
17-year-old claims responsibility for Twitter worm  - peter123
http://www.bnonews.com/news/242.html
======
Alex3917
While this is probably illegal, Twitter clearly does need people to help them
fix their system. The last two years' worth of my tweets got deleted yesterday
for no reason. That's an outright embarrassment to them, and it makes me angry
as well.

~~~
andr
A quick calculation shows that all of Twitter's tweets come to about 260GB
uncompressed (including 40 bytes of metadata for each tweet). The social graph
would be about another 200GB. Given that the entire Twitter could fit on a
high end laptop's drive, it's weird that they wouldn't have enough replication
to avoid data loss. Even if you assume the data is doubled because of
denormalization, it still seems fairly manageable.

~~~
Dilpil
You know we would love to see the calculation.

~~~
staunch
My guess is he's looking at a recent Twitter status_id from the public
timeline[1] and multiplying it by 180 bytes. Wildly inaccurate no doubt.

1. <http://twitter.com/public_timeline>

~~~
andr
About a week ago there were 1.4 billion tweets and 27 million registered
users, based on the tweet and user IDs. If anything, that number is slightly
more than the real thing, because of deleted tweets and spam. I multiplied the
tweets by 200 bytes (I added 40 bytes of metadata, and a 20 byte premium for
any unicode tweets).

The size of the social graph is harder to estimate. Out of a sample of 459,000
"more influential" Twitter users, the average user follows 262 other
twitterers. So the information in the social graph is about 30 GB, assuming
64-bit IDs. They potentially store an edges table of the form
(user1_id,user2_id) (60GB), and a denormalized list of followers and friends
for each user (30GB each). This comes to about 120GB (I revise my earlier
number).

Yes, it's a very rough estimation, but it is in the right ballpark.

------
buugs
I know a large number of people here are against using vulnerabilities to do
anything but in all honesty we need more of these kinds of deviants (the ones
who do little to no harm while exposing bugs and glitches). Sure we could all
wish for a world where everyone followed rules and respected everyone else so
much they could leave their doors unlocked but I think everyone would settle
for more people like this.

That is if he was honest in the interview and what he did.

~~~
pxlpshr
The problem with that assumption is the same problem people make with
consumers; you're expecting them to be rational. This guy was launching a
Twitter-clone and blatantly attacked the Twitter service. If it wasn't for the
fear of repercussions in regard to JAIL TIME, I doubt he would have ever come
clean.

“I am the person who coded the XSS which then acted as a worm when it auto
updated a user's profile and status, which then infected other users who viewed
their profile. I did this out of boredom, to be honest. I usually like to find
vulnerabilities within websites and try not to cause too much damage, but
start a worm or something to give the developers an insight on the problem and
while doing so, promoting myself or my website.”

OH RLY?! Promoting yourself and your website by writing code that, despite his
ridiculously naive belief, reflects what MILLIONS OF CONSUMERS COMPLETELY
DESPISE in the form of disruptive viri, malware, spam, etc. Absolutely
everything a consumer hates, he decided to be a marketing gimmick to attract
people to his web site. In case he didn't get the memo, honest twitter-app
developers have a difficult enough time convincing users to give them their
l/p for value-added services that have no intention of creating disorder.
Thanks for making that job easier.

Jesus h...

~~~
zaidf
>he decided to be a marketing gimmick to attract people to his web site.

(1) At least it was only a marketing gimmick. Do you not know how much more
damage a worm such as this could do if the author chose to?

(2) You make it sound like it was some well thought out scheme for him to
become a millionaire. No, it was something he seems to have launched and it
just caught fire and spread like crazy.

For a 17-year old, I would say this is pretty expected behavior.

Edit: Just read that the worm apparently deleted buncha tweets. If that is the
case, that is pretty bad and crossing the "funny" line.

~~~
pxlpshr
(3) If you're going to quote anybody, at least quote the source.

 _Mikeyy explained to BNO News that he created Stalk Daily from “boredom” and
because he “needed a way to make money.”_

Sounds to me like premeditated criminal intent.

------
bbuffone
Yeah he probably should not have created the worm. I got bit by the worm today.
But... the real problem is Twitter, they constantly demonstrate their
inability to run a prime time website.

Outages, security issues, multiple times a day the page renders in different
unusable ways. The only real reason they get a free pass is the site is mostly
an entertainment product and has marginal usefulness.

I use the site to communicate but if it doesn't work I just go to Google
trends to see what is happening or just ask people via Skype what's going on.

------
cstejerean
Can someone elaborate on what the following paragraph is trying to say? I
can't seem to follow.

Through looking at the code behind Twitter, Mikeyy was able to produce a
similar site to Twitter with some additional features. “I used my past
knowledge to gain an insight on how Twitter worked and outputted to a user.
Although both of the sites are coded in different languages I was able to give
my site the same features as Twitter, while coding some of my own.”

~~~
andr
He built a Twitter clone (StalkDaily.com) which completely copies Twitter's
HTML.

~~~
cstejerean
Understood, although a sentence like "Although both of the sites are coded in
different languages I was able to give my site the same features as Twitter,
while coding some of my own."

doesn't make any sense to me. It sounds like I'm either not understanding
something or that it's not a very coherent sentence.

------
chaosmachine
Myspace was targeted by something similar a few years ago. The worm creator
was hit with a lawsuit and "three years probation, 90 days community service
and an undisclosed amount of restitution."

<http://en.wikipedia.org/wiki/Samy_(XSS)>

------
antipax
While his hack was (semi-)cool, his motives and actions post-attack were not.

------
qeorge
Hadn't he put a message up yesterday saying he wasn't responsible?

~~~
tlrobinson
Yeah.

 _"For everyone wondering, I did NOT promote and/or was involved with the
spamming ON Twitter. All bad things you are hearing about this site is not
true. Please reconsider as I am not the person who did this…StalkDaily is a
website that follows the same functions as Twitter, except more advanced How?
Well, instead of just adding an “update status”, people can add pictures and
videos. Then you can stalk them, so when they upload a video or picture, or
comment someone, you’ll know!"_

<http://www.techcrunch.com/2009/04/11/twitter-hit-by-stalkdaily-worm/>

Pretty lame, if you ask me.

------
gojomo
It's hard to tell if this is a credible news source.

~~~
tlrobinson
The kid admitted to it on <http://www.stalkdaily.com/>

~~~
gojomo
Thanks for the independent confirmation... call me paranoid, but I wasn't
going to visit stalkdaily, an alleged source of XSS attacks, myself.

~~~
Zev
You could just, you know, log out first. Especially if you know exactly what
it's going to do beforehand.

~~~
gojomo
Log out from _every_ account that might have an XSS vulnerability? That's a
tall order. You don't know what a proven-untrustworthy site is going to do
before you visit.

I suppose I could visit with lynx/curl/etc., if my curiosity were strong
enough.

But either of those strategies is a lot of trouble for very little payoff.

