Twitter Worm-Writer Gets a Gig
An Oregon-based Web application developer Friday confirmed he has hired the teenager who admitted attacking Twitter with several different worms last weekend.
Travis Rowland, of Hammond Ore. said that he had offered a job to Michael "Mikeyy" Mooney, a 17-year-old who said last week he had written at least two of the worms that struck Twitter starting on April 11.
In a telephone interview on Friday, Rowland, the CEO of exqSoft Solutions, described his company as doing "custom Web application development, primarily geared toward businesses."
Mooney came to his attention because of the Twitter worms, Rowland acknowledged. "I contacted him and saw his Web site, and thought it was interesting," said Rowland. "Then I talked to him and found out he did it all by hand, so I asked him if he wanted to work as a programmer."
Rowland said that Mooney would also be involved doing "security analysis for us, to make sure our applications are as secure as they can be."
The attacks against Twitter began early last Saturday and continued in several waves through parts of Monday. Mooney, who goes by the nickname "Mikeyy," assumed responsibility for the first two worms, dubbed "StalkDaily" and "Mikeyy" in a message posted to his Web site and in later interviews.
StalkDaily and Mikeyy exploited one or more cross-site scripting or cross-site request forgery vulnerabilities in Twitter to infect user profiles. The first attack relied on tweets that referred to several malicious accounts allegedly created by Mooney; when users viewed those accounts' profiles, their own profiles became infected, and their accounts then sent more spam-style messages to entice friends to the just-infected profiles.
Rowland denied that hiring Mooney was a publicity stunt, but admitted the buzz was a nice benefit. "Any publicity is good publicity, he said. "I can't argue with that, but it's just a perk. If I can get [Mooney] on the right track, it works out for everybody." Mooney, who reportedly lives in Brooklyn, N.Y., is currently work for exqSoft. "He's already started, he's working from his computer, more as an apprentice," said Rowland. "I outsource to developers all around the world."
Rowland said that he has about 20 people on the payroll.
Earlier this week, Rowland had asked Stone not to take legal action against Mooney. "@biz hope u guys don't file lawsuit against him, hope u understand Mikeyy did u favor and could have compromised personal information," Rowland wrote in a tweet sent last Sunday.
At least one security researcher had a problem with Mooney's hiring. "It appears largely to get publicity for this company [exqSoft]," said Graham Cluley, a senior technology consultant with U.K.-based security vendor Sophos. "This is a real dangerous message, that if you're a young lad, the way to get noticed and get a job is to do something incredibly irresponsible."
"The last thing we want is a wave of other kids exploiting software and Web sites, in the hope that they might be rewarded with a job offer," Cluley said. "If that's what it takes to get a job, we're headed for chaos."
Mooney should have disclosed the vulnerability to Twitter before going public, Cluley argued. Doing anything else opened not just Twitter, but its millions of users, to attack. "The potential was there to expose a lot of peoples' information," said Cluley. "We have to be grateful, I suppose, that that didn't happen.
Mooney's hiring wasn't the first for a hacker, or even a teenaged hacker. In 2004, German security firm Securepoint hired then-18-year-old Sven Jaschan as a security software programmer. During his trial a year later, Jaschan admitted to creating Sasser, a worm that crashed hundreds of thousands of Windows PCs when it started spreading in April 2004.
"These hackers are praised as geniuses, but that's nonsense," said Cluley.