Feds say Lamo inspired other hackers

'Palpable fear'

The final act in the saga of Adrian Lamo's hacking adventures ended with a contrite message from the once brash cyber outlaw, and a grim denunciation from his prosecutor, who blamed the hacker for inspiring other computer intruders.

In a hearing in New York last July, Lamo, 23, was sentenced to six months of house arrest followed by two years probation, and ordered to pay $65,000 in restitution, for intruding into the New York Times' internal network and conducting thousands of database searches using the newspaper's Lexis-Nexis account. The hearing was not publicized in advance and no reporters attended.

A transcript obtained this month by SecurityFocus shows an apologetic Lamo professing remorse for the actions that made him famous.

"Since all this started, I have had a great deal of opportunity and time to see many of the effects of the things that I have done, how they have harmed the companies that I compromised, how they harmed me, how they harmed my family, how really they have harmed so many people around me," Lamo told federal judge Naomi Reice Buchwald.

"I've hidden behind a facade of words in some of the statements that I have made and some of the things that I have said, and for me really it's been an alternative between seeming flip or walking around in constant gloom," Lamo said. "This is a process I want no further part in. I want to answer for what I have done and do better with my life."

The Homeless Hacker

Lamo began publicly exposing security holes at large corporations in May, 2001, when he warned the now-defunct broadband provider ExciteAtHome that its customer list of 2.95 million cable modem subscribers was accessible to hackers. He worked with the company at its California office to close the hole before going public with the hack. He followed that up that with high-profile hacks of Yahoo!, Microsoft, Worldcom, Blogger, and other companies, usually using nothing more than an ordinary web browser, and often offering to help the companies close the holes he exploited. Some of Lamo's victims have even professed gratitude for his efforts: In December, 2001, he was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

In February, 2002, Lamo penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their web browser. Once inside he hacked passwords to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders. He capped off the hack by adding himself to a database of 3,000 contributors to the Times op-ed page.

Unemployed and frequently found living out of a backpack and traveling the country by Greyhound, Lamo was dubbed "the Homeless Hacker" by the press, and he inspired an online "Free Lamo" movement by his admirers after he was finally hit with a federal indictment for the Times intrusion last year. He pleaded guilty in a deal with prosecutors in January.

"Palpable Fear"

At Lamo's sentencing, assistant US attorney Joseph DeMarco said Lamo had caused serious financial harm, and was responsible for "a great deal of psychological injury" to his victims. "Until they got to the bottom of what Mr. Lamo had done, they were put in real fear, and I can tell your honor, from speaking to those victims, that it was palpable."

The prosecutor then zeroed in on Lamo's Robin Hood image.

"For better or worse, Mr. Lamo has become a source of attention not only to the public and press at large, but also to members of his generation and other individuals in the computer community," DeMarco continued. "Whether or not Mr. Lamo sought to inspire those people or was neutral on that subject, the fact remains that we really won't know how many computer hackers Mr. Lamo has inspired by his misdeeds. We won't know what damage those hackers will do."

Lamo's attorney, Sean Hecker, told the court that Lamo "has a lot of growing up to continue to do," but emphasized that the hacker had stopped talking to the press, was attending counseling sessions, and was doing well as a journalism student at a local community college.

Lamo could have gotten as much as a year in prison under the terms of his plea agreement. In passing down the lighter sentence, Buchwald said it shouldn't be mistaken for slap on the wrist.

"Anyone who thinks that this is a light sentence simply because there is a harsher alternative I think is sorely mistaken," said Buchwald. "Mr. Lamo is now I think 22, 23. He will have a felony conviction on his record the rest of his life."

Copyright © 2004, 0

Related stories

NY Times hacker sentencing delayed
Lamo pleads guilty to NY Times hack
Fame, Infame, All the Same
FBI bypasses First Amendment to nail a hacker
Lamo denies $300,000 database hack
NY Times hacker surrenders, is released
NY Times hacker set to surrender
FBI reportedly hunting Adrian Lamo
Point! click! get! root! on! Yahoo!
Google closes Blogger security holes
Lamo bumped from NBC after hacking them
NY Times sicks FBI on MSNBC journo
Panel debates Samaritan-hack amnesty
New York Times internal network hacked
Lamo strikes again: WorldCom

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022