Darknet Diaries - 61: Samy
Episode Date: March 17, 2020

Samy Kamkar is a hacker. And while he's done a lot of stuff, he's best known for creating the Samy Worm, which spread its way through a popular social media site and had crazy results.

Thanks to our guest Samy Kamkar for telling his story. Learn more about him by visiting https://samy.pl/.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14-day free trial.

Sources

Samy's YouTube Channel
Video: MySpace Worm Animated Story
https://samy.pl/myspace/
https://www.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
Transcript
Hey, it's Jack, host of the show.
When I was a kid, I got an ant farm for my birthday.
It's like two panes of glass with some sand in between,
and you can watch the ants dig tunnels and go about their day.
It was really cool.
But when you get the ant farm, it doesn't contain any ants.
You have to order the ants, and they're mailed to you.
And the first thing I thought about when I was a kid and I heard about this was,
wait a minute, I can mail ants to anyone I want? And I think that is basically the hacker mindset,
to completely ignore something's intended use and find new ways to employ it. Today,
we're going to talk with a hacker who sees the world this way,
and we'll hear all the joy and trouble it's brought him over the years. These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by DeleteMe. I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless
and it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and continuously works to keep it off.
Data brokers hate them because DeleteMe makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for
Darknet Diaries listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries
and use promo code DARKNET at checkout. The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DARKNET at
checkout. That's joindeleteme.com/darknetdiaries. Use code DARKNET.
Support for this show comes from Black Hills Information Security. This is a company that
does penetration testing, incident response and active monitoring to help keep businesses secure. I know a few people who
work over there, and I can vouch they do very good work. If you want to improve the security
of your organization, give them a call. I'm sure they can help. But the founder of the company,
John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
Okay, today we're going to have a chat with someone so infamous.
He has his own worm named after him, the Samy Worm.
That's right, today we're talking with Samy Kamkar.
Samy is a hacker in almost every way.
He does things he's not supposed to do.
He's the kind of guy that thinks buttons are toys,
and you push them for fun just to see what they do,
which often ends up breaking something.
I was never a malicious person at all.
So all this hacking, all of this exploitation, it's really about a puzzle.
To me, this was all a puzzle, a really fun puzzle.
There's a lot of reasons to call Samy infamous. But to tell his story,
we need to go back to his childhood.
When I was nine years old, my mom bought me my first computer. Sort of spent everything she had so I'd have something to do during the summer. She knew I loved computers. I'd always go to the
library with her or to her university
and go and just spend all day at the library on the computers that they had.
And immediately I went online and I started searching for The X-Files,
which was obviously the best TV show of the time.
I found some message boards and that quickly became really frustrating
to have to refresh and refresh and wait for people to update that message board.
So then I found something called IRC, Internet Relay Chat.
And I jumped on.
I went into a channel and said, hey, who wants to chat about The X-Files?
And immediately someone told me, get out.
And I'm thinking, that's weird.
This is like a random person I don't know on the Internet.
And they're telling me to do something?
No.
So I told the guy no.
And then he said, you have 10 seconds to get out of this chat room.
And I said no.
And 10 seconds later, the brand new computer that my mom spent everything on crashes.
I had a blue screen and I freaked out.
I had no idea what to do.
I pulled the power from the back of the computer.
I waited about half an hour for all the bad stuff to get out of the computer. I think that's what
you're supposed to do. And then I plugged it back in. And fortunately, it came back up. Everything
was fine. But really with the adrenaline still rushing through my veins, I was thinking that
is the coolest thing ever. How do I do that?
From that point forward, Samy was addicted to computers. This was so fascinating to him.
He wanted to understand how this had been possible. So he began studying computers and practicing programming. Since he now had a computer at home, he got into video games too.
Counter-Strike was his favorite game. You know, the first person shooter. He played it a lot. He was addicted to it.
It was fun. I mean, it was a ton of fun. I had a clan and was playing with a bunch of friends in
high school. And I remember just one day I was playing and I heard some footsteps. My computer
has two speakers, you know, one on the left side, one on the right side. So some stereo sound and I hear some footsteps coming from the right speaker.
And then I hear them panning to the left speaker.
So that immediately tells me, oh, there's someone behind me because I can't see them in my visual field of view in the game.
So immediately I'm like, wait, that means someone is behind me in the game.
This is a live person, someone else on the Internet playing Counter-Strike with me.
But I can't see them in my radar, which means they're on the opposing team. So I wondered right then, couldn't I really use that information, that sound information on the computer
itself? I'm sure that person killed me pretty quickly. But afterwards, I exited Counter Strike
and I started looking into how can I pull that information? What's telling the computer to play footsteps on the right speaker rather than the left speaker? Because
that means there's positional information there that someone is on the right side versus the left
side. And sure enough, I started learning about packet sniffing and then memory injection and
intercepting function calls within the DLLs of Counter-Strike itself, and intercepting basically
everything between the binary, the Counter-Strike executable, and the DLLs that it used so that I could intercept things like footsteps.
And once I hooked that function, I was then able to get exact coordinates of everyone
because everyone's footsteps is actually being sent to you, at least within some range. You will
then get that. And that's just telling your computer where to play the sound. But that
location is exactly where that person's located. At that point, I started using OpenGL at the time and
just drawing where the user is on the map in a little heads up display and a little radar.
And then I started sort of jumping into writing Counter-Strike cheat software.
That was a lot of fun.
What were some of the cheats you could do?
Just writing aimbots. So automatically aiming at people, being able to make any smoke
bomb or smoke grenade or flashbang, just make those transparent to me. So I could go into a
room that I knew is full of opposing team members and throw in a flashbang and they're all going to
see white for three seconds. And I'm going to run in there and see absolutely nothing because I've
hooked that function and said, do nothing, just return out, you know, do a return before you
actually do any of the visualization to sort of wipe my screen.
Little things like that became really fun.
I couldn't actually modify my health that was controlled by the server.
So I couldn't actually make myself invincible.
Adding zoom to every weapon.
So weapons that didn't normally have zoom or might have like a scope on them.
So you'd lose a lot of the screen because it's now blacked out.
I would just remove those.
There's no reason that the screen needs to be blacked out.
I would remove that.
There's no reason that zoom should be better in one weapon and not the other.
So I added zoom to all weapons.
And this is all totally unfair.
And pretty quickly, it actually became not fun at all.
Like all the fun of the game went away entirely
because all of a sudden, it was practically god mode.
Samy released the Counter-Strike cheats as open source software. He was beginning to get bored playing the game,
and then PunkBuster came out. PunkBuster is a program that's designed to scan the memory to see if
anyone is cheating in the game, and PunkBuster stopped Samy from using his cheats. But now
the new game was for Samy to try to circumvent whatever PunkBuster
was using to detect him. All of a sudden, this game was fun again, because I was no longer playing
the game. I was now playing against these engineers on PunkBuster. They were doing their own memory
inspection. They were looking for my process. They were doing all sorts of things to stop my
cheats and other people's cheats as well. And that became fun. At that point, I was probably 15
years old. I was so attached to this that I stopped going to high school and I started updating my
cheats because this was just so fun and it would be cat and mouse. So I would release a new version
that defeated their software. And two days later, they would release a new version. And then I would
have to figure out what did they do? How did they figure it out? And that was like training. It was sort of very rapid training in how does at the very least
software and networking work. And I think I probably learned a ton just during that short
stint when I was writing this cheat software. At 16, you dropped out of high school.
Yeah. What did you do after that?
I wasn't good at school. I didn't care about most classes. So I did not do well.
I was not a good learner. No one ever taught me how to learn something.
I think that was something that I learned later in life.
I just wish there were tools that were taught at school for me.
I think I would have been a much better student.
However, if I'm enjoying something, then I will absolutely learn it, right?
I'll spend all my time on it.
I'm still not necessarily a fast learner.
Like I've always known that people can pick up stuff much faster than me. But if there's something I enjoy, then I'm just going to spend
all my time on it. And, you know, I'm very persistent. Samy was living at home with his
mom in Los Angeles at the time. She had recently lost her job. And now that she was home more often,
she noticed Samy wasn't going to school and told him if he's not going to go to school,
he needs to get a job to help pay the rent. So Samy started applying for any job he thought he could get. I got an email
out of the blue from a company in San Diego and said, hey, we saw your cheat software, your
Counter-Strike stuff. And will you be willing to contract and just write code for us remotely?
And I was blown away. I was like, wait, someone will pay me to write code.
Like, I thought this was just useful for basically writing cheat software.
Like, I had no idea that you could use it for other things.
I mean, it was obvious that you could sort of program things, but I just didn't know if someone would pay me money to do that.
So I was really, really fortunate in getting that email.
And I started working with them and just remotely writing code for them,
and they never met me.
We never even talked on the phone.
It was just all over email. And they said, Hey, do you want to move to San
Diego and work full time with us? And I said, absolutely. So I took my mom's car and I just
drove down and I met them. And I think they were kind of weirded out because they didn't expect a
15 year old to show up. And they weren't even sure if that was legal. And I was like, Oh no,
don't worry. I looked into it. It's totally legal. Here's a work permit that I got from my school,
which was really just a work permit I had forged and printed out. And I just started working with
this company down in San Diego. And that was really cool. And that allowed me to support
myself and my mom. And she continued to live in LA, but I got to start my own life down there,
which is really great. That is incredible.
In San Diego, as a teenager, Samy was working as a programmer,
but eventually took on the responsibilities of a systems administrator.
He was making pretty good money for his age.
Then someone in L.A. tried to recruit him to work at a startup.
And this was the deal.
Quit your job and come work for us.
Initially, we can't pay you, but you can have some equity in the company and sleep on the founder's couch
while the startup gets off the ground. And I said, oh, well, thanks for that offer. No,
no, thank you. And he said, well, what do you want to do with your life? What do you want to
do the next few years? I thought that was a really good question. I honestly had not thought about it.
It's not something I normally think about.
And I thought about it for a while.
And I was like, well, I want to learn how to start a company.
All right.
I want to learn how to start a successful company that employs people and works on cool
projects.
He said, okay, well, I just sold my last company for $30 million cash.
I've started multiple companies.
I've done this before.
So why don't you meet my co-founder and learn with me and you can handle the technical side.
And thought about that for a second.
And it's like, well, I probably won't get that opportunity ever again.
So I sort of jumped in.
I said, OK, let's do that.
I quit my job in San Diego, came back up to L.A., slept on his couch.
And that's when we started a company called Fonality.
Fonality was creating voice over IP solutions for companies.
Samy wasn't getting paid at first.
He had some savings, but was blowing through it pretty quick and living as cheap as possible, sleeping on a couch.
But eventually the company started making money, which meant Samy started getting paid.
Then I think after we were actually making money, because we had become profitable at some point,
and then I had a salary and then that salary grew as we became more profitable and did more rounds and stuff. So at some point, I was really fortunate to be able to still support
my mom and also have some nice toys. Things were really looking good for Samy at this point. He
was 19 years old, making great money at a company that he helped create. Samy was a smart young lad, but eventually he got bored.
What do you get when you have a bored hacker?
Yeah, you guessed it.
Trouble.
That's when I started playing with MySpace.
MySpace was the number one site on the internet.
And all my friends had it, and I sort of held off for a while.
And then one day I said, okay, pretty much all my friends have it, so I should just go on there and make an account and see what this is about.
And I made an account. I was like, oh, that's pretty cool. It's a social network. You can post pictures and you can post on people's, I guess you'd call them profiles back then; they wouldn't call them walls.
You could have music that auto-played, which is terrible.
You'd have to do really awful, awful CSS things to your page.
But you could also do cool things.
And I really like that.
I actually really appreciated the fact that you could style the page in any way you wanted.
You really could beam it and show a little personality.
I thought that was really cool and not something you get to do every day anymore.
So I made a profile.
And at this point, you know, pretty technically competent.
I felt that way.
And I thought, well, maybe I can make my profile cooler than some of my friends, just more interesting or unique.
So I started saying, all right, well, I could do all the CSS stuff, but how can I really do something interesting?
And I started looking, and I think I had like a digital camera.
And I found that the limitation on the profile pictures was you can only have 12 photos.
And I thought it'd be funny just to have a 13th photo.
Like it's just a limitation that they had.
No one would really notice.
You'd really have to think about it
or know this limitation even to realize.
But I thought that would be subtle and funny.
Samy figured out that the limitation on the number of photos that MySpace users
were allowed to post was set by client-side validation.
He realized he could bypass this validation and talk directly
to the API server, and he could submit as many photos as he wanted to MySpace. And it worked.
Unbelievable. So cool. But now that he had bypassed one validation check, he wondered,
what else could he do? When you look at a MySpace user's profile, you can see what birthday they have displayed,
what their favorite foods are, their music and movies.
But there's also a place to describe your relationship status.
There was a little drop-down box.
You could pick single, married, engaged, or in a relationship.
But you were bound to only be able to pick one of these that were in the drop-down box. There was no way to enter your own relationship status. I wanted mine to say
in a hot relationship. That would be funny. And again, a subtle change. You couldn't really do
that, at least back then with that version of CSS. But I started playing around and said, well,
maybe I can execute JavaScript because JavaScript should be able to modify the DOM, modify the page in any way I want. And I started playing around and found that they pretty
much block JavaScript in any possible way. So then I started saying, okay, well, maybe I can
mess with the browser. So I started looking to exploit the browser's interpretation of tags and
found that, yes, there's actually a way that I could execute JavaScript that technically isn't
compliant with, say, the W3C spec of how HTML should be interpreted.
But browsers happen to be pretty lenient and they want web pages to work, even if the developer made an error.
So I found a way to execute JavaScript within a CSS tag and then access some data somewhere else on the page and execute JavaScript code.
And this was really cool.
So this allowed me to now
change my "in a relationship" to "in a hot relationship."
Well, another fun and awesome win for Samy. At this point, he's conducted two hacks against
MySpace and is looking to see what else he can do. He realized that when he changed the
relationship status, he could get the browser to execute whatever JavaScript he wanted.
But it's not just that.
He could get whoever visited his profile to execute the JavaScript code that he wrote.
To be able to control the browser of whoever visits his page, this was a seriously big deal.
At that point, it's like, what else could I do that could be fun?
I started playing around.
I was just doing silly things.
I wanted to see, okay, if someone visits my profile and we're not already friends, can I make
them add me as a friend? And I could. And then I found, well, if I can control their browser, couldn't
I just update their own profile? And I found, yeah, whenever they visit my profile, I could make them
update anything on their profile. And I didn't want to be malicious. I just wanted to do something that I
thought was funny. So I made it so that if you visit my profile, not only would you add me as a friend, but you would also add "but most of all, Samy is my hero" to the
bottom of your profile. I thought that would be kind of funny. And after a few days, maybe a few
of my friends would have it on their profiles and I could just be like, Hey, cool. You know,
point that out to them. So I released this and a few days go by and nothing really happens. Like
virtually none of my friends have hit it because a lot of people aren't going to my profile.
So I think, okay, well, how do I make this spread a little faster?
And I'm thinking, all right, if I can make you add me as a friend and add me as a hero to your profile,
couldn't I just copy the code to your profile as well?
So that way, if someone visits that profile, they'll also add me as a friend, add me as a hero,
and then the code will copy to their profile.
So within my friend group, it should probably hit them all within a week or so.
And that'll be pretty funny.
Someone will complain and you'll get taken down and no big deal.
I launch it one night and I go to sleep.
And I wake up hoping to get at least a couple of hits.
And unfortunately, I wake up to 10,000 new friends.
10,000 new friends?
Samy was just trying to have some fun.
He didn't intend to be malicious, but then it dawned on him,
he's actually created a virus on MySpace.
Anyone who visited his profile would immediately add him as a friend, but then the code to add Samy as a friend was copied to that
person's profile. So anyone who visited that person's profile now had the code to add Samy
as a friend and it just kept spreading. A virus that spreads itself like this is not just a virus. It's a worm.
Samy has just created a MySpace worm.
And it's spreading way beyond what he thought it would become.
Perhaps he could get a few dozen friends or even a hundred new friends.
But now he's got 10,000 new friends and it's just constantly going up. At that point, I just freak out.
I have no idea what to do.
I'm sitting in my apartment and I'm kind of baffled.
So I realized, oops, I just wrote a virus.
And what should I do?
And the problem with the virus is you can't just remove it.
Like I could remove it from my own profile, but that doesn't mean it's going to stop
spreading because it's already spread to thousands of profiles.
Were you getting flooded with messages as well?
Like, you know, you're just really popular at the same time as having friends. People were messaging me. They're like, Hey,
why are you on my profile? Hey, every time I try to delete you, you come back. That's because every
time they would delete me from their profile, it would return them to their own profile,
which re-executed the code, which re-added me as a friend. So they couldn't actually delete
the virus either themselves. So they really needed MySpace to do that. So at that point,
I'm like, okay, it's time for damage control as much as I can do. So I email MySpace anonymously.
Hi, I'm a random user of MySpace. I have no idea what's going on. There's some weird stuff
on my profile. It looks like a bunch of obfuscated code, and I'm not really sure what it does.
But I think it does... [a detailed explanation of exactly what was going on].
And I think you can fix it by... [a detailed explanation of exactly how to fix this problem].
I just prayed that they got it.
Well, I just continued my day.
I mean, at that point, I really couldn't think.
So I drove to the office.
And the whole time he's at work, he's looking at his MySpace profile and just watching the number of friends he has rising higher and higher and higher.
Went 50,000, 100,000.
I could not think about anything.
It was just refreshing.
Went home, 500,000, 600,000.
600,000 new MySpace friends?
Oh, this is going way out of control.
This has to be stopped.
Samy tried to stop the worm by removing the code on his profile.
I removed the code from my own profile, but that doesn't do anything, right?
It only removes it so that anyone who visits my profile doesn't get it.
But, I mean, it's already spreading from anyone else, right?
Once someone else has it, it will just continue to spread.
So there's no other way to really control it.
Really, MySpace would have to remove it themselves.
Samy goes off to work, does his shift, comes back home.
600,000, 700,000.
It hits a million.
I just take a screenshot because now I'm just like,
that's a lot of people.
I had no idea that many people were even on MySpace.
I just had no idea how big it was.
I was hoping it would hit 100 max
over the course of a week or a month or something.
Once it hit 10,000, I knew I had done something wrong.
That was, I was like, oh, I did not think this through. I was just freaked out the entire time. I was super, super
concerned. Because I mean, if it hit 10,000 overnight, then at that point, it was obvious,
oh yeah, it's just going to grow ridiculously out of proportion. And now I'm refreshing purely
because I'm curious how fast it's spreading. So I'm refresh, I refresh, I refresh. And at this
point, it's spreading at about 3,000 people per second. And as I'm sort of doing this little test of how fast it's moving,
I refresh once again, and finally, my profile has been taken down. So I'm pretty happy about this.
So then I was wondering, okay, the virus was probably up for about 20 hours. And I'm thinking,
all right, well, does it still say Samy's my hero on other people's profiles? Like,
how did they take this down? So I go to someone else's profile. And then I see
that that profile is also down. Like, oh, no. So I go to myspace.com, just to the website.
And it says the whole site is down. The whole team is here working on it.
I felt absolutely awful. I know what it's like to have servers that are down. And I would never
want to do that to somebody. And I'm thinking, okay, the number one site on the internet is down.
And I also recall that MySpace had just been purchased by Fox for half a billion dollars.
And I didn't really want Fox to come after me. So I was like, oh no, what do I do?
So I thought about it and MySpace is in LA. So maybe I should just drive over there with
some coffee and donuts and be like, hey guys, I'm Sammy. I'm so sorry. Can I help do anything? Can I write some SQL queries?
What can I do? But I thought that would be a bad idea in case they were just really upset,
which I would totally understand. I was worried I'd go to jail. I had no idea what the
ramifications of something like this was. I really had no idea.
Did you tell anyone then? What did your friends think of this at this point? Because I mean,
the people you work with and stuff, did they know that day? Like, hey, it's going crazy.
Your friends, did they know? And you're like, hey, and call one of them and say,
I think I just took MySpace down.
I messaged like one or two friends about it. I actually remember explicitly one friend
I messaged just before doing it.
And he's like, hey, don't do that. He was much smarter than I was. And I think during the thing,
I don't think I talked to anyone about it. Maybe my girlfriend, I guess I told her.
And she thought the whole thing was funny. And really back then, it was just a social network.
It was a small social network, really nothing compared to the networks we have today like Facebook and Twitter. Granted, it was the largest at the time, but it was 2005.
Like, smartphones had not come out. It was a much smaller group of people.
And the internet just didn't seem as serious.
At this point, MySpace is down like the whole website.
Samy is worried and scared.
The team at MySpace is probably totally freaking out.
This was the largest social networking site in the world at the time.
And it's down because Samy decided to have a laugh? This is not good. Samy's anxiety is
growing every minute that the site is down. He can't focus on real life right now. Forget about
work. Forget about going out with friends. What the heck happened to MySpace? Was it his worm that
took down MySpace? How much trouble would he be in if it was?
Hours went by, and the site was still down.
And he was getting more and more anxious as he kept refreshing the page, waiting for it to come back up.
And then, hours after the site went down, MySpace came back online.
Actually, I feel very good that the site is up a few hours later.
And at this point, I don't really know what to do.
I sit around.
I just start working on other things.
I'm kind of just waiting for the police to come knock on my door.
And a day goes by and a week goes by.
And I start getting emails from random people on the Internet, blog writers and magazines that are like, hey, you know, we heard about this worm you wrote.
I'm like, I don't know what you're talking about.
And they said, is your name Sammy?
I was like, yeah, my name's Sammy. But, you know, not sure what you're talking about.
And then they sent me a picture and they're like, is this you?
That's my profile picture.
So it's, of course, it's me.
And I'm like, okay, fine.
That was me.
And they started asking me, you know, what was this about?
Like, what was your intention?
This was just a prank.
It went terribly wrong.
They asked, has MySpace contacted you?
I said, no.
Have the police contacted you?
I said, no.
And a week goes by, two weeks, three months.
Finally, after three months, I'm like, okay, I'm super fortunate.
No one from MySpace or the police or anything ever contacted me.
So I'm really, really lucky.
I did something pretty dumb and I'm never doing that again.
And sort of got away scot-free.
What a lesson learned, huh?
To accidentally take down the largest social network in the world
and not hear from MySpace or the police?
Ugh, lucky guy.
Because you know what?
Sammy's fingerprints are all over this worm.
I mean, the worm follows Sammy.
And then the worm actually says, above all, Sammy is my hero.
So it would be really easy for Myspace to track this back to Sammy.
But nothing.
So Sammy just goes back to his regular life, back to his job at Funality,
which is starting to pay him even more now.
In fact, he was making enough to buy his dream car.
I got a Porsche Boxster.
At the age of 19.
Anyway, he got a brand new car.
And one day he's leaving his apartment, and he goes down
the elevator to the parking garage.
I'm walking down to it, and there's a brand new
car, and I see two guys
basically standing next to it,
sitting on it. I'm like, oh no.
I'm getting carjacked.
And two more guys walk up behind me.
And then they say, Sammy?
And I was like, oh no.
And I realized that carjackers, they don't know your name. And they say, Sammy, we have a search warrant for you. This was a surprise. Six months ago is when
he launched the MySpace worm, and now they're coming for him. These were representatives from
the Secret Service's Electronic Crimes Task Force, the LA District Attorney's Office, and the California
Highway Patrol. The Highway Patrol was there because they had suspicion that Sammy's fancy
new car might have been stolen. The agents took Sammy into custody and headed back up to his apartment.
We all walk up and as we go into my place, there's a dozen agents already there going through
everything. And what they're doing is they're taking everything. So anything that has data, CD, DVD, my laptop, my computer, my Xbox,
and even my iPod, it was probably worse.
They took my iPod.
All my music was gone.
I love music, so that was actually somewhat challenging
because all my MP3s and any legitimate or illegitimate music I had was gone.
And I was kind of terrified, but also somewhat go with the flow.
You know, things happen in life, and you deal with them,
and I'm just waiting for sort of all this to be over,
and now I'm reading the search warrant because I really want to find out, like,
is this about MySpace? Is this about something else?
Is this about some computers I hacked into? I have no idea.
And I'm reading through, reading through, and then finally I see the words MySpace.com.
I'm like, okay, good, so it's about that.
At least that one was a prank.
Then I'm reading, reading, reading, and then I see another address that they're allowed to search.
And it's my office. So I asked them, are you guys going to search my office? They're like,
we're already there. One of the agents asked me, what's that on your counter? So in my living room,
there was a table and it had some equipment on it. Some like smart card reader, writer stuff,
and some smart cards and stuff.
And it's like, what are you doing with that?
And at this point, I'm thinking, OK, the Secret Service agent just asked me what these smart cards are. And in my head, I'm like, should I tell them or should I lie about what this is?
And my friend was staying at my apartment to work at my company.
And I was showing him that I had hacked the laundry machines in our apartment building
so that I could get free laundry. And I was basically cloning smart cards, or like replaying
the information from a smart card to make it appear that it had more money than it did.
And I decided I should not lie to these people, so I just told them that. And fortunately they
all just laughed and nothing else came of that. Afterwards, they collected everything. And then they walked out.
And I'm like, hey, guys, like, are you taking me with you? And they said, no, no, you're not
under arrest, at least for now. I said, Oh, okay. And they walked away. And all of a sudden,
I just had no computers. I went to the office. Unfortunately, somehow the CEO was able to
convince them that I was like an intern and that I had no access to anything. Because when they came
in, they said, hey, what does Samy Kamkar have access to?
The CEO was like, well, everything. And they're like, all right, guys, take everything.
This is a cloud-based company. So when you take everything back then we ran all the servers. So
they were about to take all of our servers, which would just bankrupt us instantly.
Fortunately, he convinced them something else that I was an intern or something weird.
And they only took my stuff, just my computer and my phone. And at that point, I got an attorney and we ended up basically fighting with
the L.A. D.A. for about six months. The Los Angeles D.A. charged Sammy with modifying data on a remote
machine. In settlement talks, prosecutors proposed that Sammy serve some time in prison and not be
able to use his computer for the rest of his life. Keep in mind that Sammy was supporting his mother,
and as a high school dropout, his only skill set and his livelihood
were entirely dependent on using a computer.
Sammy was so bright and gifted and passionate about computers
and technology and the internet and hacking,
you can imagine how scary it was for him to face the prospect
of having to live the rest of
his life without ever being able to use a computer again. Probably the hardest part, really the
hardest part of anything, I think, at least for me, is not knowing what an outcome will be. I think
it's much easier to deal with maybe even the most challenging outcome if I know that's going to
happen. Like if you just tell me, okay, I'm going to go to the prison for the rest of my life, then I can at least mentally
try to prepare for that. But not knowing was just really difficult to deal with. But ultimately,
I took a plea agreement with them and the plea agreement was no prison time. So that was nice.
However, I would not be able to touch a computer for the rest of my life. That was still in there.
And probation indefinitely, I would have to pay some restitution. I'd have to do a ton of community service, like picking up so much trash. I'm glad
I could really help make those streets cleaner. But the silver lining was that if I was on good
behavior, if like my probation officer, you know, said I was a good person, after some number of
years, I could get everything removed. As long as I completed my community service, I'd be able to
get rid of the probation and be a normal citizen again and be able to touch a computer and the internet. And I
said, okay, well, that at least is a known quantity. I don't think I'm going to be writing
any more viruses. I can do a couple of years of no computers, no internet. So I agreed to that.
And I was probably 20 at this point because, you know, this process was just such a long process.
And one day I just went to court and all of a sudden I could no longer touch a computer or touch the internet. In fact, it also
explicitly stated I could not access MySpace.com. So in case I somehow was able to access it without
the internet or computer. So that was it. Sammy had lost everything. I mean, forget about the Porsche at this point,
because on top of all this, they gave him a $20,000 fine. So between having to pay all the
lawyers and the fine and still having to support his mom, yeah, he was almost completely wiped out,
almost back to zero, living as cheap as possible. But still, forget all that. I don't think Sammy
cared about the money at this
point. He was back to trying to figure out what he should do with his entire life. No internet for
life? Everything he's been working towards, all his skills and knowledge are useless now. Sammy
had 720 hours of community service he had to complete. So every Saturday morning, he'd get up
at 5am and go clean trash on the
side of the highway. For years, even if he did six hours every Saturday, that's still just 300
hours a year. So everything about Sammy's life was changed. And he had to find new things to do
that didn't involve a computer to keep himself busy. But I was really fortunate. I mean, I met
new people, I spent all that time just sort of doing other things that I had never really spent time doing. I went outside,
I saw the sun was like, ah, it's so bright, but I got used to it. I made friends. I turned 21.
So I could start going out, meeting people. I started learning to socialize a lot more.
So it's really, really beneficial to me and something I wouldn't really change today.
Learned so much from that experience. And I think it was good for someone so introverted and so stuck to a computer to be
able to go out and experience other things. So Sammy spent years of his life offline,
doing his community service and trying to socialize with his friends.
But the story doesn't end here. After the break, Sammy gets to use
computers again. This episode is sponsored by Vanta. Trust isn't just earned, it's demanded.
Whether you're a startup founder navigating your first audit or a seasoned security professional
scaling your GRC program, proving your commitment to security has never been more critical or more
complex.
And that's where Vanta comes in.
Businesses use Vanta to establish trust by automating compliance needs across over 35 frameworks like SOC 2 and ISO 27001, centralized security workflows, complete questionnaires
up to five times faster, and proactively manage vendor risk.
Vanta helps you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Thank you. who use Vanta to manage risk and prove security in real time. For a limited time, listeners get $1,000 off Vanta at Vanta.com slash Darknet.
That's spelled V-A-N-T-A, Vanta.com slash Darknet for $1,000 off.
After two years of probation, Sammy has served all 720 hours of his community service.
He had great behavior.
The probation officer didn't find anything wrong that Sammy did.
And since he had such great behavior, they went back to court to see if he could get the probation lifted.
And after a few years, I went back to court and said, hey, you know, my probation officer loves me.
She says I'm her favorite client.
And they said, OK, you are allowed to touch computers again.
That was a very interesting experience.
I felt really weird touching a computer afterwards.
You kind of just get used to the rules that you're abiding by.
It's definitely an awkward feeling jumping back in.
What happened on that day that you got it back?
I definitely remember that day because I drove to the L.A. courthouse.
And after I left the courthouse, I drove to the Apple store and found whatever the latest, you know, top of the line.
I don't even think it was a MacBook. It might have been a PowerBook at that time.
I bought the top of the line PowerBook and I went to a coffee shop.
I pulled it open. I connected to the Wi-Fi. And I visited a couple of websites.
I think I visited Slashdot just to see what's going on.
And I just felt really weird.
And I just shut the laptop and I went to go hang out with friends.
This started the next chapter in Sammy's life.
Now that he was free to use the computer again, he eventually got back into it.
Way into it.
Even though he hadn't been allowed
to use a computer for the last two years, he had spent that time thinking of all sorts of things
he can do with them. During that time that I had no internet, I had no computers, I started thinking
about new exploits, new ways to really manipulate more systems and like exploit routers and exploit
firewalls and just had some concepts literally just in my head. And I couldn't confirm whether they were accurate or not, whether they would work after I came back online.
And I started thinking, well, this stuff is fun. Like maybe I can do this stuff,
but not impact websites, not impact people negatively. So how can I investigate the
technology around us, look for the vulnerabilities around us, and then share that information
publicly in an entirely legal way. So people actually understand the problems and can use solutions.
So just six months after Sammy had completed his probation for hacking MySpace,
it was 2008, Sammy was around 21 years old.
He starts looking into hacking credit cards, specifically the NFC and RFID chips on them.
Yeah. Some other researchers and myself, we're looking at these NFC credit cards,
which are becoming a lot more ubiquitous today.
But back then it was kind of funny.
They actually came out with these credit cards with NFC.
And pretty quickly they were encrypted.
Some were encrypted.
However, you could actually just buy a chip with the decryption key.
So you would just buy a chip from a company and you could then decrypt anyone's credit card, access their credit card info, and then literally steal stuff with it.
And that was not my intention, but I want to show that this stuff is not secure.
So I just created a proof of concept that opened up this to some additional credit cards.
And there were some other tools that did similar things for other types of credit cards.
I know mine was like a Visa chase card that no one had done this for yet.
How close to someone do you have to be to get their credit card details?
Like, does it work from far away?
I haven't really experimented with how far you can do it.
So I'm not sure.
You do need to be close to them.
It's very easy to be within proximity of many, many people.
You just go to a crowded place and now you can steal many, many credit cards.
And then you can go home and buy a ton of stuff online
or you can sell those credit cards online
and really just steal money.
Even just bumping up
against someone in the line,
if they have an NFC or RFID
vulnerable credit card in their pocket,
that would be good enough
to steal their credit card, right?
That's correct.
That's such a trip.
You know, what's funny is
after releasing that
and demonstrating that,
NFC then disappeared from our credit cards.
And it only recently reemerged in the past few years.
And now with much stronger cryptography and additional safeguards from these sorts of attacks.
However, there are other attacks.
I mean, it will always be cat and mouse, right?
Nothing is ever perfectly secure.
And to be fair, it's much easier to be the attacker.
While Sammy studied how to hack the chips within credit cards, he never did anything malicious with this. He never actually stole
anyone's credit cards that he didn't have permission to steal. Instead, he started blogging
about this and teaching others about the safety involved with these products in an attempt to
make them more secure. And from then on, Sammy would continue to research the security of so
many more things, but always in an ethical and safe way.
He would do this on his own equipment and disclose what he found to vendors.
For instance, Sammy recently released a proof of concept
to show how you can steal passwords and encryption keys by just listening.
This sort of stuff has been done for years by other people, by researchers.
I'm just trying to see, can I do this on a $2 chip or an Arduino
that many people know how to use and many makers can just buy off the shelf. And then can they perform these types
of attacks? There's attacks out there where researchers have demonstrated just taking a
phone, a regular phone, putting it near a computer. And when a computer is doing some sort of cryptographic
operation, and maybe it's encrypting an email, maybe it's trying to send some Bitcoin,
maybe it's doing a financial transaction, maybe it's logging into a bank.
When any of these things are being done and the processor is like processing those instructions
in a certain order, well, the processor requires power and different instructions require different
amounts of power.
So addition will be less power than a multiplication, which is really just a bunch of additions.
And you can then measure that power.
But if you have a phone, you can use the microphone. So let's say I put a phone next to
someone's laptop and they're encrypting an email with a secret key. Well, when that CPU is pulling
power from all these capacitors, those capacitors are going through this thing called electrostrictive
effect. And they're physically moving inside your computer and they're moving at a speed,
a rate against the circuit board inside that produces ultrasound.
You and I can't hear ultrasound, but the phones that we have, the mobile devices we have, those microphones actually can listen all the way into the ultrasound range.
And if you have, say, an Android device with microphone enabled and it listens to that ultrasound, you can then look at that sound, that amplitude or the volume of the sound and then correlate it and say, well, the higher the sound, the more power those capacitors are using and feeding to the CPU.
And if I know it's this much power for this long, well, I can do timing and power analysis and say,
well, that means you're doing an addition here, or you're probably doing a jump or a branch here
or a comparison here. And this looks like you're doing an AES encryption, a 128-bit key. And if
you're encrypting with a
zero-bit versus one-bit, that's going to take different instructions with different amount
of power, and then I can fully recover that key. It's pretty impressive. And these are the types
of attacks that are really exploiting physical phenomena, right? Things that a software developer
might implement something perfectly, but there's still these other attacks.
Sammy continued finding new areas to do security
research in. And at some point, he got interested in cookies. Cookies are what web browsers use to
remember who you are. So when you return to a website, they can log you in or show you content
that's just for you. Cookies are a tracking mechanism. And browsers store these cookies
on the user's computer in a very specific location. But as Sammy looked into it, he was noticing some websites figured out a way to track users
without storing the cookie in that traditional location.
For instance, some sites ran Flash to display fancy graphics.
Well, when you get to that website, the Flash video is downloaded and stored on your computer.
And the next time you go to that website,
your browser checks to see if you already have that video
or if you need to download it.
But people were really concerned
because some researchers found that some companies
were using Flash to store cookies on people's computers.
And the benefit of this was that
if a user deletes their normal cookies,
their normal web browser cookies,
which is what advertisers use to track you,
well, then the Flash cookie
was essentially acting as a backup, right? And really surreptitiously, because they obviously did that
intentionally, because they knew users might delete their normal ones. And I was thinking,
well, the browser is a pretty powerful piece of software. It does a lot of things. I wonder what
other mechanisms where I could actually store information locally. And again, this is sort of
proof of concept to demonstrate what are all the ways that we can store information on a person's computer, whether they know it or not.
So I created this open source JavaScript library called EverCookie.
And it used normal cookies.
So it essentially generated a random ID to track somebody.
And then you store it in their normal cookies.
You store it in Flash cookies.
But then I tried to find every possible other mechanism that you could use locally.
So there was Silverlight.
So you had Silverlight storage. And then Java and HTML5 came out.
So then there was local storage and session storage, global storage, SQLite, local cache, your web history.
My friend Matt came up with a really cool idea of just storing the data in an image that would get cached.
And then you could actually read out the pixels of the image and then convert it back to an ID, all sorts of stuff.
And people like Matt and other people also started contributing to this project,
as it's an entirely open source project on GitHub that anyone can actually contribute to.
This EverCookie project that Sammy made really demonstrated how easy it is for websites to track their users,
even if they delete their cookies.
And this was a really effective technique.
So effective that
when Snowden released a bunch of classified documents about what the NSA is doing, in there,
it even said that the NSA sometimes uses EverCookie to track its users through Tor.
A couple of people pointed out to me over the years that different governments have been using
EverCookie to try to track people. And it definitely feels good that governments are
using my software.
Granted, they're doing it for a reason
that I'm not into,
but I actually think the net gain
of the entire project is extremely positive
because what EverCookie really provided
and still provides today is an acid test.
So now browsers essentially can use
EverCookie to see,
okay, does my private mode, does my incognito mode, does that provide
the necessary protection to make it challenging to track this user, at least using local storage
mechanisms? And before EverCookie, there was nothing like that. So no one knew about many
of these techniques. And it's very trivial for any company or government to then generate their
own techniques. But by consolidating it into a very simple-to-use library, and always trying
to keep it up to date, you know, people today are still updating EverCookie with new techniques.
Modern browsers that want to provide the consumers and users and businesses privacy, it gives them that capability because they know, okay, I've tested at least against EverCookie, which is sort of state of the art and local storage mechanisms.
And EverCookie can't track it.
So at least it makes it very difficult.
So governments who are using it, they're really only able to track all browser users who don't upgrade their browsers or operating systems, where people who actually do care about their privacy,
those people typically know to use modern up-to-date software. So I think the overall
net gain is extremely beneficial. Let's talk about Skyjack then,
because I think this is a really cool project. What is Skyjack?
Skyjack started when I started hearing that Amazon was potentially going to use drones
to deliver packages.
And I thought that was really cool.
I mean, I think it's really awesome that we have drones.
I think drones are super interesting.
They're low cost and they'll probably enable a lot of really useful things for humans.
However, I was somewhat concerned that that was the idea.
I was like delivering just packages because I don't really know if there's any security on drones.
So I wasn't sure. I really didn't know anything about drones.
So I went out and I bought the most ubiquitous consumer drone.
And then soon after, I also bought industrial drones, type of drones that police use.
And immediately I started looking to see what are the protection mechanisms, at least in the consumer drone. And immediately I found absolutely zero, literally none. You know,
one drone was using essentially Wi-Fi to be controlled and you could hijack that connection.
You could only have one person controlling the drone at a time. So if I would just essentially
kick that person off and then I would take over and then I would modify the drone software so that the person could never log back in.
And then I would have full control.
And I found that I could do that.
And then I started looking at more industrial drones and found that they did have encryption.
However, that encryption was not good at all.
Basically, if you sat on a radio frequency channel, essentially it's doing frequency hopping. So the transmitter is jumping around to different frequencies for various reasons, partially security, but partially to prevent
jamming or if there's a lot of interference, that interference will disappear after it hops to the
next frequency. But that was also based off the encryption key. I found if I could sit on a single
frequency and I see two packets come in from that drone, essentially it would have hopped hundreds
of times. And then I jump onto another frequency and I see it hop on that frequency two times. All of that would typically take a couple seconds tops.
I would then be able to reverse the key within a second. I would be able to understand what the
encryption key is, and then I would be able to hop along and take over that drone as well.
So at that point, I put all of this into an open source project called Skyjack.
I put it on GitHub and I took a Raspberry Pi Linux computer,
I put my software on it, I added some Wi-Fi transceivers and some sub-gigahertz transceivers
for the industrial drones. And you would then attach this Raspberry Pi to your own drone.
And you'd fly your own drone around. And while you're flying your drone around,
if Skyjack ever saw another drone on any of these wireless frequencies or within wireless range,
it would then hijack and take over that drone. And you would now be in control of both drones. In fact, any wireless
drones it found in the vicinity, you would take over all of them and you'd be controlling a swarm
of zombie drones entirely under your control from one transmitter. And that was sort of the proof
of concept there. And it was a really fun project, especially fun to be testing it. Of course, I was
testing only on my own drones that I owned, but it of course affected pretty much all models of all major drones at that time.
Now, I've flown a drone and one of the scariest feelings I've ever had is when you lose control
of the thing and it just starts doing its own thing for whatever reason, right? I mean,
that's a little bit evil what you're doing here.
I'm not taking over anyone else's drone. I've only taken over my own. Okay. But giving
the world the ability to do it. I don't know. I would disagree with that statement because
the world has always had that capability of doing it, right? How do you know other people
aren't doing it already? I would actually suspect that there are plenty of organizations who are
doing it. They're just not going to tell you about it, right? They're not going to put it
on the internet. They're not going to put it on GitHub and let you know that they're taking over people's
drones or that they've developed the software and hardware necessary to do it. They're just
going to create that and they're going to stockpile it so that they can use it against people or
companies or governments at their will. That's what we found when the NSA leaks came out. We
found out that they were stockpiling all of these vulnerabilities, including major, major
vulnerabilities that affected many. I mean, even the NSA that wants to protect America knows that everyone's running,
say, Windows computer, many people are running Windows computers, and they stockpiled Windows
vulnerabilities, zero days that nobody knew about. It was only when one of these databases
from the NSA was leaked that criminals were then able to use those exploits and actually attack
many, many millions of computers around the internet, Americans and non-Americans. I don't think it matters where you're from.
So what I'm doing by releasing this stuff is demonstrating that, yes, this is the issue,
and you can patch it. If I don't release it, then the issue will continue to exist.
You might ask, well, why don't I just directly communicate with the companies?
Often I do. And I found over time that when you communicate directly with companies,
they typically don't resolve these sorts of things. Unless you're talking
maybe existing specific software vulnerabilities in their architecture. But if you're saying,
hey, you're not using encryption or using it like really wrong, or it's really the underlying
protocol that is the issue. I found that that's when people don't actually resolve anything.
And that's when I started releasing stuff publicly and finding, oh, if you release a cool proof of concept
that demonstrates the real problem,
the underlying core problem,
even if it's not necessarily an issue
with maybe the manufacturer,
but rather a problem with the underlying protocol
and just assumptions that were made,
there is enough public pressure
that causes that company to then resolve that issue
due to the public pressure,
not due to the vulnerability itself. Because that's often what companies are trying to do and no fault to them. They're trying
to do what their customers want, right? They're trying to do what might move the needle for them.
And I found that this is an effective and appropriate way, I believe, to move the needle
in a direction that I believe will help many people overall, rather than just the manufacturer
or a company or a specific organization. Has any company gotten upset with you and tried to come after you for some reason of,
you know, disclosing vulnerabilities in their system publicly?
I've gotten cease and desist many times. And I'm extremely fortunate that the EFF,
the Electronic Frontier Foundation, they have actually been very helpful to me. And
they're a nonprofit of attorneys who are really just looking out for consumers and digital rights. So your ability to have free speech online, your ability to inspect
the software and hardware you use, the ability to own the things that you purchase. I mean,
there are companies who are trying to take this away from us. But the EFF, I've been really
fortunate where they've defended me in some of these regards. And so I've never had to succumb
to and actually agree to a cease
and desist to this day. For the last decade, Sammy has continued to take on very interesting
projects, hacking into stuff and exposing vulnerabilities. Like another thing he found
was that smartphones were tracking their users without their knowledge, which was a revelation
that led to a class action lawsuit.
This all started because I was looking at, I think, a beta version of Firefox at the time.
And I was looking at the release notes and it talked about geolocation.
And I said, cool, that's interesting.
Like I've always been interested in location, like being able to locate where someone is,
whether it's on their cell phone or their computer or laptop or whatever.
And, you know, there's always been these geo IP databases that sort of give you a geography, but really they're maybe accurate to the city, but often not.
And even city accuracy is not that great.
So I saw this thing about HTML5 geolocation in a Firefox beta,
and I started investigating.
I wrote some code according to the API of how it worked.
I ran it.
And all of a sudden, my browser showed me exactly where I was.
Like literally, it showed me the physical address of my home. And I was like, that's absolutely
crazy. I'm on a laptop and my laptop does not have GPS. I know that for a fact. So how does it know
where I am? And I started sniffing the packets to see where it was going. I mean, granted, you
could just look at the source code. It's Firefox, so it's open source. And after sniffing and I think maybe intercepting the TLS, I saw that it's
taking all of the wireless MAC addresses, all of the unique MAC addresses of all the routers around
you and APs and sending that to Google. So even if your wireless routers are encrypted, and even if
you don't have one, and there are other people who have them, even if they're encrypted, the MAC
address is a unique identifier that isn't encrypted. And your computer sends all of those to Google. And Google returns the exact location
that you're located. And you're also sending not only the wireless routers, but the signal
strength of each of them. So then they can actually perform what's called trilateration,
like triangulation. But essentially, they use that signal strength, then really accurately
determine where you are. And I'm like, this is absolutely crazy.
How are they figuring all this out?
And I found that you're basically sending all these unique MAC addresses of all these routers around you.
And Google would send back your exact location.
So then I'm wondering, well, how does Google know where all these routers are?
And I thought about it some and I thought about it some more.
And then I realized, oh, there's these Google Street View cars. And these Google Street View cars are driving around
and they have cameras on them. And that's where you get Street View from, right? That really
helpful feature of Google Maps where you can see like a Street View. And I realized that they must
have computers and like Wi-Fi systems on there that are also monitoring for these Wi-Fi MAC
addresses and then correlating it with the GPS of the
street view car and then uploading it all to Google. And that's how they're getting this
information. And I was like, that's really clever. And I started doing talks about this because I
then found a way that I could essentially use that API and use it for myself whenever someone
visits my website and I could see exactly where they were. And I could even show them, I'd be
like, you'd come to my website without your authorization. I could then send your MAC
address and find where you are. And I was talking about this in Bratislava, Slovakia.
And afterwards, someone said, hey, Samy, it's interesting, but fortunately, this does not apply
to us because Google Street View cars are not allowed here. Interesting. So I'll just give it
a shot and tried running it just to confirm. And oddly enough, it still worked. It actually
worked very accurately. And I was like, wait a second. I don't think Google's lying. I don't believe that they are doing something illegal. I don't think they have Street View cars when they say they're not doing
that. And you would notice, I mean, those cars stick out with these massive sensors on top of
them. So what else might Google have access to, especially in somewhere random like Bratislava?
And I thought a little bit more and then realized, oh, wait, Android phones.
There are Android phones everywhere.
And I wonder if these Android phones are actually war driving machines.
And after doing reverse engineering some binary blobs on Android devices,
this was not actually in the source code that I could find.
I found these binaries that were essentially grabbing all Wi-Fi MAC addresses
and sending the signal strength of all these wireless routers
up to Google along with GPS coordinates.
So essentially every Android phone in existence
is a war driving machine for Google
that's grabbing all this information,
grabbing all this location data.
So even if you don't use an Android phone,
other Android phones near you
are then taking your router's information
and sending it up with the location.
Samy also figured out that iPhones were doing the same thing,
but sending the data to Apple instead of Google.
And what's worse is that in some cases,
this was happening even after users turned off the location services or GPS.
Well, this was encrypted, so it took a little time to really understand
what was going on and reverse engineer some of that stuff.
And to really just demonstrate this as a fun proof of concept,
I created a tool,
really just a simple mobile app that behaved just like Google Maps. And I found that Google was
actually doing something really clever with their information. Not only were they collecting where
everyone was at all times via Android devices, but that's also how they collect traffic. So that's
how you know whether a street is green, yellow, or red, and whether there's traffic or not in
Google Maps is because all of the phones are constantly delivering their GPS location. And if you time that, if you say,
all right, I'm here now, and in 10 seconds, I'm here, well, you can calculate the distance they
traveled over that time and know how fast they're moving. So that's how they get Google Maps traffic.
So Samy thought about this for a minute and realized if the Android phones are the ones that
are delivering data to Google and giving the traffic updates for the Google Maps.
Could he somehow exploit that?
Could he somehow trick Google servers into thinking there's a traffic jam when there's really not?
I created an app that was just like Google Maps.
And you start from point A and say, I'm at this location and I want to drive to wherever, to West Hollywood.
And it would give you turn by turn directions. But on those turn by turn directions of my route, it would simultaneously
pretend to be thousands and thousands of other Android devices. And all those devices, all those
fake devices would send up information to Google saying, Hey, I'm one of these Android devices,
and I'm moving zero miles per hour. So all of a sudden my route, the route that my app gave me
would turn red and black
for everyone else. And they would get diverted to different routes on Google Maps. And hopefully my
route would be a little bit faster as there would be less cars on the road. And that was sort of my
proof of concept to demonstrating sort of this issue. And some of this could even continue even
when you turned off these features like location. I love this hack to make it so wherever you drive, Google traffic is diverting drivers to go away from you because it's congested wherever you are,
even though it's not congested where you are, you're just sending fake data to Google.
It's just brilliant. Yeah. And you know, it's the proof of concept just to poke fun at the
information and kind of just demonstrate like what this information is capable of doing. While this is cool, the underlying issue here is that users were unknowingly sending their exact
location to Google. And I don't know about you, but I don't personally like that Google knows
exactly where my phone is at all times. I just think it's a violation of privacy of some sort.
And you know what? I'm not the only one who thinks that.
Yeah. So ultimately, you know, the biggest issue was that people weren't accepting that, A, they were sending all this data. So ultimately, both Google and Apple had to appear on Capitol Hill because they
previously said, no, we're not tracking you. And, you know, this research demonstrated that, yes,
in fact, they were tracking exactly where you are virtually at all times. And in some cases,
against your consent, when you turned off location services on Apple, again, those devices were still sending information that allowed full
location of where you were because it was sending MAC addresses, which they already knew where those
were. So it's simply one step correlation in a database they already have. So it's not really
fair to say that they're not grabbing that information. And ultimately, you know, they
did resolve these things. You know, it's funny that the same thing is still happening, right?
All these phones are still doing the same things.
The only difference is now you click okay
when they say they do it.
But the benefit here is that for people
who don't want this sort of technology to run,
they can say no on their phone.
The scary thing though,
is that even if you don't even have one of these phones,
it's all the phones around
that are still collecting that information of your router,
of the devices on your network, even though it's somebody else's device.
I saw a video the other day about a guy who put like 100 Android cell phones all in a
wagon and slowly walked down the road.
And this triggered the Google location API thing to make it show that the road was really
congested and made it turn red as well. So it looks like this
API is still under attack
just by researchers and people doing
weird stunts and stuff.
So yeah, Samy
has a pretty cool YouTube channel. You should check that
out. And he's also given a lot of talks
at various conferences
like, jeez, all over the world.
How many talks have you given
at this point, Samy?
I don't know, maybe 50 or so.
Where are you working now? And after all this, I mean, this is just such a whirlwind life you've had so far.
I've started a company called OpenPath with some friends and we've been growing quite a bit.
I've done some research in RFID and cloning badges and being able to demonstrate how to
break into buildings. Many years ago, we found that technology has not changed in the 10 years since I've looked. I wrote software that was able to sort of clone badges and
break into various levels of security for physical access for buildings. And we were sitting around
and thinking, well, why is this still a problem? And it's still inconvenient. Why do I have to
carry around this thick card in my wallet? I'm trying to get rid of my wallet. And we ended up
building this business called OpenPath where you could essentially have physical access control for businesses and buildings
where, A, you don't need a card. You could use a card if you wanted, but you could just use your
phone. Your phone actually has really strong encryption. We have things like TLS. We have
AES. We have open encryption standards that people have been trying to break for many,
many years and haven't, that are entirely open and can be inspected by anyone.
So we're using those technologies to essentially unlock doors and you don't even need to pull your phone out.
You literally just get within Bluetooth range of one of these devices and you can walk right in as
long as you have authorization. So we're trying to really make a really modern and cloud-based
and secure way of getting into buildings that is just really convenient because I'm just trying
to get rid of the things in my wallet. And this kind of technology, it's just really interesting.
Yes, that technology is interesting, but so much technology is interesting. And we live in a time
where technology is in abundance all around us. And if you think about technology as much as Sammy
does, it's like a playground for him to be able to tinker with it all and take it apart and put
it back together in ways it was never intended. Sammy's hacker mindset is still going strong today, and it will probably be strong for decades more to
come, provided he doesn't accidentally launch another worm and take down the largest social
networking website once again. A big thank you to Samy Kamkar for coming on and telling us all this.
To learn more about what Samy's up to, check out his website.
It's samy.pl.
This show is created by me, a replicant, Jack Rhysider.
Production assistance from John Killish.
Sound design by Andrew Merriweather.
The theme music was created by the mysterious Breakmaster Cylinder.
And even though some bro is going to ask me how to make money on the Darknet, every time I say it, this
is Darknet Diaries.