The final act in the saga of Adrian Lamo's hacking adventures ended with a contrite message from the once brash cyber outlaw, and a grim denunciation from his prosecutor, who blamed the hacker for inspiring other computer intruders.
In a hearing in New York last July, Lamo, 23, was sentenced to six months of house arrest followed by two years probation, and ordered to pay $65,000 in restitution, for intruding into the New York Times' internal network and conducting thousands of database searches using the newspaper's Lexis-Nexis account. The hearing was not publicized in advance and no reporters attended.
A transcript obtained this month by SecurityFocus shows an apologetic Lamo professing remorse for the actions that made him famous.
"Since all this started, I have had a great deal of opportunity and time to see many of the effects of the things that I have done, how they have harmed the companies that I compromised, how they harmed me, how they harmed my family, how really they have harmed so many people around me," Lamo told federal judge Naomi Reice Buchwald.
"I've hidden behind a facade of words in some of the statements that I have made and some of the things that I have said, and for me really it's been an alternative between seeming flip or walking around in constant gloom," Lamo said. "This is a process I want no further part in. I want to answer for what I have done and do better with my life."
The Homeless Hacker
Lamo began publicly exposing security holes at large corporations in May, 2001, when he warned the now-defunct broadband provider ExciteAtHome that its customer list of 2.95 million cable modem subscribers was accessible to hackers. He worked with the company at its California office to close the hole before going public with the hack. He followed that up that with high-profile hacks of Yahoo!, Microsoft, Worldcom, Blogger, and other companies, usually using nothing more than an ordinary web browser, and often offering to help the companies close the holes he exploited. Some of Lamo's victims have even professed gratitude for his efforts: In December, 2001, he was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.
In February, 2002, Lamo penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their web browser. Once inside he hacked passwords to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders. He capped off the hack by adding himself to a database of 3,000 contributors to the Times op-ed page.
Unemployed and frequently found living out of a backpack and traveling the country by Greyhound, Lamo was dubbed "the Homeless Hacker" by the press, and he inspired an online "Free Lamo" movement by his admirers after he was finally hit with a federal indictment for the Times intrusion last year. He pleaded guilty in a deal with prosecutors in January.
At Lamo's sentencing, assistant US attorney Joseph DeMarco said Lamo had caused serious financial harm, and was responsible for "a great deal of psychological injury" to his victims. "Until they got to the bottom of what Mr. Lamo had done, they were put in real fear, and I can tell your honor, from speaking to those victims, that it was palpable."
The prosecutor then zeroed in on Lamo's Robin Hood image.
"For better or worse, Mr. Lamo has become a source of attention not only to the public and press at large, but also to members of his generation and other individuals in the computer community," DeMarco continued. "Whether or not Mr. Lamo sought to inspire those people or was neutral on that subject, the fact remains that we really won't know how many computer hackers Mr. Lamo has inspired by his misdeeds. We won't know what damage those hackers will do."
Lamo's attorney, Sean Hecker, told the court that Lamo "has a lot of growing up to continue to do," but emphasized that the hacker had stopped talking to the press, was attending counseling sessions, and was doing well as a journalism student at a local community college.
Lamo could have gotten as much as a year in prison under the terms of his plea agreement. In passing down the lighter sentence, Buchwald said it shouldn't be mistaken for slap on the wrist.
"Anyone who thinks that this is a light sentence simply because there is a harsher alternative I think is sorely mistaken," said Buchwald. "Mr. Lamo is now I think 22, 23. He will have a felony conviction on his record the rest of his life."
NY Times hacker sentencing delayed
Lamo pleads guilty to NY Times hack
Fame, Infame, All the Same
FBI bypasses First Amendment to nail a hacker
Lamo denies $300,000 database hack
NY Times hacker surrenders, is released
NY Times hacker set to surrender
FBI reportedly hunting Adrian Lamo
Point! click! get! root! on! Yahoo!
Google closes Blogger security holes
Lamo bumped from NBC after hacking them
NY Times sicks FBI on MSNBC journo
Panel debates Samaritan-hack amnesty
New York Times internal network hacked
Lamo strikes again: WorldCom