The “Name Dropping” Worm

Anyone who has used LinkedIn knows that there is a subset of people who simply want to collect the largest number of "contacts" they possibly can (I actually get nervous about the number of people who are apparently willing to "recommend" me even though they barely know me). I am pretty sure the issue of quantity vs. quality with these types of community networks has been brought up, probably a number of times.

Now, you don’t even need anyone’s permission to become a "contact" – just write a little JavaScript worm. "samy" did just that on myspace.com and apparently had over a million best friends within a day or so. Read his whole story – on the surface, it is pretty funny.

Of course, with my security professional hat on, I know how painful it must have been for the security folks at myspace.com to recover. I can only imagine the costs involved. Actually, I can estimate them – since Intermix Media did $79 million in its most recent fiscal year (year ended March, 2005), that translates to about $65k an hour of revenue (assuming all revenue is generated online). Samy says the servers were down for about 2.5 hours, which comes to about $160k in lost revenue. I don’t know what their burn rate is, but it is not uncommon for it to be higher than revenue, so I will take the $160k and reduce it by half to account for unrelated costs (I would include IT salaries and IT cost of capital, so I think for an ebusiness, 50% of expenses is reasonable). That gives a grand "back of the napkin" total of $240k.

The impact on global networks is even more interesting: the more reputation economics, or Whuffies if you like Cory Doctorow, are leveraged for some sort of status, the more important they become to everyone and the more significant the damage.

The technique used is interesting as well. It looks like samy used a lot of obfuscation techniques just to get his script to run. In addition, he leveraged XML-RPC. It isn’t too hard to begin to imagine what could possibly happen in an online marketplace like eBay, for example, if some of these techniques were used. Or in B2B marketplaces where thousands or millions of dollars are changing hands. The heck with reputation, now it’s a money thing…