Lamo bumped from NBC after hacking them

'Helpful hacker' demonstrates techniques on camera


How did a mediagenic hacker like Adrian Lamo get himself bumped last week from a scheduled appearance on the NBC Nightly News with Tom Brokaw? Perhaps with his impromptu on-camera intrusion into the peacock network's own computers.

The vagabond hacker known for his drifter lifestyle and his public forays into large and poorly-secured corporate intranets sat down at a Washington D.C. Kinko's laptop station earlier this month with a freelance NBC news producer to show-off his particular style of hacking -- the 21-year-old typically uses little more than an ordinary browser, possessing an eerie knack for finding undocumented Web servers and open proxies at large organizations.

That method has gotten Lamo deep into the electronic infrastructures of such companies as troubled telecom giant Worldcom, Internet portal Yahoo, and most recently the New York Times, where last February he exploited lax security to tap a database of 3,000 Times op-ed contributors, culling such tidbits of information as Robert Redford's social-security number, and former president Jimmy Carter's home phone number. But unlike most intruders, Lamo eventually goes public with his discoveries, and offers to help those he's hacked tighten their security pro bono -- an offer that's been accepted by several of his corporate targets. So far Lamo's managed to avoid prosecution, though federal officials in New York are believed to be investigating him for the Times hack.

Lamo says NBC was taping him at Kinko's while he demonstrated security holes in a telecommunications company's systems, when the interviewer asked him if he'd be successful hacking NBC.

Five minutes and one guessed password later and Lamo was surfing the television network's private messaging system and an affiliate scheduling application that included internal memos and information on advertising rates. Screen shots of the hack provided by Lamo and reviewed by SecurityFocus Online include a page from an NBC vendor database with the network's trademark "living color" peacock and the warning, "All information contained on this Web site is to be held in the strictest confidence," in all capital letters. "It was a very full service system," recalls Lamo.

The videotaped intrusion was rushed onto the NBC Nightly News schedule, where it was slated to run last Thursday. But it was abruptly yanked off the schedule at the last minute. NBC News' spokesperson didn't return repeated phone calls on the segment, but a source close to the production, speaking on condition of anonymity, says network lawyers pulled the plug on the Lamo package out of concern that NBC might have acted improperly in filming the hacker committing computer crimes for the sake of the camera.

Legal Pitfalls?
The hacker says he wasn't coerced into doing anything illegal, and that he'd have likely wound up at the same Kinko's cracking corporate networks even without the camera crew -- an assertion that few who've met Lamo would dispute. But former federal computer crime prosecutor Matt Yarbrough, now an attorney with Fish & Richardson, says NBC's barristers did the right thing anyway, given broad federal conspiracy and computer crime laws. "If I was their lawyer, I'd be concerned if they were sitting there filming it," says Yarbrough. But the attorney adds that spiking the story may not entirely solve the problem. "Arguably, the crime has already taken place whether they air it or not."

It's not entirely clear what that crime would be. Other journalists (including this reporter) have observed lawbreaking for the purpose of reporting on it, and Lamo's intrusion into NBC's systems may not have been illegal to begin with, since the producer arguably gave Lamo permission to proceed. As for the telecom company, "It's not aiding and abetting a crime just because you had an appointment to get together and be shown," says Jennifer Granick, director of the Center for Internet and Society at Stanford Law School. "Apparently, he already has access to these systems, so it was something he was able to do, and was inclined to do, and the reporter was just watching... Being witness to somebody else breaking the law is not itself a violation."

But Kelly McBride, an ethics instructor at the Poynter Institute, a journalism research center, calls the taping "borderline lawbreaking," and says NBC News should have checked with their legal department before shooting, and found another way to tell the story if necessary.

"If the journalistic motivation is to show the public how easy it is or how vulnerable we all are... it's a good story and it's one of holding powerful people accountable," says McBride. "Maybe they should have just talked to the lawyers first. It's not like this is so urgent that they have to get it on the air, it's not the Pentagon Papers. ... A little front end work to identify the pitfalls would have made it a good story."

For his part, Lamo, who's not known for shrinking from controversy, charges the network with a failure of courage. "I can understand where they're coming from," says Lamo, in a telephone interview from somewhere on the East Coast. "But I like to think that in their place I'd take more of a risk."

© 2002 SecurityFocus.com, all rights reserved.


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading
  • FTC signals crackdown on ed-tech harvesting kid's data
    Trade watchdog, and President, reminds that COPPA can ban ya

    The US Federal Trade Commission on Thursday said it intends to take action against educational technology companies that unlawfully collect data from children using online educational services.

    In a policy statement, the agency said, "Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools."

    The agency says it will scrutinize educational service providers to ensure that they are meeting their legal obligations under COPPA, the Children's Online Privacy Protection Act.

    Continue reading
  • Mysterious firm seeks to buy majority stake in Arm China
    Chinese joint venture's ousted CEO tries to hang on - who will get control?

    The saga surrounding Arm's joint venture in China just took another intriguing turn: a mysterious firm named Lotcap Group claims it has signed a letter of intent to buy a 51 percent stake in Arm China from existing investors in the country.

    In a Chinese-language press release posted Wednesday, Lotcap said it has formed a subsidiary, Lotcap Fund, to buy a majority stake in the joint venture. However, reporting by one newspaper suggested that the investment firm still needs the approval of one significant investor to gain 51 percent control of Arm China.

    The development comes a couple of weeks after Arm China said that its former CEO, Allen Wu, was refusing once again to step down from his position, despite the company's board voting in late April to replace Wu with two co-chief executives. SoftBank Group, which owns 49 percent of the Chinese venture, has been trying to unentangle Arm China from Wu as the Japanese tech investment giant plans for an initial public offering of the British parent company.

    Continue reading
  • SmartNICs power the cloud, are enterprise datacenters next?
    High pricing, lack of software make smartNICs a tough sell, despite offload potential

    SmartNICs have the potential to accelerate enterprise workloads, but don't expect to see them bring hyperscale-class efficiency to most datacenters anytime soon, ZK Research's Zeus Kerravala told The Register.

    SmartNICs are widely deployed in cloud and hyperscale datacenters as a means to offload input/output (I/O) intensive network, security, and storage operations from the CPU, freeing it up to run revenue generating tenant workloads. Some more advanced chips even offload the hypervisor to further separate the infrastructure management layer from the rest of the server.

    Despite relative success in the cloud and a flurry of innovation from the still-limited vendor SmartNIC ecosystem, including Mellanox (Nvidia), Intel, Marvell, and Xilinx (AMD), Kerravala argues that the use cases for enterprise datacenters are unlikely to resemble those of the major hyperscalers, at least in the near term.

    Continue reading

Biting the hand that feeds IT © 1998–2022