Lamo pleads guilty to NY Times hack

Faces jail


Hacker Adrian Lamo plead guilty Thursday to federal computer crime charges arising from his 2002 intrusion into the New York Time internal network, and faces a likely six to twelve months in custody when he's sentenced in April.

In a plea deal with prosecutors, Lamo, 22, admitted to cracking the Times network and recklessly causing damage exceeding $5,000. Both sides agreed on the six to twelve month sentencing range which, under federal guidelines, could permit Lamo to serve his sentence under house arrest or confined to a halfway house, at the court's discretion. The judge is not bound by the sentencing recommendation, and could technically sentence Lamo to as much as five years in custody-- though it's unlikely. The hacker also potentially faces $15,000 to $20,000 in fines, and could be ordered to pay financial restitution.

Clad, uncharacteristically, in a sports coat and loafers, Lamo answered federal judge Naomi Buchwald in a calm and clear voice Thursday as she meticulously reviewed his rights as a defendant, and asked if he wished to waive his right to a jury trial. Lamo told Buchwald that he regretted causing the Times financial harm. "I knew that I crossed the line," said Lamo. "I am genuinely remorseful."

"He has always indicated that he's willing to accept responsibility for what he did," said Lamo's defense attorney, federal public defender Sean Hecker, after the appearance.

In a statement, Times spokesperson Christine Mohan said Lamo's intrusion "was a serious offense, and we appreciate that it was treated as such by the authorities."

The federal case against Lamo began in February, 2002, when, according to court documents, FBI agent Christine Howard read about the New York Times hack on SecurityFocus, which first reported on the incident. Lamo said at the time that he penetrated the Times after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.

Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services.

He also added his real name, phone number and e-mail address to a database of 3,000 contributors to the Times op-ed page, where he listed himself as an expert in "Computer hacking, national security, communications intelligence."

Financial losses disputed

Prosecutors charged Lamo with the intrusion last September, and in an affidavit Mohan accused the hacker of racking up $300,000 in charges by conducting 3000 searches on the Lexis-Nexis news and legal databases service under the Times' corporate account. Lamo said at the time that the figure had "no basis in fact", and Thursday's plea suggests that it was at least exaggerated: both sides stipulated that the hacker caused between $30,000 and $70,000 in losses through a combination of his unauthorized Lexis-Nexis use, and his access to an unprotected Microsoft customer service database. (The Microsoft incident, which took place in 2001, was unrelated to the Times intrusion, but was included in the plea as "relevant conduct" for sentencing purposes)

Thursday's guilty plea caps an aggressive FBI investigation that generated controversy last September when the Bureau notified a dozen journalists who had covered the hacker's antics that it intended to subpoena reporters' notes-- a threat that was later withdrawn as inconsistent with Justice Department policy.

In the months that followed, the probe saw FBI agents contacting a Who's Who of figures in the computer security and hacking community, some with no obvious connection to Lamo, like @stake's Chris Wysopal, and Tsutomu Shimomura, the researcher who helped the FBI track then-fugitive hacker Kevin Mitnick in 1995. Field agents also interviewed the nomadic hacker's friends and associates around the country, toting a list of questions that covered everything from Lamo's motives as a hacker, to queries about his social life. "They kind of tried to make me feel like I did something," said Lamo friend Matt Griffiths. "They asked if I was a hacker, if I ever hacked anything, what kind of programs I used."

The FBI didn't return a phone call on the case.

Lamo has become something a tech-media darling for his rootless, wandering lifestyle -- Wired News dubbed him the "Homeless Hacker" -- combined with his habit of publicly exposing security holes at large corporations, then voluntarily helping the companies fix the vulnerabilities he exploited, sometimes visiting their offices or signing non-disclosure agreements in the process.

Until the Times hack, Lamo's cooperation and transparency kept him from being prosecuted, even after hacking Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser. Some companies even professed gratitude for his efforts: In December, 2001, Lamo was praised by communications giant WorldCom after he discovered then helped close security holes in their intranet.

Lamo said after the court appearance Thursday that his plea agreement does not preclude the government charging him for some of his other intrusions, but, "there's sort of an understanding, which may or may not hold."

The hacker also says he's through committing computer crimes. He remains free on bail, obliged by court order to live with his parents and either work or attend school. He's now a student at a community college in Sacramento, California, where he's studying journalism.

Copyright © 2004, SecurityFocus logo


Other stories you might like

  • Zuckerberg sued for alleged role in Cambridge Analytica data-slurp scandal
    I can prove CEO was 'personally involved in Facebook’s failure to protect privacy', DC AG insists

    Cambridge Analytica is back to haunt Mark Zuckerberg: Washington DC's Attorney General filed a lawsuit today directly accusing the Meta CEO of personal involvement in the abuses that led to the data-slurping scandal. 

    DC AG Karl Racine filed [PDF] the civil suit on Monday morning, saying his office's investigations found ample evidence Zuck could be held responsible for that 2018 cluster-fsck. For those who've put it out of mind, UK-based Cambridge Analytica harvested tens of millions of people's info via a third-party Facebook app, revealing a – at best – somewhat slipshod handling of netizens' privacy by the US tech giant.

    That year, Racine sued Facebook, claiming the social network was well aware of the analytics firm's antics yet failed to do anything meaningful until the data harvesting was covered by mainstream media. Facebook repeatedly stymied document production attempts, Racine claimed, and the paperwork it eventually handed over painted a trail he said led directly to Zuck. 

    Continue reading
  • Florida's content-moderation law kept on ice, likely unconstitutional, court says
    So cool you're into free speech because that includes taking down misinformation

    While the US Supreme Court considers an emergency petition to reinstate a preliminary injunction against Texas' social media law HB 20, the US Eleventh Circuit Court of Appeals on Monday partially upheld a similar injunction against Florida's social media law, SB 7072.

    Both Florida and Texas last year passed laws that impose content moderation restrictions, editorial disclosure obligations, and user-data access requirements on large online social networks. The Republican governors of both states justified the laws by claiming that social media sites have been trying to censor conservative voices, an allegation that has not been supported by evidence.

    Multiple studies addressing this issue say right-wing folk aren't being censored. They have found that social media sites try to take down or block misinformation, which researchers say is more common from right-leaning sources.

    Continue reading
  • US-APAC trade deal leaves out Taiwan, military defense not ruled out
    All fun and games until the chip factories are in the crosshairs

    US President Joe Biden has heralded an Indo-Pacific trade deal signed by several nations that do not include Taiwan. At the same time, Biden warned China that America would help defend Taiwan from attack; it is home to a critical slice of the global chip industry, after all. 

    The agreement, known as the Indo-Pacific Economic Framework (IPEF), is still in its infancy, with today's announcement enabling the United States and the other 12 participating countries to begin negotiating "rules of the road that ensure [US businesses] can compete in the Indo-Pacific," the White House said. 

    Along with America, other IPEF signatories are Australia, Brunei, India, Indonesia, Japan, South Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand and Vietnam. Combined, the White House said, the 13 countries participating in the IPEF make up 40 percent of the global economy. 

    Continue reading
  • 381,000-plus Kubernetes API servers 'exposed to internet'
    Firewall isn't a made-up word from the Hackers movie, people

    A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse.

    Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network.

    "While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface," Shadowserver's team stressed in a write-up. "They also allow for information leakage on version and build."

    Continue reading
  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading
  • GitLab version 15 goes big on visibility and observability
    GitOps fans can take a spin on the free tier for pull-based deployment

    One-stop DevOps shop GitLab has announced version 15 of its platform, hot on the heels of pull-based GitOps turning up on the platform's free tier.

    Version 15.0 marks the arrival of GitLab's next major iteration and attention this time around has turned to visibility and observability – hardly surprising considering the acquisition of OpsTrace as 2021 drew to a close, as well as workflow automation, security and compliance.

    GitLab puts out monthly releases –  hitting 15.1 on June 22 –  and we spoke to the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, about what will be added to version 15 as time goes by. During a chat with the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, The Register was told that this was more where dollars were being invested into the product.

    Continue reading

Biting the hand that feeds IT © 1998–2022