17-Year-Old Behind Recent Twitter Worm Offered Job After Claiming Responsibility
By KI MAE HEUSSNER
April 17, 2009—
For the social networking darling Twitter, it was a headache and potential threat. But for the young man behind the computer worm that attacked the micro-blogging site this week, it was a fast track to a job.
Called both "Mikeyy" and "StalkDaily," the pesky computer program crashed the tweet-fest for the first time over the weekend, leaving thousands of unwanted messages in its wake.
Infected accounts not only displayed posts left by Twitter users and their followers, but messages directing users to StalkDaily.com and saying things such as "Mikeyy I am done&," "Twitter please fix this" and "Twitter hire Mikeyy."
Well, Twitter did not hire "Mikeyy." But, it looks like someone else will hire 17-year-old Michael "Mikeyy" Mooney.
The teenage programmer told ABCNews.com that after claiming responsibility for the attacks, two companies contacted him with job offers.
And though leading computer security experts do not endorse hacking as way to gain the attention of potential employers, Mooney is hardly the only young programmer to score a job after making headlines for a hack.
A Way to 'Get My Name Out There'
The Brooklyn, N.Y., high school senior told ABCNews.com that he started programming in the sixth grade and over the past few years he's developed about five computer worms. In the ninth grade, he says he was expelled from school for half a year after breaking into the county's school network.
Creating worms is something of a hobby, he said. But in the case of the Twitter worm, it was also something else. "It was a little bit to show the developers of Twitter that there was a problem," Mooney said. "I did the worm to get my name out there & to like companies, not just general people. Since Twitter is so big they'll know who I am for the future."
Mooney said he created the worm because he wanted to prove to Twitter that its site was vulnerable before someone else exploited the flaw and caused more harm.
'Grey Hack' Was a Service?
His attack was a "grey hack," he said, that went over the line but didn't pilfer or store any personal information belonging to Twitter users. Mooney said Twitter hasn't contacted him but said he and his parents have retained a lawyer.
"I'm really getting a bad reputation from it but at the same time people are taking into consideration that even though I did some harm I didn't cause any damage," he said.
Among the negative comments and e-mails, he said, he's also received a number of positive ones, including the job offers.
Travis Rowland, founder and CEO of exqSoft Solutions, a custom Web applications development company, confirmed that he'd offered and that Mooney had accepted a job with his company, starting immediately.
"I contacted him after I saw what he did to Twitter and asked him," Rowland said, adding that Mooney will be doing security analysis and Web development.
The way he sees it, Twitter wasn't paying attention to a basic vulnerability in its system and Mooney's hack was a service.
Mooney Could Have Caused More Trouble But Didn't
Twitter did not immediately respond to requests for comment from ABCNews.com, but said on its blog that it "takes security very seriously and we will be following up on all fronts." It also said that it has identified and secured all of the compromised accounts.
With the knowledge Mooney obtained, Rowland said he could have caused more trouble but chose not to.
"In my opinion, he could have stored the user information on their profiles but he didn't," Rowland said. "He didn't use it to steal personal information."
By hiring Mooney, Rowland isn't only getting new talent but publicized talent, "and I think that's a good thing for our company," he said.
Although some companies might be wary of hiring a rogue programmer, Rowland said he himself could have fallen in a similar category. Now 24 years old, he started programming in his teens.
He couldn't disclose many details but said he once worked in military intelligence and "landed that position in a similar fashion." He said he couldn't disclose what agency he worked for or any other details.
Hacker Have Valuable Skills
And Rowland and Mooney have company.
Just last month, a New Zealand teenager, Owen Thor Walker, who helped a crime gang hack into more than 1 million computers worldwide and skim millions of dollars from bank accounts, landed a job as a security consultant for a telecom company, The Associated Press reported.
In hiring Walker, the company said Thor had the skills that senior executives needed to understand security threats.
And one of the most notorious hackers of all time, Kevin Mitnick, was just 17 when he was first arrested for computer crime.
He broke into computer systems at Novell, Motorola, Sun, Fujitsu and other firms, stealing their software and crashing their machines. He was caught, for the last time, in 1995.
He served four years but now runs his own computer security firm and has written two books including "The Art of Intrusion."
Highly-Publicized Hacking Stories Not the Norm
But many computer security experts caution that these examples aren't the norm.
"Anybody that would release any kind of thing into the wild is not someone we'd ever want to be associated with," said Kevin Haley, the director of security firm Symantec's security response team.
He told ABCNews.com that while security firms obviously look for smart people who understand what unlawful hackers do, there's no need to actually let a worm go out into the wild.
Chris Boyd, the director of malware research for FaceTime, a Belmont, Calif. IT security, management and compliance company, said if young programmers like Mooney spot flaws, there are better ways of alerting companies than exploiting them to make a point.
"Part of security research -- part and parcel of it -- is that companies will ignore you when you bring [flaws] to their attention," he said. "It takes time. If he doesn't want to deal with that, maybe this isn't the field for him."
Yet there are hundreds of thousands of teenagers wreaking all kinds of havoc online, he said, and the ecosystem that supports their Internet mischief rewards illicit hacking.
"There is something that's being perpetuated -- if you go on any number of teen hack forums, there's a section on there that lists the top ten hackers that ever lived. Quite a few of those guys made their ways into a respectable living," Boyd said.
Black Hat Route Is a Myth
But by no means, he emphasized, is the recommended or most effective route. Of the hundreds of people he knows in the security world, none were ever black hats. (In computing lingo, black hats are those who penetrate computers without authorization for profit, fun or protest. White hats, sometimes called "ethical hackers," are computer security professionals hired by companies whose intent is to keep computers and networks safe.)
"It's a bit of a myth, I think that you have to go down the black hat route," he said.
Dan Kaminsky, a computer security consultant for Seattle-based IOActive, Inc., who unveiled a major Internet flaw to the security community last summer, agrees.
"Building a serious career is about giving people reasons to hire you, not reasons not to," he said.
He also highlighted that hackers will likely make less money because the firms hiring them know that they're likely blackballed from other companies.
The public only hears about the hackers that went on to successful careers -- not the ones that never recovered from digital transgressions -- but they're hardly in the majority.
"It's easy to blow something up. But how many people can really crank down to do substantial research to help remedy a problem?" he asked. "That's harder, that makes it more impressive."