a little bit more and then realized oh wait, Android phones. There are Android phones everywhere and I wonder if these Android phones are actually wardriving machines. After reverse-engineering some binary blobs on Android devices, this was not actually in the source code that I could find. I found these binaries that were essentially grabbing all WiFi MAC addresses and sending the signal strength of all these wireless routers up to Google, along with GPS coordinates. Essentially, every Android phone in existence is a wardriving machine for Google that’s grabbing all this information, grabbing all this location data. So, even if you don’t use an Android phone, other Android phones near you are then taking your router’s information and sending it up with their location.
JACK: Samy also figured out that iPhones were doing the same thing but sending the data to Apple instead of Google. What’s worse is that in some cases, this was happening even after users turned off the location services or GPS.
SAMY: Well, this was encrypted so it took a little time to really understand what was going on and reverse-engineer some of that stuff. To really just demonstrate this as a fun proof-of-concept, I created a tool; really just a simple mobile app that behaved just like Google Maps. I found that Google was actually doing something really clever with their information. Not only were they collecting where everyone was at all times via Android devices, but that’s also how they collect traffic. That’s how you know whether a street is green, yellow, or red and whether there’s traffic or not in Google Maps, is because all of the phones are constantly delivering their GPS location. If you time that, if you say alright, I’m here now and in ten seconds I’m here, well, you can calculate the distance they traveled over that time and know how fast they’re moving. That’s how they get Google Maps traffic.
JACK: Samy thought about this for a minute and realized if the Android phones are the ones that are delivering data to Google and giving the traffic updates for the Google Maps, could he somehow exploit that? Could he somehow trick Google’s servers into thinking there’s a traffic jam when there’s really not?
SAMY: I created an app that was just like Google Maps. You’d start from point A and say I’m at this location and I want to drive to wherever, to West Hollywood. It would give you turn-by-turn directions but on those turn-by-turn directions of my route, it would simultaneously pretend to be thousands and thousands of other Android devices. All those devices, all those fake devices, would send up information to Google saying hey, I’m one of these Android devices and I’m moving zero miles per hour. All of a sudden, my route, the route that my app gave me, would turn red and black for everyone else and they would get diverted to different routes on Google Maps. Hopefully, my route would be a little bit faster as there would be less cars on the road. That was sort of my proof-of-concept of demonstrating this issue. [MUSIC] Some of it is good to even continue even when you’ve turned off these features, like location.
JACK: I love this hack. To make it so wherever you drive, Google Traffic is diverting drivers to go away from you because it’s congested wherever you are, even though it’s not congested where you are. You’re just sending fake data to Google. It’s just brilliant.
SAMY: Yeah, it’s a proof-of-concept just to poke fun at the information and just demonstrate what this information is capable of doing.
JACK: While this is cool, the underlying issue here is that users were unknowingly sending their exact location to Google. I don’t know about you, but I don’t personally like that Google knows exactly where my phone is at all times. I just think it’s a violation of privacy of some sort. You know what? I’m not the only one who thinks that.
SAMY: Yeah, so ultimately the biggest issue was that people weren’t accepting that A, they were sending all this data up, so ultimately both Google and Apple had to appear on Capitol Hill because they previously said no, we’re not tracking you. This research demonstrated that yes, in fact, they were tracking exactly where you are virtually at all times. In some cases, against your consent when you’ve turned off location services on Apple. Again, those devices were still sending information that allowed full location of where you were because it was sending MAC addresses which they already knew where those were. It’s simply one-step correlation in a database they already have. It’s not really fair to say that they’re not grabbing at information. Ultimately, they did resolve these things. It’s funny; the same thing is still happening, right? All these phones are still doing the same things. The only difference is now you click OK when they say they do it. But the benefit here is that for people who don’t want this sort of technology to run, they can say no on their phone. The scarier thing though is that even if you don’t even have one of these phones, [01:00:00] it’s all the phones around that are still collecting that information of your router, of the devices on your network even though it’s somebody else’s device.
JACK: I saw a video the other day about a guy who put like, a hundred Android cell phones all in a wagon and slowly walked down the road. This triggered the Google location API thing to make it show that the road was really congested and made it turn red, as well. It looks like this API is still under attack just by researchers and people doing weird stunts and stuff. So, yeah, Samy has a pretty cool YouTube channel. You should check that out. He’s also given a lot of talks at various conferences like jeez, all over the world. How many talks have you given at this point, Samy?
SAMY: I don’t know; maybe fifty or so.
JACK: Where are you working now after all this? I mean, this is just such a whirlwind life you’ve had so far.
SAMY: I’ve started a company called Openpath with some friends and we’ve been growing quite a bit. I’ve done some research in RFID and cloning badges and being able to demonstrate how to break into buildings many years ago. We found that technology has not changed in the ten years since I’ve looked, wrote software that was able to clone badges and break into various levels of security for physical access for buildings. We were sitting around and thinking well, why is it still a problem and it’s still inconvenient? Why do I have to carry around this thick card in my wallet? I’m trying to get rid of my wallet. We ended up building this business called Openpath where you can essentially have physically access control for businesses and buildings where A, you don’t need a card. You could use a card if you wanted but you could just use your phone.
Your phone actually has really strong encryption. We have things like TLS, we have AES, we have open encryption standards that people have been trying to break for many, many years and haven’t, that are entirely open and can be inspected by anyone. We’re using those technologies to essentially unlock doors and you don’t even need to pull your phone out. You literally just get within Bluetooth range of one of these devices and you can walk right in as long as you have authorization. We’re trying to really make a modern and Cloud-based and secure way of getting into buildings that is just really convenient ‘cause I’m just trying to get rid of the things in my wallet and this kind of technology, it’s just really interesting.
JACK: Yes, that technology is interesting but so much technology is interesting and we live in a time where technology is in abundance, all around us. If you think about technology as much as Samy does, it’s like a playground for him; to be able to tinker with it all and take it apart, and put it back together in ways it was never intended. Samy’s hacker mindset is still going strong today and it will probably be strong for decades more to come, provided he doesn’t accidentally launch another worm and take down the largest social networking website once again.
JACK (OUTRO): [OUTRO MUSIC] A big thank you to Samy Kamkar for coming on and telling us all this. To learn more about what Samy’s up to, check out his website. It’s samy.pl. This show is created by me, a replicant, Jack Rhysider. Production assistance from John Kalish. Sound design by Andrew Meriwether. The theme music was created by the mysterious Breakmaster Cylinder. Even though some bro is gonna ask me how to make money on the darknet every time I say it, this is Darknet Diaries.
[OUTRO MUSIC ENDS] [END OF RECORDING]