Adrian Lamo Charged With Hacking

retro128 writes "Drifting around the US from state-to-state, Adrian Lamo has been making news for some time with his 'White Hat' hacking exploits. His highest-profile hacking has included Excite@Home and Yahoo. After he would break into a network, he would call up those in charge of it and help them fix the holes. So far, it has earned him praise from the administrators of those systems, but now SecurityFocus is carrying the story that the FBI has filed charges against him, and currently has his parents' house staked out. The records are sealed, so nobody knows who is responsible, but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got."

Fit? Stops. R

Adrian : Rule #1 : If you seek credible, first hack your own personal details to requisition a new surname.

Re:Fit? Stops. R

Yep, how do you think the New York Times felt when they'd heard that their site had been hacked by some Lamo? Of course they're going to take it personally! Now if they'd heard that Max Power had hacked into their site... that could have been another matter.

Re:Fit? Stops. R

[jbottero]

There is no such thing as "White Hat" hacking. Hacking is hacking, and when you break into someones network, you are breaking the law.

"OH, I saw you front door was secured with a cheap lock, so I thought I'd come in and drink all your beer and try on all your clean underpants. By the way, I ate all your pizza."

Yeh, those "white hats", all they want is "secure networks"!

Re:Fit? Stops. R

[krymsin01]

I'm sorry, but I think your analogy is unsound. A true white hat hacker doesn't drink the beer, try on the underpants, eat the pizza. More like someone you would drive by with your trunk door open, and they tell you that it's open so that all your stuff, which might be your private underclothes, doesn't end up in the middle of the road for everyone to see.

People often make the assumption that morality dictates law. This is simply not true. In other words, if someone breaks into your system and tells you about it and helps you fix the holes instead of using your system for their own personal gain, then he's done you a favor by doing your job for you and saving your employers money if someone ever did exploit you maliciously.

Re:Fit? Stops. R

[zootread]

I agree that the analogy does not work. I think a better analogy is:

You happen to figure out the combination for the lock of my safe. You open it up, look at all the nudie photos of my girlfriends (and maybe watch one of the videos). So then you tell me you figured out the combination to my safe and opened it. I know what you've seen.

So say a someone breaks in but doesn't appear to do anything malicious. How do you know he didn't look at anything? How do you know he didn't read everyones personal mail, or log any credit card numbers or passwords? You don't. Sure, a true white hat should not be doing these things, but do you really trust someone to be a true white hat?

When I was a teenager, I used to gain unauthorized access to systems for fun, but never did anything malicious. I was a bit of a white hat, and got rid of other people who had cracked the systems. However, I was keenly aware of the fact that I could be arrested and charged heavilly for what I was doing. If you do something illegal, you can be charged for it. Sometimes the law isn't right, but I'm finding it hard to side on Adrian Lamo's case here.

I would love to go around cracking systems for fun and telling the admins how to fix the problems without having to worry about getting arrested. But this is simply not the case.

Re:Fit? Stops. R

[zootread]

I'd also like to add, I don't think the term "white hat" can apply to people who illegally break into systems. A white hat would be someone who sets up his own systems and tests security on them, or has permission to work on a system. He would announce vulnerabilities when he finds them, usually contacting the author of the vulnerable software first. He's the true "good guy" who has done nothing wrong.

There's another term for someone who breaks into systems illegally, but does not do anything malicious, who may or may not do anything to help fix the problems. I believe they are called "grey hats." Hence the grey area here.

Of course the black hats are the true criminals, who are doing other illegal activities besides the break-in (stealing credit card numbers, desctruction/defacing of the systems, etc).

Re:Fit? Stops. R

Well hacking may be hacking but at least he was good enough to help them fix it. He should have trashed their system then everybody wouldn't be discussing him they would just be discussing the fact that the site was fubar from a hacker.

Re:Fit? Stops. R

"A white hat would be someone who sets up his own systems and tests security on them, or has permission to work on a system."

This is hardly practical or applicable to the real world. If you set up your own system, you know where the security flaws are (or aren't). Any server admin. knows there are a hundred ways to set up a server, and only by going into systems set up by someone else can one learn about all the possible flaws.

As for getting permission in advance, how many sysadmins do you know would give a hacker permission to try to get in through security? Nothing good can come from it from the I.T. department's point of view, because a good hacker will get in somewhere and when they do it makes I.T. look bad.

Before all of you get high & mighty and denounce what Adrian did, realize that his way of doing things is probably the only one that works. If the NYT would just check their egos at the door, perhaps they could have benefitted from the experience instead of becoming the laughing stock of the hacker world. And they'd better hire a few more security experts to handle the onslaught of hackers who will now be targeting them as hacker enemy #1...

Re:Fit? Stops. R

[zootread]

This is hardly practical or applicable to the real world.

I disagree. A lot of vulnerabilities are found the way I described. They are only exploited after they've been found and the script kiddies know about it. Doing something illegal is hardly practical, in my opinion.

As for getting permission in advance, how many sysadmins do you know would give a hacker permission to try to get in through security?

I'm talking about hiring a professional to try and penetrate your network in order to determine where the vulnerabilities are. This is what is practical and applicable in the real world. I'm not talking about giving some random kid permission to screw with your network.

Before all of you get high & mighty and denounce what Adrian did, realize that his way of doing things is probably the only one that works.

You mean the one where you get caught?

Re:Fit? Stops. R

[bareminimum]

Next time I'm on the street I'll try to open your door, and then every window, in an attempt to get into your house. Once I'm in, I'll let you know what the problem was so that you can "fix" it.

I'm sure you would like that.

Re:Fit? Stops. R

[CakerX]

Ha, trolls....

The Real Problem

[Goo.cc]

Maybe the real problem that the New York Times has with Lamo is that he was able to read stories without having to register for a free account. (Hell, that stupid registration requirement make me want to hack them too.)

Re:The Real Problem

[Surak]

Yep. That whole &partner=GOOGLE thing will get the FBI after ya. Watch out!

Re:The Real Problem

What the fuck!! Those bastards.

And I thought one of these days, he would be given a medal. Just goes on to show there is no justice in the world.

--Black-By-Pubic-Demand

Re:The Real Problem

[SunPin]

In that case, I'm about to become a fugitive.

Re:The Real Problem

[FsG]

No need to look for new exploits when the existing ones suffice..
1. Click on URL, you're redirected to registration/login page
2. Go to URL bar, replace "www" with "archive" in the URL, leaving the rest alone, and hit ENTER
3. The system will bounce you around a few erroneous URLs, before returning you to the homepage
4. All NYT links will now work without registration, thanks to a special cookie set by the bouncing process

Re:The Real Problem

Nah, the NY Times is ashamed that someone actually found true facts on their web site.

Re:The Real Problem

But in this case, Adrian Lamo used &partner=in_crime

Re:The Real Problem

How did SecurityFocus bring up this security flaw to the the NY Times..??? Did they come right out and say "My Client Adrian Lamo hacked your environment and would like to help you fix it???".. or did they say "My Client believes your Website is vulnerable to hacking and would like to help you correct the problems (for a fee (optionally)). Would you like his help?" Note the two distinctions.. The former is putting blame on Adrian and the other is not.

In my opinion, from a societal point of view, what Lamo did was wrong.. From a humanistic (helping humanity) point of view, he was right. But the point I'm trying to make is that right or wrong the problem was not Adrian.. The problem was SecurityFocus for not portraying Mr Lamos exploits in a manner enabling the NY Times to be more acceptable of his actions (Whether they knew what he did or not).

Just my two cents.

Re:The Real Problem

[shfted!]

I always use &partner=EVILHACKER. They seem to like that too!

Re:The Real Problem

[twofidyKidd]

That's awesome. Just don't be surprised if you end up with a Fed agent at your door serving you with a DMCA complaint.

Re:The Real Problem

Too bad that hack no longer works, atleast with Mozilla

Re:The Real Problem

[Digitalexikon]

LMAO-i agree 110%...to hell with those bastards and their wack registration requirements!!

Re:The Real Problem

Ain't working for me neither:( On Mozilla and IE.

Re:The Real Problem

[dmuth]

5. ???
6. Profit!

Re:The Real Problem

[CodeGorilla]

Why worry about registering at the NYT? Are you wanting to read the latest fiction?

Re:The Real Problem

[crucini]

You're kidding, but maybe it could. The article says Lamo performed almost all his hacking with an ordinary web browser. So it probably consisted of URL modification.

you got beat

[xeeno]

By fark.

Re:you got beat

[LostCluster]

By TechTV... The Screen Savers last night had a live 10 minute phone call with Lamo at 7pm ET.

Re:you got beat

Is that really your webstie, xeeno?

If so, you're kinda cute...in an open sorta way.

Re:you got beat

...and "Preview" obviously means nothing to me.

And good riddance.

[JeffTL]

Who needs more greyhats running around testing security without so much as permission?

Re:And good riddance.

[SerpentDrago]

If you ask and tell theam your going to try to hack. Then they will tighten security. Thats exactly why you can't tell theam. You have to just do it. at a random time without theam knowing , then see if they catch it. Thats the only true way to "test" Do it Blind or it is not real. A BlackHat will never ask or tell you when.

Re:And good riddance.

You are such a moron.

If you ask and tell theam your going to try to hack. Then they will tighten security.

Wait but I thought all you hax0r d00dz where just trying to help people tighten their security?

A BlackHat will never ask or tell you when.

Ya and neither will a burglar or rapist. Most common criminal dirtbags won't and that includes "blackhat hax0rz".

Re:And good riddance.

[the_2nd_coming]

and that is why you for a company like mitnik did that has the job of going to CEOs and COOs and CIOs, setting up a contract with them and then doing it at a random time.

if anyone is interested in the true security of their corprate network, it is the C*Os

Re:And good riddance.

[Shoten]

I think you're confusing what Lamo did with something that the NYT actually gave permission for. I agree with you, that a penetration test should be performed in such a way as to be unexpected, so paranoid admins can't do stupid things to improve the results (like turn off all inbound access for a day). But this wasn't a penetration test, it was nothing more than an uninvited and deeply illegal intrusion plus some spin control for the media.

I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about? I wouldn't, and the resulting cleanup to make sure that nothing more was done is an expensive and disruptive process. This is part of why the damages for relatively minor hacks end up being so enormous in many cases.

We're always pushing ourselves to question what we're being told by the media, by our leaders, by our educators, by big business...we should really question anyone who might have an ulterior motive.

Re:And good riddance.

Ya exactly has anyone ever been busted for hacking that didn't have good intentions?

It's like everyone on trial for shooting someone during a robbery. "Oh I didn't mean to shoot him I just wanted his money..."

Ya, sure, that's what they all say.

Re:And good riddance.

I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about?

If they were up to no good, THEY WOULDN'T HAVE TOLD ME!

Re:And good riddance.

[HidingMyName]

If you ask and tell theam your going to try to hack. Then they will tighten security. Thats exactly why you can't tell theam. You have to just do it. at a random time without theam knowing , then see if they catch it. Thats the only true way to "test" Do it Blind or it is not real. A BlackHat will never ask or tell you when.

Let's try a little analogy and see how you like tha argument.

If I ask you and tell you that I'm going to access your bank account, then you will just tighten security. This is exactly why I need to access your bank account at a random time without you knowing, then see if you catch it. That's the only true way to "test".

It would seem that this argument is weak, because if some whitehat got your social security number, bank info, etc. you'd be upset. How would you know it is really a white hat and NOT a blackhat?

Re:And good riddance.

..Just step away from the keyboard, ok?

Re:And good riddance.

[arose]

Better have them as blackhats...

Re:And good riddance.

[xplenumx]

The University of Washington had a "student run" program where returning students could volunteer to help freshmen move into their dorm room. In return for their help, the UW would supply the volunteers with free food (Usually through SubWay, Dominos, etc, with a student leader ordering the food using UW budget codes). After everyone moved in, the group would disband and everyone would forget about it until the following fall. Approximately six years ago, the student leader who was in charge of ordering food decided in Winter quarter that he would use the budget codes and try to order up some food for him and his friends (http://tinyurl.com/mhck) . What was Eric's excuse when he was eventually caught? "I was just trying to show how insecure the system was" and "I was really doing Res. Life a favor". Sound familiar? Eric Feigenbaum then wrote a series of articles to the student newspaper, The Daily, regarding his experience and how the university didn't appreciate his 'generous act'. Personally I become extremely nervous when someone decides to conduct some unannounced public service, especially through illegal means. Usually the "I'm just misunderstood. I was really trying to help out" excuse comes out after the individual gets caught, but some individuals will come forward first, hoping that it'll cover their tracks. For example, I had one employee to came up to me and said that they learned how to use the copier without first putting in their copy code. Turns out the employee decided to "test" his method by making over 5000 copies over a period of three days (all after hours). Another employee within the firm reported that some equipment was missing (it would have been discovered later that week). It was eventually discovered that the very same employee had stolen the equipment the night before. I don't know the first thing about Adrian Lamo besides what's written in the referenced article. He may be the most honest, altruistic, and generally nice guy in the world. Good for him. The problem is that the next Adrian Lamo may not be.

Re:And good riddance.

How would you know it is really a white hat and NOT a blackhat?

Umm, the Whitehat contacts you and lets you know of the problem, while the Blackhat doesn't?

Duh.

Re:And good riddance.

[HidingMyName]

How would you know it is really a white hat and NOT a blackhat? Umm, the Whitehat contacts you and lets you know of the problem, while the Blackhat doesn't?

Ah, but there's the rub. Often the so called white hat tells everyone, and even if they tell only you, your privacy and security have been compromised without your consent. If some guy tells your significant other about the color of their lingerie, and tells them that they were just testing their security, your going to be cool with that because they are a white hat, right?

Re:And good riddance.

[Planx_Constant]

Except that what Adrian Lamo does is find holes, leave some proof of their existence, and then notify the parties concerned.
Eric's case would be parallel if he ordered the food, and then walked into Res. Life with the food in his hand, before he got caught.

Re:And good riddance.

Often the so called white hat tells everyone ...usually because big companies don't FIX the F^%$ing problem- they'd rather sweep the whole thing under the rug.

So, by releasing the details, the whitehat FORCES the company to do their job and thereby actually HELPS those who would be affected by a security breach.

If some guy tells your significant other about the color of their lingerie, and tells them that they were just testing their security, your going to be cool with that because they are a white hat, right?

Peoiple like you just LOVE to use the 'break into someone's house' or similar analogy.

Hint: A PUBLICALLY ACCESSABLE web server is not the same as someone's house!!

Reading a file off a computer is not the same as pawing through someone's underwear drawer!

Get a better analogy and try again.

Re:And good riddance.

[frater_corvus]

I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are.

While I agree with the content of your post, I would wager that this would be treated like any other criminal charges. By reviewing his public track record at Security Focus most people investigating Mr. Lamo's public past would deduce that he probably wasn't doing anything vindictive or with ill intent. For example, as quoted from the previous link:

WorldCom is the latest target of a clean-cut 20-year-old hacker who's already drawn national attention discovering, exploiting, and then warning about serious security lapses at AOL, Excite@Home, Yahoo! and Microsoft. Like those other companies, security staff at the $20 billion communications giant might be surprised to learn they were compromised by a lone vagabond hacker who lives out of a weathered L.L. Bean backpack and does most of his work from Kinko's 'laptop stations,' using little more than a Web browser and his wits.

While it doesn't make his activities any less illegal, it lends evidence that he had no motive other than exposing a security flaw with the NYT. Provided that's what Mr. Lamo is actually being charged with.

Personally, I think people like Mr. Lamo make the world a better place. Sometimes, you don't know about an insecurity ( or don't care ) until someone actually does something to your information. Much like how I was raised to always lock doors and windows, but a lot of my friends don't seem to see the point. When their belongings go missing, I won't even bother saying, "I told you..."

Re:And good riddance.

[JeffTL]

Yep. They do as much damage, but noone tries to defend them.

Re:And good riddance.

"But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about?"

Neither. I'd kick myself in the pants and be utterly pissed at my ineptitude to control my own network. I'd be pissed someone owned my network, but ultimately, it's MY fault and I'm not going to pass the buck.

I'm sick of the "victim" society we have and the physical world analogies. A break in in computer terms is hardly like a break in in meatspace. If someone can reach into your network without violating the laws of trespass or entering in the physical world and law (iow, without physical access), I consider it the person running the network admin's fault.

Particularly if I was owned over a wireless network or through a phone line. That's my incompetence.

Anything else is just asking for trouble. Much like that stupid law restricting cell phone frequencies--now you have a bunch of dumb ass devices running around that are half-baked in operation, easily bypassed, and didn't solve the problem.

It's not an intrusion of the damn network is passively open. You can hammer the "illegal" and "the law is the law" like arguments all you want, but the reality is, the law sucks in this arena--it is inaccurate NOW, slow to adapt, and caters to economic, not practical and responsible sanity and interests.

And it's not about intentions per se as you put it, because if you have such a network for YOUR use, intentions mean squat if someone else can get to it in the first place. Baby. Bathwater. If NYT has a network that can be hacked remotely, that's NYT freakin fault, regardless of the intentions of the white or black hat hacker.

More accurately, the law puts the entire "problem" as the hacker's. That's not only wrong, that's a lie.

Re:And good riddance.

[HidingMyName]

Peoiple like you just LOVE to use the 'break into someone's house' or similar analogy.

Bzzt, Wrong Answer, Thanks for Playing!

People like me HATE situational ethics and presumptious fools telling us what we must like and dislike.

Hint: A PUBLICALLY ACCESSABLE web server is not the same as someone's house!! Reading a file off a computer is not the same as pawing through someone's underwear drawer!

Let me be real clear (but surely some a public disclosure is made that discloses a vulnerability of your banks web server, telling 3vil h4x0rz a cool 'sploit that they use to get your personal identification numbers which they release to some L33T DOODZ. If I tell people how to break into your house, you should be mad, even if I don't do it myself. Similarly, if I disclose how to break into your personal information, you should also be mad, because it is personal private and possibly even valuable like say the kind of stuff found in someones house. That aspect of the analogy is not flawed.

Re:And good riddance.

[madcow_ucsb]

More accurately, the law puts the entire "problem" as the hacker's. That's not only wrong, that's a lie.

Ok, the problem's a little bit of A, a little bit of B. Just because the system was insecure doesn't mean you should let just anybody waltz on in.

If I accidently left my keys in my car and someone took it for a joy ride, I'd be damn sure I called the cops.

I'm sick of people defending these guys. If you find an open system you shouldn't go poking around in it any more than you should take a nap in my car if the door's unlocked. Or if it just had poor security (all it takes is a slim-jim to get into a lot of cars...should it be legal to mess around with those?)

So yeah, the sysadmin needs to take some responsibility. But so does the hacker, he's far from being a victim for getting busted himself...

Great Excuse

[Pave+Low]

So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

Maybe I didn't install a deadbolt and an alarm system, but who made this guy the "helper" of my problems?

There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens.

Re:Great Excuse

[UWC]

An interesting point. I wonder how much trouble he would be in if he had asked the companies' permissions before plying his trade, and simply moved to others if refused. I dunno, though. Maybe there wouldn't have been many to acquiesce.

Re:Great Excuse

[hattig]

Agreed. If he wanted to perform white hat hacking, he should have approached the companies involved and asked for a job to test their security. Hell, he'd have earned money that way as well.

But he did commit a crime - he broke into and entered their systems without permission. Sure, he did it for a good reason in his own head, and wasn't going to be malicious ... but it isn't as if he was doing the internet equivalent of rescuing the baby in a house fire.

Re:Great Excuse

[themassiah]

And that, my friend, is *EXACTLY* what THE MAN wants you to believe. Unfortunately, the world really isn't so binary. There are more than two states of existance.

Re:Great Excuse

[LostCluster]

There's no question that he's broken a law or two in the process here, the question now is more of whether he'll be doing 100 hours of community service of 100 years to life in jail. This has the potential of turning into the Kevin Mitnick case all over again, where the government starts spewing false charges and forgets basic things like telling the accused what they're accused of.

Lamo did the electronic version of breaking and entering, he certainly should get less of a sentance than a bank robber, rapist or murder gets...

Re:Great Excuse

[Spicerun]

So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

You'll feel much worse if someone breaks into your house and steals everything, the POLICE tell you that you should have installed a deadbolt and an alarm system, and the neighbor (who probably asked you to get security advice) is mad at you because the keys to his house he let you borrowed are also gone.

But if that is the only way you'll bother to get advice that could help you.....

Re:Great Excuse

There are more than two states of existance.

Life and death are all I'm aware of; please tell me what the others are.

Re:Great Excuse

[nearlygod]

How different is this from the investigative reporters on your local news broadcast. In many cases a white hat my find that customer's CC numbers or SS numbers are accessable via an exploit or weak security. In a way, he/she would be helping the public by giving the company and opportunity to correct the situation or at least take it public. An investigating reporter may find that a company or governemnt office is throwing out sensitive info without shredding it or taking the proper preventative measures. If I am giving a company like Amazon my CC#, I want to oknow that they are going to protect that info. Who is going to watch/audit the company if they get lazy?

Re:Great Excuse

[AArmadillo]

It depends. Perhaps you left a door unlocked, and because he told you that it was unlocked you were able to fix it. Then when the real thieves came next week you would be protected against them.

The assertation that there are only criminals and law-abiding citizens is a horrible bifurcation. If you speed when you're taking a loved one to the hospital, are you a criminal? If you kill someone in self defense or in defense of another, are you a criminal? Maybe this guy's actions aren't as noble as these examples, but he did no harm and from the words of the system admins he did a lot of good.

Re:Great Excuse

[moonbender]

So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

That analogy doesn't have a lot of merit. You're a private person, he didn't break into private computers. If a bank has a door to their vault which they don't know of and which is never locked, then yeah, they should be grateful for being told about it. Obviously, there's no bank so stupid, but that just goes to show that banks have a lot more experience dealing with real-world break-ins - another reason why this guy should be acknowledged for his deeds, he's making people aware of problems which they are not experienced in dealing with.

Re:Great Excuse

[alienw]

I think that the reason he didn't ask for permission is because no company would have permitted hacking their systems, regardless of purpose. Yahoo does not need super-secure systems, so they have no need for a security consultant. In my opinion, the guy only wanted publicity.

It seems like people don't quite understand that hacking someone's system and then "helping" them fix the holes is not a positive thing. If you steal my car, return it a month later, and then "helpfully" point out that I should get a security system, you deserve to be in jail.

Re:Great Excuse

hey Neo..we don't need you to free us from the Matrix. Go back to Zion, and your Real World.

Re:Great Excuse

[qtp]

So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't realy apply.

OTOH, your mention of the deadbolt and alarm does apply, but only in the sense that if I did buy/install a deadbolt and alarm, I'd be royally pissed if they didn't work.

Re:Great Excuse

Yahoo doesn't need super secure servers? Well they at least need servers that he can't break into, or else someone else might break in and actually do bad things to them.

Re:Great Excuse

If you run over somebody with your car while on hurry, then yes, you are a criminal. Because you are in an emergent state that does not mean that your fellow citizens should be in danger because of you. If the ambulance has not been there, then you have to settle that with the state.

The thing with that guy is that he wants to be a helper without asking for a permission to be a helper. Actually, he excercised his helping on foreign property. I don't feel very comfy with people that self-authorize themselves of accessing my property. I for one, would like to see that guy locked away for a while till he fixes his attitude.

Re:Great Excuse

"broke into my house"

Enough of this physical-world comparison nonsense.

You are browsing Slashdot right now: are you going into "Slashdot's house" and "hangin' out" there? No, you are sitting on your fuckin' couch, eating your greasy Lays with crumbs all over your pot belly, and whining.

The digital world is NOT the same are the physical world. Deal with it.

What Lamo (bad choice of a name, no doubt) did was akin to using a telescope to peer into someone's house from a window where the curtains weren's drawn.

Morons like you should get a clue. Here's a nickel, kid: buy yourself one.

Re:Great Excuse

[maggard]

But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

But he didn't just "look in", he went and altered files. And the curtians were down, the door closed, he didn't just happen to glance in but broke in.

The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't realy apply.

Breaking & Entering doesn't mean anyone has to be home or their life directly threatened.

Re:Great Excuse

[Agent+Deepshit]

But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

No, that's why people are not getting busted for scanning ports.

If you crawled in through the doggy door and took a look at the porn collection in my bathroom I would be pissed.

Re:Great Excuse

[SSJVegeto2001]

I don't feel too much pity for the victim of a robbery if they left their door open. I don't see why this is too much different. I doubt he really had to do much "hacking" at all to do what he did. Is it breaking and entering if you just wander into a building with an open door? Of course, whether your door is locked or not, it's still illegal to steal. However, he didn't take anything. So if he didn't break into anything, and he didn't steal anything, trespassing is all that's left, and that would imply that where you are on the internet can be considered your real location as well as where you physically are. It seems as if these people are afraid of technology, and by extension, afraid of those who know how to use it to their advantage.

Re:Great Excuse

[dirk]

Except we was in the systems and could have done anything while in there. Maybe he is a true "white hat" and didn't do anything bad and told them everything. But it is just as likely that he left a trojan or backdoor in the system. They can't tell what he did or didn't do, so they now have to not only secure their systems against whatever hacks he used to get in, but they have to scour everything on the system to make sure he didn't change any data or leave anything behind (and there is no way to tell whether he copied anything from the system).

Re:Great Excuse

[Have+Blue]

But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

No, but if he calls me up and says "I was watching you through your bedroom window last night" I would.

Re:Great Excuse

[pantropik]

That's a really awful analogy.

If someone steals your car they are doing you a serious disservice and actively depriving you of something you cannot easily do without.

To use your analogy in a way that actually makes sense:

He isn't stealing your car. He is walking up and seeing if the door is unlocked and the keys are in the ignition. At the very MOST he is starting the car to prove he COULD steal it if he wanted to. But he never actually steals the car or harms you in any way (except maybe making you feel really stupid for having such an easily stolen car). He doesn't deprive you of it "for a month".

Basically he's checking to see if he COULD steal your car, NOT stealing it. Then he tells you what to do to keep others from stealing it.

Doesn't sound like evil incarnate to me. If I was being a total idiot as regards security I think I'd appreciate it if someone pointed that out to me before someone else came along and took advantage of it and ended up doing real harm.

The shame would be worth it in the end, I think. Unless you happen to be the NY Times, which is probably pretty sick of being shamed at this point.

Re:Great Excuse

[xenoandroid]

The difference is that he didn't hijack the servers and use them for his own deeds for a month and returned them. He got in, observed how severe the exploit was, got out, and told the admins that they need to fix it. If someone broke into my car without doing any damage to it and then left a note giving me suggestions I'd welcome it, it's not like they drove off with the car and they might have saved my car from future theft.

Re:Great Excuse

Breaking & Entering doesn't mean anyone has to be home or their life directly threatened.

BreakingM/b> and entering does mean physical damage.

Re:Great Excuse

[practicalista]

As I have pointed out elsewhere, the open door analogy is basically lame because the problem here is not the crime but, society's response to the crime. A trespasser remains a trespasser. In computer crime, a trespasser can suddenly become an armed robber if the person whose property was invaded has enough political muscle.

Also there is a third party issue here too. One of the files he gained access to contained personal information of another person. Where is the New York Times' legal responsibility to protect the information that it holds from others in this whole discussion?

Or, to extend you analogy, if you borrow you friends laptop and then leave it in an unlocked car, do you not share some responsibility?

Re:Great Excuse

[qtp]

altered files

Where'd you read that? Must've been a different article.

Breaking & Entering doesn't mean anyone has to be home or their life directly threatened.

Yeah, but using a remote to erase the programs on your neighbor's VCR does not = "Breaking and Entering" as long as you stay out of the house when you do it.

Re:Great Excuse

[frankjr]

I'd be a little disturbed if someone actively tried to find a spot where they can see into my bedroom and bathroom.

Re:Great Excuse

[moonbender]

Healthy, sick, somewhat healthy, happy, unhappy, everything between those extremes, nervous, imprisoned and so on ad infinitum. "State of existance" is not a very clearly defined term.

Re:Great Excuse

[qtp]

If you crawled in through the doggy door and took a look at the porn collection in my bathroom I would be pissed.

How bout if I just looked at your porn using that Windows fileshare you've got open to your cablemodem?

Was that "breaking and entering"

Re:Great Excuse

A) It's not a house

B) It's not secured by a deadbolt

C) If you insist on making analogies with the old world (I assume this is because you're either old or a conservative and unable to think about new things in new ways) a better analogy would be that there are all these organizations out there that have a teleport portal into the center of your living room and they are insecure. Lamo wanders into one of these organizations -- in an entirely different physical location from your house, however you've secured it -- wanders through the portal into your living room, disturbs nothing and leaves a note saying "XYZ company has a completely insecured portal into your living room, you might want to do something about it"

Still feel the same? (I mean, assuming your ossified brain was able to follow and understand the revised analogy)

In each and every of Lamo's intrusions he has demonstrated that the involved organization was being negligent in their securing of OTHER PEOPLE'S data.

Not that I would expect you or anyone who (un)thinks like you to have noticed that or to understand the ramifications.

And did you miss the other big headline this week, that ONE OUT OF EIGHT americans have been a victim of identity theft?

It's nice to make neat little absolute statements about issues, isn't it? feels so good and satisfying. Thinking is much harder. No one blames you too much for not bothering, don't worry. It's standard procedure.

Re:Great Excuse

[lactose99]

So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

Maybe I didn't install a deadbolt and an alarm system, but who made this guy the "helper" of my problems?

I'm sure you'd be singing a very different tune if you were alerted to this before some crazed psychopath used the same method to break into your house and murder your family. There is a great deal of difference in education versus exploit, and paranoid types who don't know the difference only serve to make the matters worse.

There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens.

That's the biggest sham I've ever heard. Do you believe every picture government prosecutors paint for you? mindless sheep

Re:Great Excuse

[mod_parent_down]

Yeah, but if someone broke into your house, they'd have to go to JAIL.

This guy turns himself in, it's what?- 30 floggings with a wet noodle, a dog-and-pony trial with a suspended sentence?

Seriously, what's the going rate for a hack? (It's not like he went Mitnick on that ass.)

Re:Great Excuse

Ok so the person breaks into my car, proves he could steal it, and tells me how to keep others from breaking in.

In the meantime he has taken my credit card number off an old bill I have in the glove compartment, gotten my mother's maiden name from a birthday card I sent to me by my grandmother that's stuck in the visor, and taken my SSN# off a job application I had sitting in the passenger seat. Somehow magially 3 months later my CC is maxed out with charges I never made.

Ok so we let Adrian off. Can you promise all those people on the NYT list that he didn't do anything with the information he had access to?

Re:Great Excuse

[sms]

This was modded "Insightful"??

Okay, you're right that he probably wanted publicity. Hey, he may even have wanted said publicity to lead him to a paycheck...or a stream of paychecks. It's not unheard of and hardly insightful.

There are a lot of companies that hire white-hat hackers to hack their systems and point out security flaws. My company is doing exactly that right now. So "no company would have permitted," etc., is wrong.

As far as "without permission," you say it's a bad thing and then give Today's Worst Analogy on Slashdot (tm). You have a promising career as a trial lawyer.

Re:Great Excuse

[laing]

"Yahoo does not need super-secure systems, so they have no need for a security consultant. In my opinion, the guy only wanted publicity."

Yahoo *DOES* need super secure systems. They are running many different kinds of commerce and all depend upon good security. Some examples; Auctions, Retail Partners, Personal Finance (e.g. Money Manager). These all need the highest levels of computer security.

Re:Great Excuse

[rblancarte]

Bogus argument. Fact is breaking into my car is ILLEGAL. If I walked up and he was breaking into my car, do you think I would care or not if he said he was doing it to show the problems with my car? No, I would bust his skull open with my tire iron, then call the cops.

I have said it before (and others have too) - YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!

Re:Great Excuse

[MrHanky]

An interesting analogy.

After drinking heavily in a bar, a friend of mine and I bought some slices of pizza at a shop, and went outside to eat. Since we were too drunk to stand up, we sat down on the steps outside another shop, which was closed for the night. That is, it should have been. My friend was leaning his back on the door, which was open. He fell right in.

Now, the right thing to do, according to you, would be to go away, minding his own business. And what the hell was he doing, trespassing on the steps outside the shop and all. If this was in Texas, he would be rightfully shot. However, my friend, being both an imbecile and a crook with neither morals, nor respect for private property, went inside to look for a telephone and hopefully the phone number to the owner (we were both too tired to do any serious looting). And so the owner was noticed and the door was closed, and my friend got a serious hangover.

The moral of this story is: if you drink, you get a hangover, so alchohol is bad, 'mkay?

Re:Great Excuse

I'm sure you'd be singing a very different tune if you were alerted to this before some crazed psychopath used the same method to break into your house and murder your family.

Somehow, I doubt any judge or jury would buy that reasoning and you certainly would not get a break for "educating" a victim.

Re:Great Excuse

Yahoo does not need super-secure systems

Yes they do. They offer more then web pages and a search engine. They also offer online bill payment and money transfer options. There is enough information stored on there servers to warrent a full time securtiy staff.

Re:Great Excuse

[Sycraft-fu]

Well it would depend on how that door was found. Now if you are walking out on the street and notice the door to the vault swinging open, and go in and tell them, you've done nothing wrong. However, if this door is in an underground tunnel system that requires you to break in to a neighbouring building, crawl under ground, bypass some security, pick a lock, THEN get in, yes, they'd have good reason to have you arrested.

For that matter, most people aren't very experience in physical security. I'd bet that you and just about every other /. user protects their house with normal pin-tumbler locks. Great, except these have a known weakness: You can pick them. A practised locksmith can actually do it pretty quick. Even if you have a good one, designed to be pick resistant (like a Medeco, which is expensive incedentally) it can still be picked, it is just harder. Well this does NOT give people license to pick your lock to show you that it can be done and that you are insecure.

The same is true of computer security. Just because someone has weak security does not give you leave to break in just to show it is weak.

Re:Great Excuse

[Angram]

The door isn't open, the keys aren't in the ignition - he's picking locks and hotwiring. This sort of 'hacking' isn't about going through the front door - there's no link on their webpage to get you in - it's about finding unguarded entry points, etc.

If someone left a note in my car saying that they could have stolen it, I wouldn't be pleased (to say the least). It's my job to ensure the security of my car, not his. If a company wants better security, they can put out a call for white hats - it's their decision to make. You can't just break laws because you want to, and it doesn't matter whether the victim suffers a physical loss or not (though it's quite possible some security personnel could lose jobs for leaving holes open).

Vigilante justice isn't justice at all - leave policing to the police, and security to the owner. No matter your intentions or potential benefits of your actions, you have no right to violate others. If someone pre-emptively murdered Hitler because they saw his terrible potential, they would still be a murderer and criminal - that's the way the legal system works.

Re:Great Excuse

[Agent+Deepshit]

As long as you don't change the file permissions we'll be good.

take a look at yr_mom.jpg in the \sheman folder.

Re:Great Excuse

[Shanep]

YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!

I would bust his skull open with my tire iron, then call the cops.

Okay, so busting this guys skull open is breaking the law for:

a) A good reason.
b) A bad reason.
c) No reason at all.
d) None of the above.

BTW, the thief will sue you from here to eternity. Maybe if you make it out of jail alive some day, you might be able to find a job to pay off that lifetime of debt to him.

; )

You can't just go around breaking open skulls because someone pisses you off. YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!

Re:Great Excuse

[jeffasselin]

There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens.

Yes, of course, we all know the world is black or white, that there are no grey areas.

And you probably believe anyone who's against Bush or the war in Iraq is a traitor to his nation and should be killed too?

Or that reading certain books automatically makes you an anarchist/communist/whatever?

No. Everything is grey, black and white are just illusions that happen when we can't see well enough to realize it's really grey... When we don't know or understand all the issues, we categorize events in the way you do, or we make flawed analogies and believe that all the characteristics of the analogy apply to the case.

Re:Great Excuse

[moonbender]

The average Slashdotter probably has those locks, the average bank certainly doesn't.

I could start arguing now whether what this "white-hat" did was analogue to what you describe in "hidden bank door" terms or if maybe the neighbouring building didn't need to be broken in but was a public toilet or something - but I won't. Maybe it's not a very good analogy - I wouldn't have brought it up if it wasn't in response to the original poster's even worse one.

Re:Great Excuse

We all know how a bank treats security break-ins. Like when a certain bank had their bankcard system cracked? Somewhere in France I believe.

Re:Great Excuse

[lactose99]

Agreed. My main point (which after looking over my original post is rather hidden) is that intent should have a much greater weight on these sorts of activities. Some prosecutor is going to try and make an example out of Lamo and get him 20 years, all for trying to educate people for their lack of security.

I honestly don't agree with his methods of education, but I think his intent will go largely unnoticed if he gets caught.

Re:Great Excuse

[Shanep]

I don't feel too much pity for the victim of a robbery if they left their door open. I don't see why this is too much different. I doubt he really had to do much "hacking" at all to do what he did. Is it breaking and entering if you just wander into a building with an open door?

If he had to do any hacking, then the door was not left open. It's more like he picked the lock (perhaps an easy lock to pick) of a closed door. If that is the case, he's circumventing a protection device. This could get really ugly for him.

Re:Great Excuse

Ok so the person breaks into my car, proves he could steal it, and tells me how to keep others from breaking in.

In the meantime he has taken my credit card number off an old bill I have in the glove compartment, gotten my mother's maiden name from a birthday card I sent to me by my grandmother that's stuck in the visor, and taken my SSN# off a job application I had sitting in the passenger seat.

If he was doing all this, why the fuck would he come to you and tell you he broke in???

Re:Great Excuse

[Asmodean]

That analogy doesn't have a lot of merit. You're a private person, he didn't break into private computers. If a bank has a door to their vault which they don't know of and which is never locked, then yeah, they should be grateful for being told about it.

Who cares what the corporation that owns the unsecure servers feels? He is not doing this for the benefit of the corporation, he is doing it for the benefit of the people that have information contained on those servers.

Your bank, wal-mart, radio shack, and damn near every other company in the world collects information about you wether you like it or not. The least they can do is secure that information. Not leave it on a public network with the door wide open.

Re:Great Excuse

[shepd]

Okay, so if I leave my house unlocked, and you just walk in, sit on the sofa, and wait for me to arrive, that's ok too, right?

Wrong. In some parts of the US that could even get you shot to death, legally too.

Re:Great Excuse

[ScooterBill]

A smart person will discern the difference between a malicious hacker and a whistle blower.

Who is served by putting this guy in jail? Does this mean the next MS security loophole will be found by someone with less than honorable intentions? There is a reality to situations like this and yes, sometimes a literal infringement of the law is a good thing.

M

Re:Great Excuse

The thing with that guy is that he wants to be a helper without asking for a permission to be a helper.

Don't worry- the next time I see you lying unconscious, bleeding to death, I won't bother to help you. After all, I don't have your permission....

Re:Great Excuse

[morissm]

The home invasion analogy is a very bad one. A home is by its very nature badly protected (you don't spend millions securing it, do you?) but it is also a sanctuary, a place where a break-in results in a certain emotional stigma.

A better analogy would be this one: Suppose that somebody is waiting in an airport's lobby. He has not gone through the security checks yet. While waiting, he notices airport personnel going through what seems to be an unlocked employee-only door. A thought flashes in his mind: "This doesn't seem very secure. I thought airports were supposed to be secure." So he goes to the door and lo and behold, it is unlocked! He goes through it and find a bunch or corridors and doors.

Naturally curious and a little adventurous, our guy wonders how far he can go. He goes forward and manages to get to the departure area WITHOUT going through security. He feels a little proud of having easily broken a system on which governements and airlines has spent millions.

Being a good citizen, our guy then goes to the security counter and shows his finding to the cop. But suddenly, the cop puts cuffs on him and charges him with trespassing and attempting to bypass security in an airport. Of course, the proper action would have been for the guy to go to security as soon as the unlocked door was found. Adrian Lamo should have stopped his investigation at the misconfigured proxy.

However, is it reasonable to charge somebody with a federal crime for having gone a little further in testing the security of a system? Whether is was an airport or NYT's intranet.

I don't think so. The FBI can claim that they don't know whether the guy smuggled dope during his attempt and the NYT can claim that they'll have to check every system for backdoors but I believe it's mostly bad faith from people lashing out because they felt humiliated. Get a grip... fix your stuff and move on. Destroying the life of somebody who tried to help you is just stupid and cruel.

Re:Great Excuse

[Shanep]

using a remote to erase the programs on your neighbor's VCR does not = "Breaking and Entering"

Unfortunately, these sorts of analogies will be used in the court room in an attempt to provide jurors with some scenario that's meaningful to them.

How stupid or ignorant they and the judge are, versus the effectiveness of each legal council will be what matters ultimately. Worse still, it could set a terrible precedent.

Bad analogies will be used, jurors and judges will eat them up then they won't know of their complete stupidity until after the trial, when they may again peruse the mass media (and read about what a bunch of tools they were to believe the lawyer hype).

Re:Great Excuse

So that if he does get caught he can proclaim himself a "whitehat" lockpicker.

Re:Great Excuse

If you crawled in through the doggy door

Was that "breaking and entering"

How about if I crawl up your back door (doggy style) and bring my camera along to make some porn to upload through your cable modem?

Would that be breaking and entering? Probably not with your loose ass.

Re:Great Excuse

[ionpro]

...Was that "breaking and entering"

Depends on the type of pr0n, I guess...

Re:Great Excuse

My friend was leaning his back on the door, which was open. He fell right in.

The analogy breaks right there. Your friend didn't go around trying lots of doors to see which ones were open. Your friend, upon finding one that was open, didn't go in and wander around.

Sure, if you accidentally find a security hole, notify the people responsible, but if you deliberately break in and then ask them to pay you to help them fix it, then that's nothing short of extortion. How do they know that he didn't leave backdoors? They need to do a complete audit of the systems he gained access to.

Re:Great Excuse

[arth1]

What companies do about those who warn them is what irks me. Not only do they press charges as if they had been maliciously broken into, but they tend to want to bill the white hat hacker for EVERYTHING related to the incident, including but not limited to ignorant PHBs spending months in meetings about it, as well as the price for fixing the mess.

It's like you getting to work one day and finding a note stating "the bathroom window opens from the outside, and the spare key for the filing cabinet where you keep customer data shouldn't be taped to the bottom of the counter." Then what do you do? Call in all the staff, and close up the store for a week while you hold meetings, followed by changing all the locks and buying a gun, and finally suing the person who left the note, charging him with the total costs of what you did?

Or you tell a farmer that you were hiking in his woods when you discovered that his game warden was poaching. The farmer's reaction is charging you with trespassing. While he may have a legal right to do so, he'd be a real jerk AND idiot to do so.

The above is, unforunately, the analog to what's happening in the electronic world.

I'm not saying that Lamos and other self-appointed white hat hackers are RIGHT in what they do (I believe they aren't), but even if the messenger isn't welcome, you don't shoot him or blame hime for all the problems he reports.
The main reason why you shouldn't do that isn't just because it's a petty thing to do, but because you HURT yourself and others in the long run.

See, if I were a hacker operating like Lamos, and saw companies doing that, instead of alerting the companies and risking facing their and the paranoid law makers full wrath, I would stop alerting the companies about their flaws -- instead, I would anonymously alert the PUBLIC.

Seen from the viewpoint of a company, what's better about that? Yet, that's what they're pushing hackers into.
The companies might argue that they would want people to stop rattling doors in the first place, and that's a valid argument. However, it's not going to happen until you have exterminated every potential criminal and curious kid on the planet.
In a Utopia, you don't even need a door lock, because no-one would ever walk through the door without a right to do so. However, companies can't argue that as a defense -- not installing a lock would be seen as gross negligence, because it's expected that criminals and curious people will trespass unless minimal safety measures are taken. That's how our society is.

Charging Lamos is a signal, all right. Unfortunately the signal isn't "don't test our security uninvited", but "once you've tested our security uninvited, don't tell us -- stay anonymous and tell it to everyone else".

Regards,
--
*Art

Re:Great Excuse

[iserlohn]

I think a better analogy is the bank analogy. Suppose there is a big bank with layers of thick walls around it built by qualified technicians (the geeks). These walls are special, there may be cracks within the walls, and these cracks may be big, but they can only be seen by the qualified people (like the technicians, but some qualified customers can see them too).

Now suppose that in some obsure corner of the bank, the walls have a small crack in it not noticed by any of the technicians (or worse, noticed but not fixed), employees or customers. The crack can fit someone in easily, but it is not obvious to laymen that it can.

Now supposed someone is actively looking for these cracks in the bank walls and finds them, slips in and does something to prove that it is possible to go in. He slips out of the bank and tells bank management that there is a hole in the wall.

Management denies there is anything wrong with the walls (but they aren't even qualified to inspect it), so the guy shows him proof that he was in the bank and left a few marks. The bank arrests them for tresspassing.

I guess they have the legal leg to stand on since it is unauthorized access, but it is certainly not breaking and entering; he's not even testing to see if the door is locked. He just slipped in a crack in the wall.

Don't make an example of this guy. Give him a slap on the wrist and let him go. There are worst offenders out there.

Re:Great Excuse

[rikkards]

actually there are companies whose sole income is breaking into networks to ensure they are at a certain level of security. This includes hacking (cracking, whatever) as well as social engineering.

Re:Great Excuse

That would depend if they were male or female. :p

Re:Great Excuse

[MrHanky]

The analogy breaks right there. Your friend didn't go around trying lots of doors to see which ones were open. Your friend, upon finding one that was open, didn't go in and wander around.

Exactly (although he did go in and wander a bit). My point being, there are certain grey areas, but most people will agree where the lines between grey and black are. He was definately trespassing, but that was the best way to find a phone (and phone number). And he found the door open purely by accident - he most certainly didn't break in. Using nmap on a large netblock is hardly an accident, neither is willfully sending GET /default.ida?NNNNNNNNNNN[...] requests to an unpatched IIS (no that's probably not what Lamo did, but it's one of the few exploits I know).

Re:Great Excuse

[Qrlx]

There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens.

You have got to be kidding me. You never jaywalk, speed, or roll through a stop sign? Please.

You sound about as erudite that guy who said "You're either with us, or you're with the terrorists."

Re:Great Excuse

All those "stealing my car" and "breaking into my house" analogies are completely false, and do not apply. You do not actually "break into" a computer network when you hack, despite the wording: you establish a channel of communication with a computer that sends you back data. So the proper analogy would be that you get to talk to someone on the phone you shouldn't be talking to, and they say things they shouldn't be saying to you. Now, it's clearly their responsibility to determine whether or not they should tell you these things - if they do and you're not supposed to, then you have defective security. If, instead of taking advantage of this, you explain to them how to tighten that security (and free of charge, at that), then you're really doing them a service.

I look at it this way: if Lamo was to crack my own network and then explained to me how to fix it for free, I'd be extremely grateful (and I'd probably give him some money anyway). In fact, I wouldn't be surprised if, should he be arrested and tried, all the corporations he helped over the years helped pay for his defense and testified in his favor.

One thing's for certain, though: please stop with the misleading analogies. They completely miss the point.

Re:Great Excuse

he should have approached the companies involved and asked for a job to test their security. Hell, he'd have earned money that way as well.

No, it's complete fallacy to believe that. I absolutely guarantee you that they'd just have shooed him away, and possibly threatened him legally for bringing it up.

Companies do not even regard security consultants that come to them unless they're a member of a well-known security organization (wether or not they're actually skilled does not matter. Only mindshare amongst decision-making peers does), and even then they'd likely tell them to take a hike. If they want a security audit, they'll ask for one. Their systems are perfectly fine after all... so why hire an expensive consultant?

But he did commit a crime - he broke into and entered their systems without permission.

That he did, and he even realizes this & the possible consequences. It's a shame someone so helpful is suffering those consequences now, but the law is the law.

Re:Great Excuse

[CaptainTux]

One of the things I think people need to understand is that just because something is illegal doesn't always mean it's wrong. Less than 75 years ago a racially mixed marriage was illegal in many parts of the United States but that didn't make it wrong. The "law abiding citizens" said that doing such a thing was "morally reprehensible" and that people who mixed races should be sternely punished for the "preservation of the race". Fast forward 75 years and place the word "network" in place of race and you basically have the same thing.

Don't get me wrong, I think there are many many legal questions associated with the blind security auditing of a company without their permission. But I think Mr. Lamo has proven by his prior actions what his intentions in this instance were. For the federal government to criminalize his actions is simply wrong. Obviously, the NYT had some security holes. And while we don't know how long the holes had been there we can probably safely assume that they weren't on the crux of hiring an independent auditing firm to come in and audit their systems. So the NYT was endangering their "super duper top secret" information already. Mr. Lamo actually HELPED them in protecting that information. I guess I fail to see why that is prosecutable. I'd like to think any right thinking judge would feel the same way.

Tux

Re:Great Excuse

[Snowspinner]

The difference, to me, is the difference between calling and saying "I was watching you through your bedroom window" and saying "I can see through your bedroom window". In the former, they admit that they were a peeping tom. In the latter, they just give me a heads up that they noticed as they were walking by.

Re:Great Excuse

[linkjunkie]

Yikes,

I drove 4 miles over the speed limit yesterday, should I go on the lam??


Back in high school, a friend gave me a copy of a Violent Femmes tape, is the statute of limitations up yet??


I play dvd's on my Linux laptop, should I turn myself over to the authorities immediately??


Black and white is for those with visual defects that leave them incapable of seeing in color.

Re:Great Excuse

[Just+Some+Guy]

Of course, he didn't realize that my driver's side window motor was about to wear out, and that when he was pushing on the window to reach his arm in, he shorted the little motor, put a load on my battery, and melted part of my wiring harness.

Thanks, buddy. Your note cost me about $800 in parts and labor. Of course, since you did it out of kindness, you shouldn't have any legal liability for your actions, even though they cost me a bundle.

Re:Great Excuse

[WhaDaYaKnow]

That's a really awful analogy. ...
He isn't stealing your car. He is walking up and seeing if the door is unlocked and the keys are in the ignition.

Wow, now _that_'s a really awful analogy. To back-'analogize' that one: are you implying that all that the white-hat hackers do is a telnet to a box, with user name 'root' and a blank password? I don't think so. So now we get into the 'how open is the box really' argument.

There is however no need for that argument. My car is MY PROPERTY. That means that YOU LEAVE IT ALONE. As I said before in another post, what if I walked out of the home with a shotgun and saw you in my car. Would it be OK to shoot you in the knee-cap?

Just because a box is on the internet does not mean it's public property.

If you want to do analogies on this, compare it to something like a store or something. A place where you are invited to come and look around. Hell you even get to bring stuff home if you come to an agreement with the store owner. But it's not acceptable to see if you can open the cash register. Or pick the lock to the office.

So go ahead, I'd like to see analogies on that one. Is it OK to open a door in a store that's not marked 'private' or 'employees only'? Would it be OK to pick the lock on that door? What if you are lucky and get the door to open, to find the store owner poking a minor? What if it wasn't a minor after all?

What if there's no employee in sight and the register is wide-open. Should I put a note in the drawer saying 'I could have taken your cash'? What if it is closed but it only takes one button to hit, to open?

Re:Great Excuse

That's like having a set of faulty stairs in your home. You know that the 4th step is the one to step over, but then one day someone steps on it and you try to blame them and make them pay for fixing the stairs. And the leaky roof.

You are the one who was to cheap to fix your problems before. The same can be said fot computer security. If you're too cheap to do it right the first time you should have to pay to fix it. Not force the one guy who tells you what's wtong to fix it.

Re:Great Excuse

[jjhlk]

If they really get lazy enough, something bad will happen! Tough. But they'll learn from that mistake and others will take notice. Especially if the mistake costs them their billion dollar company (unlikely though if they make billions!). Nobody should be excused from breaking the law like this just because they were helpful about it. As someone mentioned earlier, who knows what his intentions really are? And what if other people use a good-intentions excuse if they're caught in the process?

I think I'd opt for security darwinism.

Re:Great Excuse

[mindstrm]

and if the hacker looked at the garbage outside the building, that's debatable....

but the investigative reporter didn't find an unlocked door and walk into the building into an area where he knew he was not allowed to be, and then go tell people how easy it was to get in. He would end up charged with trespassing, and unlawful entry, or whatever.

You don't get to disobey the law just so you can prove a point.

Re:Great Excuse

[jjhlk]

For analogys, I see this more of as: he breaks into your bank at night. Rifles through cabinets and drawers, and tells you you left some keys to the security gun cabinet. Who knows what else he did though? And he did break into your bank. And what if you catch the next person in your bank and they tell you they were trying to help you out.

Re:Great Excuse

[mindstrm]

Oh yeah. It's not your CC#, it's the credit card issuer's, and they are responsible for it's misuse, not you. Look at the card, it will say so plainly on the back.

Any transaction that cannot be PROVEN to be authorized by you, you don't have to pay for. If your credit card company has a problem with this, find another one.

The issuer will respond with sanctions against amazon if they leak too many numbers, higher fees, etc, or perhaps having their merchant license revoked.

That's WHY you use a credit card.. because you get protection.

Re:Great Excuse

[jjhlk]

Just because it's such a fuzzy issue for some, but there are obvious downsides to allowing this sort of behaviour, he should be told to stop by the FBI or be prosecuted next time (or this time).

Maybe Amazon will take notice when EBay's hacked and hire some consultants.

Re:Great Excuse

Except hacking isn't as straight-forward as car theft...you see your car is there and you know it's not stolen, but you can't tell what's going on in your network nearly as easily. And to stick with this analogy, just because you see no apparent damage to your car doesn't mean they didn't stick a tracking device (or something, you get the idea) inside which they neglected to mention in their helpful note...I think that's really what people are worried about, and why they would take legal action against a hacking cowboy like Lamo. Though he does appear to be helping, he could just as easily be serving his own purposes in the process since there's no regulation of this process of him breaking in and then telling people about it later.

This needs to be done legally, as in with contracts drawn up ahead of time, or not at all. Especially since confidential information IS confidential, whether it's well-hidden or not...it's not okay to go see if you can sneak a peak.

Re:Great Excuse

[Just+Some+Guy]

No, it's not. A set of faulty stairs would be dangerous. A semi-broken car accessory isn't necessarily dangerous, and neither is a webserver that doesn't support a life-support system.

I will fix any problems in my system on my schedule. Someone's discovery of a hole in my system before I've had a chance to fix it (maybe I was out of town? Hospitalized? With a sick friend? Eating supper?) does not remove any responsibility from the attacker in any way.

Re:Great Excuse

[bitflip]

How different is this from the investigative reporters on your local news broadcast

It's not different at all.

If an investigative reporter breaks a law doing it, they can still go to jail. Remember those reporters who tried to sneak weapons past airport security as part of a story?

Re:Great Excuse

[QLNESS]

There is one lawful way of white hat hacking, it means hacking your machine to make sure its secure. If it were not possible to do this, security might be worse than we think. I am a white hat hacker, so are many sys and net admins.

Re:Great Excuse

Except that Mitnick was desperately trying not to go back to jail and Adrian has been actively seeking to become a hacker martyr for years! Hell, just look at the registration date on freeadrian.com (which he registered himself). He could have easily gotten away with everything he's done, instead he set himself up as a target intentionally.

Re:Great Excuse

[alienw]

They are running many different kinds of commerce and all depend upon good security.

In that case, give me one reason they should NOT sue the hacker guy? After all, he did break in to those systems. Yes, he was nice enough to notify them. But how do they know that he didn't steal a bunch of customer information and other critical data?

Re:Great Excuse

[arose]

A set of faulty stairs would be dangerous.

And a set of unpatched servers with customer data on them wouldn't?

Re:Great Excuse

2nd amendment backed up by a Ruger 44.

Re:Great Excuse

[Just+Some+Guy]

My personal servers don't have anything noteworthy on them, but I've spent a lot of time on their contents. If some twit were able to break in, they'd get nothing of monetary value or anything that could be used to make my life miserable. They could, however, cause me to lose a lot of personal effort.

I might note that similar arguments ("she was asking for it!") don't go very far in the defense of other criminal cases.

Honestly, you people are grasping at straws. He broke the law and got caught. I just can't find sympathy for his having to deal with the consequences of his illegal acts.

Re:Great Excuse

[arose]

If legality and illegality is the only way you look at what people do...

Re:Great Excuse

[Just+Some+Guy]

When it comes to "breaking and entering", a very, very tiny portion of the population would see it otherwise. Apparently all of them are here, on Slashdot, today.

It may be surprising to some, but the vast majority of people aren't happy with the idea of people playing with their stuff without authorization. Most of us learned that in kindergarten, but some didn't, and at least one of that group is now probably headed to jail.

Re:Great Excuse

[arose]

You would so be at home 1984.

Re:Great Excuse

[mariox19]

Our local news copied the VIN off of police cars; went to the appropriate dealership claiming to have lost their keys; had the dealer happily make them new ones with no questions other than "Is there anything else we can do for you today?"; and then opened up the trunks of the police car, to expose shotguns, and so forth.

This is investigative reporting, and the police thanked them for it. They didn't throw the reporter in jail.

I do wonder, however, whether journalists get away with this because they work for an established organization. (In other words, don't try this under the auspices of your college newspaper!)

If that's the case, our hero gets no respect because he more or less acts alone. I think that's a shame though, because he has clearly shown a history of good intentions and helpfulness to the affected parties.

Re:Great Excuse

[Nept]

That analogy doesn't have a lot of merit. You're a private person, he didn't break into private computers

So if someone had broken into my company without permission and leafed through a book with some employee/contact social security numbers, I'm supposed to feel better about it?

Actually, I would, but I think what he failed to realize is that culture of the NY Times is much different than the other companies (Yahoo, WorldCom) that he had hit before, which were essentially tech companies and would perhaps tend to look at that differently. But NY Times is old school, been around for what, over 150 years? They'd tend to be a lot more conservative and uptight about this sort of thing.

Re:Great Excuse

[Penguin's+Advocate]

Don't alert the public! You'll get sued for defamation or slander or something. You get in trouble either way.

Anyway, since he already did... The customers (or employees) of NYT should sue the NYT for their lax security which puts their personal information at risk.

The problem with this whole thing is that the "right" thing to do is not the same as the "legal" thing to do. It is right to help people. Whether it's helping my car not get stolen or helping me not get sued by all my customers when their info is used for shady purposes. The world is so F'd up and people are so F'd up and nobody trusts anybody and they really have no reason to and It's F'ing pissing me off and I can't thing of anything to do about it. The world is FUBAR and it's everyone's fault and nobody wants to F'ing admit it and so everyone's just sitting there afraid to do anything (and they have every F'ing reason to be afraid) and there's a few powerful people out there who aren't afraid to do anything, in fact they've got some set of F'ing balls. And the number of those people who are evil is exponentially greater than the number of those who are good. It's all just so F'd up. You can't do a damned thing for anyone anymore without having to worry about getting sued. You try to do something nice for someone, something goes wrong and now your up shit's creek without a F'ing paddle. The only good people out there are the people who don't sue people, and they're all F'd because they're all gonna get F'ing sued by some worthless punk who's pretending to be hurt so he doesn't have to work for the rest of his life and who doesn't give a flying F about you or any of your problems and is only thinking about himself. The whole F'ing world seems like it's the same way, "One-Way". ME ME ME I I I and F everybody else and the horse the F'ing rode in on. Nobody accepts a F'ing apology, everyone's out for a quick $ and nobody gives a shit about anyone else. I care about people, I'm nice to people, I help people, and one of these day's I'm gonna get F'ing sued for it or arrested for it, and you know what, I don't give a shit, I'm not going to stop being human because a bunch of greedy F's don't give a F about me or my family, F them, and F anyone who agrees with them.

Re:Great Excuse

I did break in but your wife jumped me and I felt kind of bad telling you about it.

Re:Great Excuse

[Piquan]

But it is just as likely that he left a trojan or backdoor in the system.

You imply that just because he had the means to do so, it is just as likely that he did so.

But I have the means to do this. So do you. So does anybody else. Does that mean that we should be accused of altering files?

Re:Great Excuse

Hello RIAA spokesman, nothing is ever that black and white. I break the speed limits, are you telling me i'm as bad as a murderer?

Re:Great Excuse

[Planx_Constant]

YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!
Rosa Parks broke the law. Gandhi broke the law. Our founding fathers broke the law. They all seem like pretty good reasons to me.
Adrian Lamo does expect to go to jail. He is willing to turn himself in, once he knows what the charges are.

Re:Great Excuse

Is it OK to open a door in a store that's not marked 'private' or 'employees only'?

Yes.

I mean, how can I enter the store without opening it's door? How can I exit?

Re:Great Excuse

Yes, he was nice enough to notify them. But how do they know that he didn't steal a bunch of customer information and other critical data?

Umm, wouldn't it be monumentally stupid for him to COPY (not "steal"!) data, and then identify himself to them??? I mean, by telling them, you automatically bring suspicion upon yourself. Guilty people don't do that.

Re:Great Excuse

[dirk]

But it is just as likely that he left a trojan or backdoor in the system.

You imply that just because he had the means to do so, it is just as likely that he did so.

But I have the means to do this. So do you. So does anybody else. Does that mean that we should be accused of altering files?

No, we have the means to potentially do it. I have never been into whatever system is pressing these charges (supposedly the NYT, but that is speculation). I could potentially change files, but first I would have to hack into their systems, which I haven't done. Lamo not only has the means to potentially do it, he has hacked into their systems, which means he could have done it.

Re:Great Excuse

So, if the law said if nothing was broken into when entering a home, then the entering was legal, would you still agree?

The criminals and law-abiding citizens statement is for the stupid and lame. It's a strawman argument, similar to "high speed chase" arguments for some guy that went through a stop sign by accident and then panic'd. Next, we have 90 mph chases through residential neighborhoods, when the freakin cop should just back off, let the guy go, and then track him down through other, safer means more correlated with the nature of the offense.

Laws are supposed to SOLVE problems, not create them. If a network is easily broken into, I look at the person running a network as the problem, not the solution.

And to correlate this with physical trespass, grow up. Expand your mind a little. Until you get your house trashed and robbed blind, getting your computer remotely trashed is NOTHING. Data and physical violation are TWO totally different things, and if you can't see that, you're a lost cause.

Re:Great Excuse

Hogwash! Don't you have a fusebox?

Re:Great Excuse

Was that "breaking and entering"

No, it was the lesser crime of "sweating and grunting"

Re:Great Excuse

[Shdwdrgn]

I'm seeing all these people note what a bad analogy the open car is, however insurance companies have already covered all of this. If your car is broken in to, the insurance company will pay for the damages, because you yourself did nothing wrong.

HOWEVER -- If you leave your car unlocked and the keys laying in the front seat, the insurance company will laugh at you for your own stupidity, and will gladly deny your claim to damages. Sure if they catch the thief, s/he will be charged for auto theft, but the owner is still SOL for damages.

The same should be true in the computer world... If you leave your computer vulnerable to a well-known exploit, a hacker should be responsible for any data that was stolen or damaged. If they deface your website or steal credit card information, they should be held responsible for the time required to rebuild that information. But if someone simply walks into your system, leaves a note that you have a problem, and then leaves again, that person should not be held responsible for clean-up costs.

Another way of putting this... Someone walks into your unlocked house, takes your stereo, and walks out again. When they get caught, do you sue that person for the cost of replacing your stereo, or do you sue them for the stereo, a new deadbolt, bars on your windows, and an alarm system?

Or for a more graphic analogy, say someone is murdered in your house. Who pays for the cost of cleaning up the blood - the homeowner or the murderer?

Re:Great Excuse

[alienw]

Umm, wouldn't it be monumentally stupid for him to COPY (not "steal"!) data, and then identify himself to them???

First, the guy isn't exactly the sharpest knife in the drawer. Smart people don't do shit like this. Second, copying secret data from somebody else's computers is theft -- theft of trade secrets, theft of service, et cetera.

Finally, don't you think your logic works in reverse? If he was guilty, he normally wouldn't reveal himself. However, since he would have been caught anyway, he could have decided to reveal himself and try to pose as a good guy.

Re:Great Excuse

[size1one]

he should have approached the companies involved and asked for a job to test their security. Hell, he'd have earned money that way as well.

You're assuming the company would automatically hire him. Many companies don't even keep their computers patched why would they hire a security consultant?

Now as for lamo being a white-hat that is not true as he admitted to changing a story on yahoo. Good can come from white-hats but would you let a known car-thief try to break into your car? When the line between white and black is so easy to cross you can't take risks with someone who has a record for crossing that line.

stupid lame 'grey hats'

[xtturbo]

He could atleast have the decency to knock. pity for him, i have not little wanker.

Re:stupid lame 'grey hats'

[krumms]

i have not little wanker

me either, but I don't go around bragging about it.

Damn straight he should be arrested

[Servo]

He was violating the law. He did not have prior authorization when he hacked into these systems. While some companies may have been happy to be warned of the vulnerabilities they had, and were glad to have them fixed, what he did was still illegal. He should deserve to be arrested, but given his motives will hopefully be given some leniency when it comes to sentencing.

Re:Damn straight he should be arrested

[FunkyELF]

This is crap. I've lived on college apartment networks. People have the biggest vulerablilities on their machines, i'm not talkin about something complecated to mess with, they have their entire C partition sharred. I put .txt files in their c:\win\startmenu\startup or whatever it is and if their printers were sharred I printed it as well letting them know about it. What was stopping me from putting a trojan in their startup directory. Anyway, turns out their stupid management was trying to look for me, but their network was dumb, and so were they. I'm not the slightest bit 1337, not trying to brag or anything. People don't realize what is going on. Its just like blaster. Everyone hates blaster, lets fry the ones who wrote it. I say next time something executes on your machine which you didn't double click on it sends e-mails to everyone on your address book telling them that you're gay, then procedes to format your entire drive. Too much nice hacking, people don't realize that something started running on their computer and there was nothing they could do to prevent it. Oh, it shuts down my computer, this sucks, I hate virus writters. Whatever I'm ranting.

Re:Damn straight he should be arrested

[The_Unforgiven]

You're ranting, but you're right.

Re:Damn straight he should be arrested

This is like someone coming up to your car and washing your windows or something, then asking for money. No, if I asked them to do it, fine, go ahead, if they just go ahead and do it I ought to beat them with a stick and yell a firm "NO" so they get the point.

Or, another scenario if you're touchy about bums. If you take your car to a mechanic to get the brakes done, and he comes back and says "oh, while I was in there, I noticed your engine looked shot, so we dropped a new one in there, the bill's $5000, took a lot of time to get done." Same principle as before, you ought to beat the mechanic with a stick for trying to screw you.

I'm sure his intentions were good and a few companies may have been appreciative, but it's kind of like if a psychologist just walks up to you and tells you that you're depressed and you secretly fantasize about your mother due to long-term neglect. You let companies come to you, you don't just go in and decide you're going to help them. It doesn't work like that. Now this guy knows that, maybe he'll pull a Mitnick and open a legit business and let companies come to him...after he serves his sentence, be it 100 hours of community service, or a couple years in a "pound you in the ass" federal prison.

Re:Damn straight he should be arrested

[Epistax]

"You did a great service to our company, and saved us several billions in possible lost revenue. Here, have a twenty year state in a federal pounding in the ass prison, it's only fair."

Re:Damn straight he should be arrested

[Idou]

And what happens when someone "violates the law," but they are working for the Chinese government and don't really care about U.S. law? Oh, and they also decide to totally trash the system they cracked into.

It seems we are making harsher laws for our own citizens simply because the Internet is Global and our laws can only be enforced locally. Futhermore, it seems we are making companies complacent by giving them these laws to use against U.S. crackers, when these laws will do NOTHING to protect against a foreign attack.

So, I guess his crime was being in the U.S. . . .

Re:Damn straight he should be arrested

[Mt._Honkey]

He was violating the law... ...and were glad to have them fixed, what he did was still illegal. He should deserve to be arrested...

Are you saying that everything one does to break the law is bad and should be punished? The law is an approximation of morality. It's that whole stealing bread to feed your starving children thing. Not wrong, but illegal. I'm not saying that this guy's reasons are as pure as that, but just because it is illegal doesn't mean it is wrong. If I loose my Windows CD but need to re-install my OS, is it wrong to use a pirated copy of the same version? It's illegal, but I'd say that it is most definitely not bad.

If I jaywalk to stop a little kid from running into traffic, should I be fined?

Re:Damn straight he should be arrested

[the_2nd_coming]

he looks as though he may be the type of person that would enjoy a
"pound you in the ass" federal prison.

Re:Damn straight he should be arrested

[Servo]

Are you saying that everything one does to break the law is bad and should be punished?

Of course not. I was only speaking about this particular case where he continually abused the practice. He could have just as easily gone in the front door and done the same thing with full consent as a "consultant". He actively searched for vulnerable companies, and accessed data which he should not have.

I equate that as the same as you breaking into my house and going through my belongings in order to replace the batteries in my smoke detector.

The law is an approximation of morality. It's that whole stealing bread to feed your starving children thing. Not wrong, but illegal.

Illegal, and wrong in that you took from the livelyhood of the baker and/or seller of the bread. Does that person not have the right to earn a decent living wage to feed his own family?

I'm not saying that this guy's reasons are as pure as that, but just because it is illegal doesn't mean it is wrong. If I loose my Windows CD but need to re-install my OS, is it wrong to use a pirated copy of the same version? It's illegal, but I'd say that it is most definitely not bad.

That has absolutely nothing to do with what this guy did. What he did was to identify and then exploit vulnerabilities to access private and confidential data. Just because the door was open does not mean he is allowed to walk through it.

If I jaywalk to stop a little kid from running into traffic, should I be fined?
Uh, no, and once again you are missing the point.

Re:Damn straight he should be arrested

Or, another scenario if you're touchy about bums. If you take your car to a mechanic to get the brakes done, and he comes back and says "oh, while I was in there, I noticed your engine looked shot, so we dropped a new one in there, the bill's $5000, took a lot of time to get done." Same principle as before, you ought to beat the mechanic with a stick for trying to screw you.


I didn't realize he was asking for money.

Re:Damn straight he should be arrested

[dtrent]

If I jaywalk to stop a little kid from running into traffic, should I be fined?

Sage. How 'bout you throw a baby into an intersection to demonstrate the need for a traffic light. Should you be arrested then?

Give the original post some credit, I think the circumstances were being taken into consideration. They guy broke into a system that doesn't belong to him. Maybe he did it to better all humanity, maybe he's selling the information to identity thieves, or maybe he just did it for shits and giggles. The point is, we'll never know. And beyond that, even if he did it with the best of intentions, it's debatable whether or not the ends justify the means.

Re:Damn straight he should be arrested

[Laughable]

The law isn't the measure of all things... It is a measure of the social forces which govern legislation. What a silly crop of insecure freaks we have breeding in this country.

Re:Damn straight he should be arrested

[the_greywolf]

i'd look at it this way, using an analogy similar to your own:

an experienced mechanic is walking down the street, and notices your car. curious, he pops open the hood to make sure it's in good running condition.

then he calls up his friends, gathers all the parts and tools he needs and knocks on your door.

"your engine looks shot. mind if i fix it for you? you don't have to pay me."

Re:Damn straight he should be arrested

[Mt._Honkey]

I was commenting on the point that the whole argument of your original post was "It's illegal, so he should be arrested". I didn't get outside of that, so calm down.

And there's no need to mark me as a foe...

Call to "The Screen Savers"

[Larkfellow]

Here's a link to The Screen Savers (on Tech TV) that has some information about what Adrian had to say when he called in live to speak with Leo.

Re:Call to "The Screen Savers"

[mog007]

Yeah, because when I think anti-hacking consultents, I think TechTv...

Re:Call to "The Screen Savers"

[FearedThought]

They actually do a good job. Letting him say his bit and seeming to understand and empathize with his situation.

hacking...

[softspokenrevolution]

Well, zero tolerance. The thing here is that to an awful lot of people, and especially those who make the laws, hacking is hacking is hacking, who cares what someone says they were doing it for.

I can realy understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."

I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charages against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.

Re:hacking...

"G. Guido coming down to your house, breaking in through a window with a golf-club"

Uhm do you have trouble reading summaries? He didn't make ANY damage. This is equivalent to someone picking my lock, not taking/destroying any of my property and then telling me about my lousy lock. I would be very grateful for that.

Re:hacking...

[Felinoid]

I'm of two minds on this. No three minds. Hay be lucky it's only three ok I RP like 7 avatar.

Anywho..
1. The law is the law
2. Don't the websites have ANY liabilitys?
3. I don't think permission makes a diffrence.

Re:hacking...

I feel that the "What if he broke into /your/ house ?" is a bit of a red herring argument, since it automaticcaly associates breaching of privacy and perhaps even bodily harm to you or your family, and so draws an emotional parralel to the analogy, where there is none. It's more like a kid feeling the handle of a car just parked, clicking the door open, looks around in your car, and then screams "Hey Mister. You forgot to lock your car, and it's a pretty bad neighbourhood here. You might want to lock it." Ofcourse you'll be angry that someone opened your car, but really, the anger is at yourself being so stupid as to leave the car door open, that get's projected on the poor kid, who is doing you a favour. And had no bad intentions.

Re:hacking...

[El+Cubano]

I can realy understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."

I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charages against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.

I can see your point, but what he was doing was exposing flaws in the security of "public" places on the net. How is this any different than when the local news where I live broke into the nearby international airport's restricted area and did a report from there (this was about a year after 9/11) to show how lax security had become again.

When the journalists do it, it is a public service. When a private citizen does it, it is a crime. WTF? Personally, if I am going to be utilizing the services of these sites, I want to know that they have good security (and not just because they say so).

There is no way anyone can convince me that what he was doing was wrong. He was providing a public service, and if the public is too ungrateful to realize that, then it is really sad.

It's not like he extorted money from the comapnies, or demanded some compensation, heck he even helped them fix the holes. It is just sickening that you can't even be a good Samaritan without someone wanting to take your head off.

Re:hacking...

If I can type in a URL or IP address into a browser and go there how is that hacking.
For instance http://galleries.blacksonblondes.com/0308m/739.php ?rid=bob1049b
Now let's change that to rid=bob1048b and then go to that site.
What's the hack, browser's let me do that.
Just for the record I can't view that site as it obviously uses ActiveX and a host of other crap that is insecure which I have disable or deleted.
The rest of you enjoy.
There is no hack involved in these supposed intrusions, just morron web administrators.

Re:hacking...

What about the people who had their social security numbers taken, wouldn't they be pissed off with both Lamo and the NYT?

They have a right to have their details secured, but also expect that no one should be "stealing" their details.

Re:hacking...

but when the journalists do it, one counts on the integrity of the journalists not to do anything, as well as the peer oversight provided by having anchors, crew, directors and other people required to produce a news show. It's alot harder to get away with shit when 5 other people are looking, not to mention the fact that once the security hole has been fixed (the one he came through) he can still have placed a backdoor for which they have to scour their system for, whereas the news people cannot have placed a door, jurry rigged the lock or done anything else to allow themselves access without arousing a decent amount of suspicion from the people who use the place on a daily basis. Computers are usually only used by people who look at the data generated to them in the form of a UI, there is simply too much raw data to look at and still get a decent overview of the system, whereas the airport will consist of a few items whose integrity or lack thereof should be very obvious.

Re:hacking...

I wouldn't buy a security system from someone who "hacked" my house. I'd have the louse thrown in jail. Same applies here.

Re:hacking...

sorry, but it's more like G. Guido coming down to your house and your front door is wide open. Nice of him to tell you that your a complete idiot and should always lock your doors.

Re:hacking...

What you claim to be a public service for some is a dis-service for others. When the public hears about that a company can be hacked, it could erode trust in the company and affect it's public shareholders. So even "white hat" actions can have black hat effects. Even a supposedly "white hat" hacker could *do no harm* but profit handsomely by selling that companies' stock short. Security is just a deterrent anyway. I don't need someone to break into my car to prove that they can do it, I know my car can be broken into. And I think we are all aware that the beefed up security at the airports is a pathetic waste of money because I can think of dozens of ways of getting weapons on a plane. The best medicine is to create a society where people are not so inclined to steal from us and bomb our planes. Spending that $87 billion on poverty here in the US and getting out of Iraq might be a good start on both.

Go Mom!

[The+Tyro]

Heheh... when the agents wanted to come into her home, she told them to get stuffed and come back with a warrant...

That's love, folks.

It would be ironic if this was set up by the NYtimes. I thought investigative/secret camera/sting operation reporting was supposed to be agressive journalism... couldn't his "hack" be considered the same sort of thing? "Unsporting" doesn't begin to describe it, particularly if he was up-front and honest about helping them out. If the NYtimes can investigate, blow the whistle on others, and embarass them into action, I'd say the same card can be played against the Times. "Sour Grapes" anyone?

Yes, he was likely technically in the wrong, no doubt about it, particularly if you adhere to the letter of the rule, rather than the spirit of the rule... even so, this seems a bit heavy-handed.

Re:Go Mom!

[LostCluster]

Yeah, there are many reporters through the years who have broken laws in the course of reporting, and I'm sure some archive searchers can come up with NY Times examples, where the investigative reporter escapes punishment because they broke the law in the name of journalism.

Lamo didn't down the company, or commit credit card fraud with Rush Limbaugh's SSN. There are much worse hackers out there, but the FBI's just looking for somebody to make an example of because they can't quite figure out where the first SoBig came from...

Re:Go Mom!

How right you are!

Somebody mod him up.

Re:Go Mom!

[SunPin]

Yes, you are correct but he should have covered his ass by setting up a security magazine online so he could enjoy the Freedom of the Press.

Freedom of the Press belongs only to those that own a press. Everyone else will be raped when the system feels like doing so.

Re:Go Mom!

I think you'll find the NYT's standards are always whiter than white.

Re:Go Mom!

[Drogo+Knotwise]

Up-front? If he was interested in being up-front, why didn't he contact the NYT sysadmin beforehand? I see no reason why informing someone before you "test" their systems would be a problem.

Re:Go Mom!

That's not love, that's just common sense.

If they had come with a warrant and she had barricaded the doors and let them know they wouldn't get in without a fight to the death... that'd be love.

Crazy? Yeah, love is crazy.

Re:Go Mom!

[ArchAngelQ]

The spirit of the law vs. the letter of the law is something that will be put into effect when the judge hands down the punishment. That's always been the best way to deal with mostly harmless, or even possitive breaking of the law. It'd be smart for the defence attorney to have him plead guilty to the charges, and then push the motive and results. Hopefully they'll get a sympathetic judge.

Even more hopefully, the judge will let him off with a big pile of community service... and then the FBI will get him to fulfill it, busting into their systems and pointing out the bugs. The private sector needs a watchdog for cracking, but the govt. needs it doubly so.

Seems fair

[TheFairElf]

If he's going to hack websites, even with the best intentions he's still breaking the law. It seems it would be better for him to work at a security firm (or open his own) and at least get paid for all his troubles. Then he'll be rich and he'll be praised for basically doing the same thing.

Re:Seems fair

[practicalista]

You need to think this line of argument through.

Essentially you arguing that it is never justifiable to break the law, irrespective of what good you may do by doing so.

Strikes me as a bad idea!

Damn

[Timesprout]

Lamo's hacked Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser

Is this hacking functionality part of the kitchen sink in Mozilla ?

He got what he deserved

[nuggz]

Yes, he did something illegal.
He did something wrong.
He might be able to prove or suggest no criminal intent, which would give the lenient sentence.

But really why was he doing this? it was dumb.

This seems unfair

[practicalista]

I am not sure what he did at the New York Times can even be considered hacking.

So far as I can tell he set his web proxy to the address of the company infranet, surfed around that, downloaded some documents and used the information contained in these to get some more.

Whilst I don't approve of hacking per-se, I'd have to say that here, this is very little more than exposing a badly designed web site.

Imagine that you go to you Gas company's online web site, look at the URL and see your account number in it. You think to yourself, I wonder what would happen if I changed one of the digits. You do and lo and behold up pops all the information to another customer.

Now you can go for your 15 minutes of fame and ring up SecurityFocus or you can have a quiet word with the Webmaster of the Gas company - either way, you are not a hacker.

Re:This seems unfair

Isn't what he did sort of like what the New York Times recently did when they rented a boat and penetrated one of the security zones in NYC? The police apprehended them but let them go.

Re:This seems unfair

Actually, that changing-the-account-number trick worked for my local gas company (PSEG) up until about six months ago. If you tried to make any changes (like start/end service or pay a bill) it would log you out, but you could see their bill...

Re:This seems unfair

[davesag]

My Girlfriend, Caroline, was surfing a jobs site last year and she's no hacker let me tell you, but she managed somehow to get into an area where she had full access to the administrative tools and could edit people's CVs, upload new word docs in their place, edit people's names and passworrds etc etc. I took a look, as she said "check this out, it's letting me edit their details." It was some poorly thrown togehter .asp site. So she wrote to the company concerned with some screen snaps and explained as close as she could remember what she had done. Caroline never received a reply. But at least the feds are not after her.
-
also just a thought, could we now say he's Adrian "on the" Lamo. boom boom.

Re:This seems unfair

Adrian's hacking tools are a simple Browser. He uses NO other kinds of tools. His going into places just requires knowledge of web servers, and the right URL.

If people put up a web server, accessable by browsers, they should at least have some reasonable protections. it's like leaving the door open to your house. Sure, it's illegal to open the door and walk in if you don't live there, but if you don't adequately protect your property, you are certainly at fault.

Re:This seems unfair

[bill_mcgonigle]

I am not sure what he did at the New York Times can even be considered hacking.

He also added &partner=Google to a URL.

30 years to life. Off with his head.

It's about time.

[FreeLinux]

This lame weasel has been publicly boasting about his escapades for over a year now. It's about time the authorities caught up with him. I suppose that they will use this as another reason why Andy Griffith and Barney Fife need the Patriot Act.

Re:It's about time.

[krumms]

This lame weasel has been publicly boasting about his escapades for over a year now. It's about time the authorities caught up with him. I suppose that they will use this as another reason why Andy Griffith and Barney Fife need the Patriot Act.

While I don't directly agree with your statement, it's a fair point. It was only a matter of time before somebody decided that it was time to say "Stop".

My bet would be that it was some management type that had no real idea what actually happenned, heard the word 'hack' and in the next breath, said 'lawsuit'. But, as any good /.er, I haven't read the article. So hey.

Sheesh!

[joto]

What did he expect really? That everybody should love him because he snooped around in their systems without permission?

He must have been living under a very large big rock for a long time, if he thought this kind of behaviour has ever been accepted by the authorities and most sysadmins.

And by the way, hacking systems without permission have never been white-hat. At best, I would call it grey-hat, although black-hat is certainly also fitting.

If we start judging people on intentions instead of what they do, I think most people will start complaining. "No, I was only trying to help the sysadmin, so I haven't done anything illegal", is about as stupid as "You thought about stealing that car, so you should go to jail for that".

Re:Sheesh!

[WindowLicker916]

Intentions have everything to do with how the law should be enforced. If I plan to kill someone and do it, thats murder in the first degree if it wasnt planned then its second degree murder or involuntary man slaughter. So if he's not causing any harm and is actually saving these companys from possibly millions of dollers worth of damages because some script kiddie, then good for him. He just did them a great service.

Re:Sheesh!

[serviscope_minor]

Yeah, damn right we shouldn't judge someone on their intentions. Now if you kill someone, you'll be locked away for life, no questions. And I don't care if they were trying to kill you and it was self defense. Killing is killing, no matter what the intention.

Re:Sheesh!

[joto]

I stand corrected in the case of killing. But there's still a difference between that and this case. Adrian Lemo didn't involuntarily hack those sites (and neither did he do it in self-defence). If you kill some asshole for utilitarian reasons, you will still be prosecuted (war and carrying out a death penatly are exceptions, though...)

How lame...

[Jon+Abbott]

...the FBI has filed charges against [Lamo], and currently has his parents' house staked out.

Well that's just... lame-o! [ducks for cover]

another scapegoat

[segment]

Wow so I'm not alone in this world. (for those who know me) Anyway, I wrote up an article about the Blaster scapegoat, guess I'll do another one. The ONE THING TO NOTE (I will not rant on about this too much) is how supposedly he accessed information on federal agents. Not to start a conspiracy theory thread or flame war, but shouldn't this be the obvious reason why they are going after this guy. Think about that for a bit. Sure he accessed their site, but they should also go after the vendor if they're sincere about being pissed off at the actions of this guy. If a car salesman sells you a car and states it has an alarm, yet the alarm doesn't work who do you blame the thief? Or would you go back to the salesman. Shit, sorry I have no time to finish this /. rambling, the feds are here because I decided to use POST to send information to my bank.

Re:another scapegoat

you have poor critical thinking skills.

why doesn't the FBI hire him already

Give me a freakin' break here. The guy obvious knows his stuff, why don't they just hire him. the New York times should have fire the idiots who setup their system.

He did nothing wront, because...

[Jacer]

Information wants to be free! [sic]

So I Married an Axe Hacker

Give me an axe and I can hack a network too, and call up those in charge of it and help them fix the holes.

And assuming the NYT servers have wooden casings, I can hack deeply into their system as well.

Common Sense!!

[drakman]

The better approach would be to ask them beforehand, or notify them of potential security holes first. Similarly, walking into someone's house and telling a petrified mother the left their door open probably isnt a good idea.

Re:Common Sense!!

Their response would be "No, we have no security problems."

Re:Common Sense!!

[serviscope_minor]

I wish people would shop using this "walking throught the front door" analogy. You can easily threaten someone like that. The "mum" that you're refering to may well be petrified if someone broke in. What if someone downloaded a file from here computer, and emailed her telling her that her data was insecure, and instructions on how to fix it? Whold she pe petrified then? Probably not. Its not like this guy has threatened people, so analogies implying that he has are plain silly.

Can't ask or tell ,... Its just not the same thing

[SerpentDrago]

OK , I get your point, But think about this one... If he had gone to them and asked them. They would be on a Hightened sense of security. Using Your example lets say i was going to break into your house to "test" the security. I told you i was going to do this. Guess what you would do for the next weeks. YOU would make sure you lock your doors and windows at all times. but if i would not have told you / asked you . mybee you leave for work in a hurry and forget to lock your door ! mybee sometimes on a cool night you open your window a little and forget to close it. I think you get the point.. Even if the Corp. does not actively tighten security for the "test" hack they are still going to be watching there logs more actively and such. The point is simple you can't do a true Test of Security by letting them know it has to be random and un planned.

That's totally Lamo

I suggest, from this day forward, we replace lame in speech and word with Lamo! (Or for the Arizona Slashdot readers, perhaps Slashdot could give out Lamo Bags from a new Wallace and Lamo show.)

He accessed an internal network

[mindstrm]

that he knew he did not have permission to access, by his own admission.

Any way you slice it, that breaks the letter of the law.

If you want to test the secrurity of my network without getting charged if you break in, then I suggest you obtain myh persmission to do so in the first place.

Analogy: You find a guy walked in your front door cause it was open, snooped around your house, your bedroom, your closet... then told you "You shouldn't leave that box of money in your closet, and you should leave your door locked".
Is he guilty of trespass / unlawful entry? Damn straight. Would you feel violated? Damn straight.

Re:He accessed an internal network

[practicalista]

The law make distinctions between trespass, breaking and entry, armed robbery and so on.

The guy who wanders around your house is a trespasser not an armed robber. It seems here that a better analogy would be :

A guy walks in to your unlocked house, boasts about it and you insist that he prosecuted for the worst possible crime he *may* have committed, not the crime he did commit (to walk through an unlocked door).

Re:He accessed an internal network

[Uerige]

Analogy: You find a guy walked in your front door cause it was open, snooped around your house, your bedroom, your closet... then told you "You shouldn't leave that box of money in your closet, and you should leave your door locked".

That's not an analogy for this. It's more like, if you have an alarm, and someone manages to get into your house with no big effort and without the alarm going off, then leaves a message saying: "You may have a fancy alarm system, but the kitchen window is wide open, call me if you need help on closing it!"

Re:He accessed an internal network

He changed the URL or IP address which any browser will let any person do and accessed an unsecure portion of a network.
Who's to blame any person with the brains and balls to it or the network administrator who didn't lock it down properly.
He deserves cudos and the administrator needs to be fired forthwidth.

Re:He accessed an internal network

If I found that message in my kitchen, I'd call the police. That might be your point or not.

Re:He accessed an internal network

[catenos]

not the crime he did commit (to walk through an unlocked door).

Excuse my ignorance, but is this really a crime in the USA? AFAIK local laws, in Germany anyone can walk into any open (as in "not closed", not "not locked") area as it pleases him/her, until and only until, you say him he is not welcome. Then you can call the police if he stays or reenters.

That's probably why most estates have garden fences. Most of them don't stop anyone, but they declare the garden a "closed" area (presumed that the fence gate is closed, of course).

So, yes, I can simply walk into a stranger's house, as long as he left the door open, and given that I don't do anything illegal additionally, there was no crime. (But that doesn't mean that the owner won't call the police and the police won't hold me and investigate what illigal activity I might have done in the house, if I don't have a reasonable explanation for being in that house).

Re:He accessed an internal network

[MegaFur]

I believe the cops can arrest you for being on private property without permission. Unless of course you own the property or there's some other good explanation: like if you're renting the property or you're the child of a parent that owns or rents the property, etc.

That's what "trespassing" means. Of course, sometimes, on large private properties they explicity post "no tresspassing" signs just to make the point extra clear. Also, some of the more paranoid home owners have "beware of dog" signs and possibly "this house protected by ADT security" signs. Absense of one of those signs does not make it okay to waltz into someone's house without permission. It's still trespassing.

What was he thinking?

[tarranp]

If you break into someone's house, telling him after the fact how yo got in does not automatically pardon you from the crime...

Had Adrian simply notified the New York Times in a timely manner about the open proxy servers, he would have been fine and probably accomplished his mission.

Instead, he took his time cracking the system, widening the holes so to speak, and then went to a reporter(!), of all people.

There is nothing inherently wrong with his desire to improve security. There is nothing wrong with him looking around the public spaces on the internet for chinks. What was wrong was that he failed to tell the people maintaining the chinks directly about them, widened them until he got at valuable data, didn't tell the affected people about the data he had received, but then went to a third party and told them about the wanging big hole he had made. I'm sure he views himself as a knight in shining armor, but in this matter he behaved like a publicity-seeking self-promoter.

Yes, shame on the NYT for misconfiguring their systems, but even more shame on Adrian for doing something so illegal and counterproductive.

It does not matter if a person thinks he's a good guy, he still does not have carte blanche to do whatever he wishes.

Re:What was he thinking?

a server is not a house.

Re:What was he thinking?

[ChannelX]

I suspect the law would disagree with you. The server is the property of the New York Times as is the data.

Re:What was he thinking?

[GigsVT]

There is nothing wrong with him looking around the public spaces on the internet for chinks.

I hear .cn is a good place to look.

Re:What was he thinking?

I suspect the law would disagree with you.

I very much doubt it.

The server is the property of the New York Times as is the data.

Many many things that aren't houses are nevertheless the property of the New York Times.

Re:What was he thinking?

Had Adrian simply notified the New York Times in a timely manner about the open proxy servers, he would have been fine and probably accomplished his mission.

You think they would have fixed the problem? Get real. I did some security work for the Times. I watched an admin try to kill all the apache processes on a web server with "killall -9 httpd". One problem: this was a Solaris box. Needless to say much hilarity ensued.

The Times had a couple of really good admins and a bunch of not so good admins. They also viewed web security as an afterthought. This isn't exactly the first time they have been hacked afterall.

Do I think Adrian was playing with fire? Definitely. Is he going to get burned? Probably. Unless Yahoo, MCI and the like come to his side, he is pretty much screwed.

As for those people arguing that he might have had bad intentions, I ask you this: What The Fuck happened to "Innocent until proven guilty" in this fucking country. In the past Adrian has never broken into a system to exploit it. In every case he has helped to fix the problems and the companies came out better in the end. That certainly suggests no ill intentions to me.

Would I be pissed off if someone broken into my system? Hell yes... at myself! What would piss me off even more, though, is finding out someone broke into my systems and then having to go through each and every one by hand to track down the damage that was done.

Frankly, I am sick and tired of this "zero tolerance" bullshit. Each and every case is unique and should be handled that way. Should Adrian be punished? Probably, but it should be something sane like 1 year of probation. When you consider how much better off each of these companies is as a result of his actions, I think that is a more than sufficient punishment.

Re:What was he thinking?

[FussionMan]

If these are open to the public proxies, how is someone to know when accessing them that they are breaking the law?

Re:What was he thinking?

"Find the chinks and brag about widening their wanging holes" at +5 Insightful.

You, my friend, are awsome. I'm more impressed than when I saw "Linus is a stupid mangina" at +5...

Enter the Matrix

[GillBates0]

So there's this hacker, and the blacks come after him, stake him out, and try to take him away...hmmm...I've heard that before.

I know what happens next...the "good guys" will try to save him from the agents.

Remember Lamo, choose the red pill.

Code of Ethics

[Maradine]

Disclaimer: the Man owns me.

Hey, ya know, I remember when when I got my CISSP and NSA training way back when that I had to sign off on a code of ethics about these kind of things. Since then, I've heard two very good interpretations of the code by two interesting sources:

An old friend from TKE:
Ya don't touch the booty til the booty invites you in.

Jack Nicholson:
Never rub another man's rhubarb.

Seriously, though. Pick your government or private sector security standard. Access Control, Authentication, and Accountibilty are atthe forefront of all of them. The corporations in question have no way of knowing what he did inside their networks, what he saw, and who he told. All three of the standard elements of information criticality -- Confidentiality, Integrity, and Availablility -- could have been breached. Would you prosecute?

I would. And my father taught me something relevant -- a man who believes he's innocent is rarely found on the run.

Except maybe Harrison Ford. Man, he's getting old.

M

finaly a good analogy

[claude_juan]

from the techtv site...

"Lamo hacked into the website of The New York Times in February 2002 and took the Social Security numbers of several people. He then added his name to the list of contributors to The New York Times and notified the paper of what he'd done."

kind of like this....

middle-aged man #1 (Lamo) - "hey, i screwed your 16 year old daughter. i took her virginity, but i have to tell you she wasn't very good."

Lamo expected this...
middle-aged man #2 (NYT) - "oh hey thanks! i'll get her some literature and make sure she's up to speed!"

But instead he got punched in the face and sent (pending) to jail.

do you really think he had the "good" in mind? "i'll just take a few socials cuz thats harmless." what a putz.

Re:finaly a good analogy

[LostCluster]

Taking a socical security number and giving it back to the people who run the system isn't harmful, it's simply proof that Lamo did break into the system. It's illegal, but nobody is hurt by the action.

Disclosing the SSN to the public or trying to get a loan under an SSN that's not your own is quite harmful... but nobody's accusing Lamo of doing that, the FBI is simply insinuating that all people who steal SSNs do bad things with them, without having any proof that Lamo did so. FUD 101...

Re:hacking...a service

[globalar]

From the article:
"'I hope there will be a time when Adrian can do positive things that everyone agrees are positive,'"

This service analogy, or the positive light of the grey hacker's actions, does have some weight, as the hacker can inform the admins about the specific flaws of their system security.

But then again, any service should be prompted or invited. And a larger problem is this isn't just washing windows, these are problem areas, flaws, and security flaws at that. These might even give access to a company's dirty laundry. So not only is this service uninvited and not approved, it gives access to private company resources and information, and uses the security holes to get in.

Yes, I assume if security is the only dimension that your job entails, then this is all worth it. But to most people in charge, and arguably the general populace at large, this is an intrusion by illegal means.

I personally value my private virtual space. If you get on my computer and get into my root account, it's an intrusion. Yeah, I will listen to how you did it, but for your troubles you'll never use my computer again.

Horrible analogy.

[pb]

What if I just leave a signed note on the inside of your car that says "follow these three easy steps, and then no one else will be able to break into your car again"? Do you say "hey, thanks, buddy!", or "hey, someone broke into my car!"...

Re:Horrible analogy.

[Sycraft-fu]

Depends if you asked permission first. If you come to me and say "hey, I think there is a problem with your car security, let me show you". I'll say "ok" and let you go to work. If you then break in, and tell me how to fix it I'll be happy. However if I catch you trying to break in to my car without my permission I'll call the cops.

Physical or virtual, you need my permission to use my stuff. If you want to borrow something, get a login on my server, test my security, etc ASK ME. It is not yours to mess with as you please. I don't care if your intent is just to find problems and notify me, you still need my permission first.

Heck, with physical secutiy, I am fully aware of most of the problems I have. I know the weaknessess to my house and car. Problem is, they cost too much to fix. Well, that does NOT give you permission to exploit them, even if just to let me know they are there.

Re:Horrible analogy.

[Art+Tatum]

I'd say thanks and I honestly can't understand anyone saying anything else. I suppose we're just different people.

Re:Horrible analogy.

[Just+Some+Guy]

I'd be angry, but appreciative.

However, that's not what happened.

In your analogy, suppose that I catch you in the process of breaking into my car. As you lay on the ground with my boot on your head, you tell me that you were going to help me secure it. Of course, you haven't written the note yet and don't have any evidence that you weren't trying to steal my CDs, but you're willing to provide references of other people that you've "assisted".

So, either I believe your references and trust that you don't have any "undocumented assistances", or I kick in your teeth while waiting for the cops to send your trespassing butt to prison.

I hope you have a good dentist.

Re:Horrible analogy.

[WhaDaYaKnow]

What if I just leave a signed note on the inside of your car that says "follow these three easy steps, and then no one else will be able to break into your car again"? Do you say "hey, thanks, buddy!", or "hey, someone broke into my car!"...

What if I walked out of the home with a shotgun and saw you in my car placing the note. Would it be OK to shoot you in the knee-cap?

(back-'analogizing' is left as an exercise)

Re:Horrible analogy.

Depends on whether you're a Republican or not (them choosing the latter statement... you know, the whole "don't think, just attack" mentality).

Re:Horrible analogy.

[irc.goatse.cx+troll]

"Physical or virtual, you need my permission to use my stuff. If you want to borrow something, get a login on my server, test my security, etc ASK ME"

While I can fully understand that, Do you really think a company like NYTimes would say yes? Of course not, they dont want anyone poking around at their system. Instead, they would go unpatched until someone hostile broke in adn actually did something with all of the customer info and write access to a very popular page-- for example, offer a 'nytimes news on your desktop' app thats just a simple trojan. Or use an activex exploit to force install it on most people running ie. Or take the site down right after a big terrorist attack.

Re:Horrible analogy.

I don't care if your intent is just to find problems and notify me, you still need my permission first.


Fine by me. Next time you leave your keys in your car, or leave a window wide open when leaving for vacation, I won't bother to tell you. After all, I don't "have your permission".

This is actually good news

[weileong]

that the FBI has filed charges against him

If the FBI has the resources to throw into this kind of thing, then it must mean they've got the whole terrorism thing solved.

Re:This is actually good news

Erm. I think the parent was trying to be funny/sarcastic, and not meaning it literally... .

ADRIAN DON'T COME HOME!

Son, DON'T COME HOME! They are staking out the house! Thanks Slashdot!

Wish I had mod points for once

[jbarket]

To sent this one to the top. I agree entirely. For the past year I have turned the tables and gone from creating overly complicated web applications for other people to running my own business. When I was working for an ISP, I would have probably appreciated a call like that--but now that it's my sensitive data at stake, it's a big no no. I mean, admitted his motive was good, but he still gained access to sensitive data. It's like breaking into a bank vault to prove the money isn't safe--somebody is totally going to take you away in handcuffs.

Re:Wish I had mod points for once

[williewang]

I agree as well. What concerns me, however, is that the new draconian legislation will try to nail him to the wall and treat Lamo as a "terrorist." Hopefully they will be reasonable adults about it if charges are formally announced and levied. But we are all going to have to admit that there are different levels of hacking just as there are different levels of theft and like-crimes.

If I walk into your house because you left the door unlocked and I walk around, look through your medicine cabinet or check out your books, then leave, that is trespassing--to be certain. But it's not the same as breaking in, killing your dog, and stealing all of your furniture. I'm not suggesting that you think the book should be thrown at him--you, like me, just don't want him snooping around uninvited. I just hope that they don't try to make a whipping boy out of this guy.

Re:Wish I had mod points for once

Of course if you locked down your apps in the first place you wouldn't have to worry. Sounds to me like you'd rather stick your head in the sand.

Um, what??

[GrouchoMarx]

OK, white hat cracking someone is still cracking their system, no matter how benevolent the intent. But this part just makes my blood boil:

French did not know what the specific allegations were, because the charging document is sealed.

Especially in light of this part of another article that people need to spend more time reading:

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

Excuse me, what part of cracking the NY Times is a threat to national security? Why are so many court documents sealed these days? There is NO legitimate reason for securing this sort of charge. Even if the prosecutors were to go as far as claiming he were a terrorist, there's still no nuclear weapons secrets (which we all know by now anyway, despite being classified) in the NY Times payroll database.

He should use that in his defense; because the case was sealed, it's unconstitutional and therefore he can't be found guilty.

I don't support this sort of vigilante white hat hacking, but I oppose ignoring the constitution even more.

Re:Um, what??

Makes ya wonder just who is on the nyt payroll these days . . .

Re:Um, what??

[mellonhead]

"He should use that in his defense; because the case was sealed, it's unconstitutional and therefore he can't be found guilty."

This is wrong. Indictments are sealed all the time. It's not unconstitutional.

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

These are the rights of the defendant. If an indictment is sealed, the accused does not have to be informed of the nature and cause of the accusation until arraignment.

Your blood may boil, you may not like it, but that's the way the system is.

I could not believe the interview on The Screen Savers last night. That noise you may have heard was hundreds of geek defense attorneys yelling at their televisions, "SHUT UP!" He buried himself with self-incriminating statements about his guilt. The tape of the show will be used at his trial.

As far as not turning himself in, he's doing major damage to himself at an eventual bail hearing. The prosecutor will cite the interview and state that Mr. Lamo, even though he knew he had a warrant for his arrest, chose to remain at large. He will further state that because of this, he doesn't believe Mr. Lamo can be trusted to show up for trial and therefore should be denied bail. When you find out there's an arrest warrant you don't "negotiate as a reasonable person" if they won't tell you what the charges are. You turn yourself in immediately. The article states his lawyer told him to do so. Every minute he remains at large is going to help him get Mitnicked and he could spend a considerable amount of time in jail without bail.

Re:Um, what??

[One+Louder]

Excuse me, what part of cracking the NY Times is a threat to national security?

Well, if the New York Times is compromised by hackers, how can we ever trust the accuracy of the stories published by this hallowed national treasure...oh wait...never mind....

Re:Um, what??

If I was living in the US right now, and there was a warrant for my arrest under sealed charges, I'd be outta the country on the first plane.

Re:Um, what??

[aminorex]

Ah, but that is the problem: The hackers might
put the TRUTH into the stories in the Times, which
would DEFINITELY be a threat to the security of
the ruling junta.

Mixed feelings on this issue

[Orion+Blastar]

If he was hired to test security it would be a different matter. But he allegedly broke into those systems without permission. That puts him in violation of Cybercrime laws.

I feel sorry for him, because he did allegedly report the weaknesses to the admins and he could have just read the data and not told anyone and used the information for his on purposes. So his intentions were good, to plug security holes by finding them and telling the admins about it. But he is doing it the wrong way, without permission.

He may want to think about pleading guilty and making a deal to get reduced charges. This will make him famous and when he gets out of jail and ends probation, he can become a security consultant. Otherwise they may try to make an example out of him and charge him with a full pentalty and any other charges they can think of.

But then the places he broke into didn't use good security practices and didn't apply the latest updates. Personally, I wouldn't put a machine on the Internet that contains sensitive data on it that only my company should have access to like contact information, credit card numbers, etc.

Re:Mixed feelings on this issue

[Daedalus-Ubergeek]

Remember, it's better to ask for forgiveness, than to ask for permission.

Re:Mixed feelings on this issue

Actually I think it is easier to ask for forgiveness, not better.

Re:Mixed feelings on this issue

[ratboy666]

Since the "holes" existed, it can be argued that the particular usage was invited. Unless I have entered into a specific contract, the NYT or any organization making a system available on the Internet exposes it to me, and makes its services available to me. Including services opened by "holes", because these holes may be a deliberate publication of a "service". For example -- If I take a taxi, it's published service is to take me somewhere. However, there may be other services that are _not_ published that the taxi may provide. Asking where an Italian Restaurant is... asking what time it is... etc.

Now, the service may be granted, EVEN IF IS NOT A PUBLISHED TAXI SERVICE. And, it is NOT illegal to ask the time from a taxi driver.

So, hacking should be considered legal. Under any sane legal system, anyway.

Ratboy.

Re:Mixed feelings on this issue

Now, the service may be granted, EVEN IF IS NOT A PUBLISHED TAXI SERVICE. And, it is NOT illegal to ask the time from a taxi driver.

Bad analogy. You're asking for the service. That's slightly different from what you're trying to compare it to.
A better one would be reaching into the driver's pockets and rifling around to see if you can find a piece of paper with the address of a restaurant. Try that in a taxi someday, I guarantee the driver's not going to be too pleased about it.

Re:Mixed feelings on this issue

[Orion+Blastar]

Not so easy to ask for forgiveness when someone is trying to make an example out of you for the legal system to prevent further crimes of the same nature.

Get permission, get paid.

[FreeLinux]

I wonder how much trouble he would be in if he had asked the companies' permissions before plying his trade

He wouldn't be in any trouble at all. Most responsible CIO/CFOs regularly contract with third parties to test their security. These usually involve full on intrusion attempts including social engineering attempts. They pay a hefty sum for such services and usually feel a little better if something(preferrably minor) is actually found. That way they have something to fix and feel even more secure than when they are told that they are completely secure from the outset.

What Lamo does is simple, straightforward, black hat cracking that he feels is justified and made legitimate by not causing damage and then reporting his findings to the appropriate people. What it really is is bragging on his part in an effort to boost his pathetic ego.

Re:Get permission, get paid.

Most responsible CIO/CFOs regularly contract with third parties to test their security. These usually involve full on intrusion attempts including social engineering attempts. They pay a hefty sum for such services...

Which he provided FOR FREE!

What's their problem?

Jayson Blair? Ah.

[AtariAmarok]

"but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got.""

Ah. This will lead to the perfect explanation of the Jayson Blair problem and other NYT prattfalls:

"It wasn't us. Lamo hacked our personnel files to make sure Blair was hired and employed. He also altered our articles so they were not longer factually pristine."

Followup

There is an interesting follow-up thread in the Power Tech Forums's message boards. Check it out.

Why they're after him

[mabu]

Lamo broke into the NY Times computer and found out that all their news stories are ghost written by the CEOs of Haliburton, Bechtel and Enron.

Re:Why they're after him

[stevejsmith]

You're thinking of the Fox News.

Maybe AOL wants revenge

Mr. Lamo did operate http://www.inside-aol.net (or was it .com ?) for a while. Maybe AOL wants revenge.

Why do they do it?

[Knunov]

I know what many of you are thinking. Why not tell these companies BEFORE you break in?

Because IT'S NOT FUN, that's why. Or perhaps more accurately, it's not stimulating.

Hacking these sites takes time, and the payoff is getting inside and saying, "WOO-HOO! I DID IT!" The fact that he does nothing malicious afterwards and even calls and helps the sysadmins unfuck their systems is a testament to his character.

For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you, such as family pictures, your kid's toys, or if he was REALLY unlucky, your fat, naked ass sitting in a Lazy Boy with a bowl of chips balanced on your ponderous belly, flipping through the channels.

"Uhhh... hey dude. Your lock is vulnerable."

See? Just not the same.

Getting past a computer's defenses is not the same as physically entering a home or bank vault, though I would find the latter far less intrusive than home invasion, especially if he never even touched the money.

Now, if he LOOKED at personal/confidential files once inside, that is a different story. But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.

Misdemeanor, at most.

It doesn't matter what he could have done while inside, it matters what he did, or more specifically did not do while inside the system.

"That bastard! He saw my FILE NAMING SCHEME!"

Yeah, he should fry for that...

Knunov

Re:Why do they do it?

Can I have your social security number? Apparently it's unimportant to you. I won't violate your meatspace, because, well that sounds gay. So if you'll just go about telling me, I won't pwn your Dell and just sniff for your SSN.

Re:Why do they do it?

[Sycraft-fu]

So who cares if it isn't fun, isn't a thrill, or ahwtever. The hacking laws don't say "it's illegal unless fun). Sorry, but you are a retard if you go and hack someone's system without their permission. If you want to do a security test of someone's system/network, ask. Tell them that you are willing to audit them, for no charge. You'll investigate their setup, and then make a full report of all venurabilities. You don't think that's fun? Get another carrer. The world does not owe you a fun time.

And yes, it is very much like breaking in to someone's house. Not as severe, but the same kind of crime. My computer is MINE and I'll thank you to leave it alone. Same goes for my house. If you want to poke around either of them, you need my permission first. It doesn't matter what your intent is, or if you damage anything, the point is you are getting in to my personal roperty without permission.

If you want to hack people's systems legally, then you need to do security consulting. Get their permission to break in and tell them what it wrong. You don't get a thrill from that ebcause you aren't getting awy with something you shouldn't? Too bad.

Re:Why do they do it?

[buttahead]

another key point to make here is that this guy can hack a company and then do one of: 1) try to sell his services to the company to prevent such hacking in the future, 2) take any information he discovered and sell it to the highest bidder.

either way he can profit. I don't care if some one is "testing my lock". I do care that they are trying to bend me over a barrel and invite their friends over for a party.

Re:Why do they do it?

[Caeldan]

According to the article, he did look at personal and confidential files once inside. Namely, Social Security numbers, as well as some high profile people's phone numbers.

So basically he did walk in and see you sitting in your Lazy Boy and said 'hey your lock is weak'

Re:Why do they do it?

[RzUpAnmsCwrds]

"For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you, such as family pictures, your kid's toys, or if he was REALLY unlucky, your fat, naked ass sitting in a Lazy Boy with a bowl of chips balanced on your ponderous belly, flipping through the channels."

But, wait, isn't that what crackers do? Even the crackers who don't steal personal information and trash the system will invariably run into confidential data. There may not have been "family pictures", but there were certainly names and addresses and credit card numbers.

If you don't trust the government with your private data, why would you trust some kid with it?

Re:Why do they do it?

Why not tell these companies BEFORE you break in? Because IT'S NOT FUN

It is, however, ethical and legal to get somebody's permission before attempting to gain access to their systems. Thinking that because it is fun not to do this somehow makes it all okay is childish.

Hacking these sites takes time, and the payoff is getting inside and saying, "WOO-HOO! I DID IT!"

No payoff, huh?

The fact that he does nothing malicious afterwards

Says who? The guy that just broken into your server? And you trust him implicitly because...?

and even calls and helps the sysadmins unfuck their systems is a testament to his character.

Does he do this for free? He must do, right? After all, the payoff is WOO-HOO, not cash, right? He doesn't ask for money?

For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you

Do you consider your SSN to be personal?

Getting past a computer's defenses is not the same as physically entering a home or bank vault

That doesn't mean it isn't wrong.

Now, if he LOOKED at personal/confidential files once inside, that is a different story.

And we have to rely on his word that he didn't. Given that he's already broken into your system, are you really going to trust him?

But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.

What makes you think that that is his only ambition? Because he says so?

It doesn't matter what he could have done while inside

It damn well does, and if you think otherwise, then you need to do a bit of growing up.

What do you think sysadmins should say in this situation? "Oh yes, thanks for pointing that out, here's some money to help us fix it. Oh, of course you didn't install any backdoors or copy any confidential data while you were there, we trust you". Bollocks. They need to do a complete audit on their system.

"That bastard! He saw my FILE NAMING SCHEME!"

Dickhead. There is such a thing as confidential data you know.

Re:Why do they do it?

Several years ago, I did a little bit of white hat hacking. I has started out just finding the hold, and telling the admin about it. Most of the time, it would take several attempts to contact them and several weeks before they'd respond. Even then, they usually denied that there was a problem. However, if you actually gave them a working expliot, they usually fixed it right away.
I'm lucky, back when I did it people weren't so willing to get the authorities involved. But if you've ever tried to notify someone about a potential security hole, to prevent someone else from using it, you'd know exactly why he had to get in rather than just find the problem and tell them about it.

Re:Why do they do it?

[eddie+can+read]

Now, if he LOOKED at personal/confidential files once inside, that is a different story. But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.

The problem with that reasoning is that when an organization knows that its systems have been entered by an unauthorized person, they do not know what he has done, and so they reasonably feel they have no choice but to act as though it has been tampered with. That involves a great deal of expense and effort on their part. That is money going down the tubes, a significant amount of money. That money is lost as surely as if their building had been broken into and office equipment stolen.

So it doesn't matter that, in the privacy of his own thoughts, the person who entered without permission knows he saw nothing and did nothing to harm them. His victim cannot know that; they cannot reach into his mind to see that he did nothing while on their computers. They very reasonably feel they have no choice but to treat their systems as truly compromised, which involves significant expense, and this expense is his fault. In economic effect, it amounts to vandalism.

No more bullshitting.

[Henry+Stern]

If NYT wanted a security audit of their system, they would have paid someone to do it. Since they did not, they obviously didn't want one. Good intentions or not, Lamo broke the law and deserves to face the consequences of his actions.

I realize that it's "chic to be geek" here with the whole "white hat" hacking stuff, but be realistic. After all, you don't see people doing the physical analogue of white hat hacking. That's B&E.

Re:No more bullshitting.

This isn't white-hat hacking by anyone's definition except maybe Slashdot.

Hacker the Gray

[AppHack]

So he's a gray hat hacker who has fallen into shadow. Will he come back as a white hat hacker, more powerful than before?

MS upset at free choice??

[Martigan80]

"We'd like to see the market decide who the winners are in the software industry,"

A typical American Business failure; to realize not every country wants a Republic governments backed by a capitalistic economic system. I think MS is just pissed because they haven't found a way to buy off the governments in Asia yet.

Re:MS upset at free choice??

[Hatta]

Are you lost? This is the Adrian Lamo article. The microsoft article is here

Run. Just get out of here...

[Jerk+City+Troll]

If you're in the United States, get out now. In this country, "hackers" are branded "cyberterrorists" and anything you do with a computer is treated worse than many rapes and murders. Get out. There is no sense dealing with these people... you will be treated like an animal by a bunch of animals and there will be no justice.

I should know. I had a little bout with the FBI from some messing around with computers in college. They nearly destroyed my entire life. A felony for such a minor offense? Insane.

Dialectic

[Henry+V+.009]

Everyone enjoys comparing hacking to breaking into someone's house or trespassing on private property. It is not. You cannot be 'inside' someone else's server. (It is doubly impossible given the girth of most hackers.) The physical definitions fall apart. And the metaphorical analogies do not mesh physical property and Turing machines so well.

We can begin with what we do know for sure about hacking. A hacking incident is when someone sends packets of information (in some form and by some medium) from a computer or computers to someone else's computer or computers. Which packets are illegal and which are not? Any exact definition raises problems. You can say that any packets that change the functioning of the target system in an unintended way is hacking. So the ignorance of the owner becomes the limit of what is or is not hacking. Faking an email address on a badly designed sign up page (or using mailinator) might be hacking under that definition. Other definitions are similarly problematic. Currently our legal system tends to default (once it actually gets to jury trial) to the above definition, but (in effect) adds that the act must be highly technical and use specialized tools. (Other definitions exist, and I am of course willing to bust holes in any particular one you care to suggest--so go ahead and suggest them.)

But there is such a thing as computer hacking. Everyone knows that. Even if we cannot have an exact legal definition, we know that some things are clearly computer hacking. What is the best way of creating law (which is now inexact) to deal with this behavior? I would suggest making the motive of the hacker one of the main considerations of law. It is always hard to for legal systems to judge guilt based on motive--and they should not if they can avoid it--but in this case, they must either judge the motive of the victim or the perpetrator. If the motive is vandalism or theft, then the act should be punished. Adrian Lamo's motive appears to have been an act that should not have been punished--though it is highly important to state that we do not yet know the facts.

Re:Dialectic

This comment has absolutely no content whatsoever. It says nothing, and takes three large paragraphs in which to do it. You idiot moderators were karma whored to the max. Great job, morons.

Lame-o took confidential information from the NYT network. He wasn't given permission to do so. His motives are unimportant for determining anything except the full extent of his punishment. His actions were illegal. His actions also open the NYT and himself to all sorts of financial liability. The moral of the story: don't exploit computer networks, copy private information from them, cash in on the media glory, and then be surprised when "unsporting" organizations decide that some punk stealing information that could get them sued isn't ok.

The bottom line is that we _do_ know from his _own admission_ that he has committed a crime technically. We simply are unaware of the extent of his law-breaking. There is no moral ambiguity here. No nonsensical debate over what "hacking is or is not."

Re:Dialectic

[Henry+V+.009]

This comment has absolutely no content whatsoever. It says nothing, and takes three large paragraphs in which to do it.

By "this comment", you are referring to you own three-paragraph comment?

Now, do you mean to say that it should always be illegal to ever get information that you do not have "permission" for? The investigative reporters of the world should take note. Or maybe you only mean your statement as an unprincipled exception, and only to apply to those big scary computers that hacking people use.

Re:Dialectic

I'm on to you, karma whore. You know absolutely nothing about the statutes in question. Now go cry to your blog about the minutiae of unauthorized access of computer networks. Maybe a bunch of fat ignorant people will be a more fitting audience for your stupidity.

Re:Dialectic

[Henry+V+.009]

Now this is interesting. 'On to me,' huh? Since you have already psychologically dissected my character with that masterful expose--you'd get a Pulitzer if there was justice--I will try yours.

You came across an argument that you disagreed with, but did not have the mental faculties to rebut. To express your disapproval you engaged in an attack without content: 'anybody fooled by this is an idiot'. After all, logical argument was not an option because of your limited means. When challenged, your pride prevented you from giving up, and you upgraded your attacks to a personal level. It was the rhetorical equivalent of monkeys flinging shit. Since it is a problem of your capacity and not your integrity, there is no reason to hold you accountable, anymore than one would lecture the monkey in the zoo.

Re:Dialectic

You continue to say nothing and yet utilize so much in order to do it. It's a classical ploy to present oneself as an intellectual, and thus a suitable candidate for positive moderation. If you would actually like to be seen as someone with something to say, perhaps you should actually have something to say. Your metaphysical arguments are immaterial. Please cite relevant case law, presuming you even know what he is being charged with.

As I said, I'm on to you. You can masquerade as whatever you will, but when the mod points come along you're getting modslapped. Your comment has absolutely no content. Wave your penis in the air, 'cause 'round here ain't no one gonna care.

Re:Dialectic

[Chester+K]

I would suggest making the motive of the hacker one of the main considerations of law.

Someone compromised your system containing sensitive data that you are possibly under contracts to which you could end up paying thousands or millions of dollars if the data is illicitly modified, or distributed; and you're going to just trust that the guy who shows up and says that he was in there has sterling ethics?

An intrusion is an intrusion, plain and system. Compromised systems need to be taken offline, thoroughly examined, rebuilt, and retested. The cost to a company to do all this does not lessen based on the motive of the hacker; and it's easy to feign good intentions in order to lessen your sentence when you've already been in the system, and got a copy of the data you wanted.

Re:Dialectic

[Henry+V+.009]

My god. Negative moderation. Make sure to tell me when you do it to make sure I notice. Wouldn't want any of your precious mod points to go to waste.

Re:Dialectic

[Henry+V+.009]

Whether or not our supposed 'white-hat' hacker actually compromises the system, they would still need to take it off-line and examine it and rebuild it and test it as you say. Why? Because he has shown them a security flaw which has existed in an open system. There is no way to know how many others have exploited the flaw. So the hacker in our imaginary case has incurred no extra expense on the company by reporting to them that he was able to bypass their security. The flaw was there before his actions. That their increased knowledge puts them to expense to correct a flaw is no crime on his part.

The problem of feigning innocence is exactly the problem that I referred to regarding motive above. But it is a problem in the law that errs to the defense, rather than erring to the prosecution as the law does now. And it is in the character of U.S. law to err to the defense when possible.

Re:Dialectic

10-4, good buddy. That's a 1.2 on the neocon scale.

Re:Dialectic

[Henry+V+.009]

I'm a bit thick. What did you mean by "That's a 1.2 on the neocon scale"?

Re:Dialectic

I was suggesting that you're a prime example of a neocon-class dotter. It's ok to be a newb. Slashdot is loaded with compulsives such as yourself, you'll feel right at home.

Re:Dialectic

[Henry+V+.009]

Ah, I understand. I thought it was some sort of anti-Jewish thing for a second. And yes, slashdot does seem to be littered with people with certain types of mental inadequacies.

Re:Dialectic

The bottom line is that we _do_ know from his _own admission_ that he has committed a crime technically. We simply are unaware of the extent of his law-breaking. There is no moral ambiguity here. No nonsensical debate over what "hacking is or is not."

Ahh, it is so clear to me now. Everything that is illegal is morally wrong. Thanks for bringing that to my attention.

Re:Dialectic

[goldfndr]

Everyone enjoys comparing hacking to breaking into someone's house or trespassing on private property. It is not. You cannot be 'inside' someone else's server. (It is doubly impossible given the girth of most hackers.) The physical definitions fall apart. And the metaphorical analogies do not mesh physical property and Turing machines so well.

There is one potential analogy that I can't find any holes in - from the sidewalk, yelling to the house owner that the dog guarding their unfenced front lawn will go to sleep if you say the words "Rover, lie down".

More alarming is ...

[dominic.laporte]

If a person is caught *while* doing this sort of hack how can you explain all you wanted was free publicity ? If i see a person going around my house the first thing that would come to me is a baseball bat !

Re:More alarming is ...

But they didn't see him in their house, he was already gone, the only thing coming to you is a baseball bat in the face, as you are blind and didn't see him coming, and you deserve it, but he is generous, so instead of batting you in the face, told you how to fix your security

Break in

[AtariAmarok]

"But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?"

In order for your analogy to be complete, you have to remember that he entered and altered things.

So, it is not a peeping tom you can compare it to. It is someone who busts in, pees on the floor in the bathroom, and drops pizza slices on the bedspread in the bedroom.

"The guy's not threatening anyone, nor is he stealing or endangering anyone's life."

The same can be said of someone who breaks into your house while you are gone and rapes your wife. Hey, he didn't take anything or threaten anyone's life, so it must be OK, right?

"The "Housebreaking" metaphor doesn't realy apply."

Yes, it does, since he entered. Your "peeping tom" analogy would only have worked if the guy was looking at material mistakenly put on public web sites.

Re:Break in

[urmensch]

Yes, it does, since he entered. Your "peeping tom" analogy would only have worked if the guy was looking at material mistakenly put on public web sites.

No, a public web site would be more like a banner over the front door advertising a birthday party.

Thinking of a window as a "port", using shades would be kind of like closing and opening that port.

Re:Break in

[efflux]

So, it is not a peeping tom you can compare it to. It is someone who busts in, pees on the floor in the bathroom, and drops pizza slices on the bedspread in the bedroom.

Or someone who left his business card on the table.

Or maybe it's like nothing in the real world at all, and we have different expectations of real privacy and security vs electronic privacy and security. So maybe, we should stop with the analogies as they are all strained.

And after this is over......

[micaiah]

1.) He will write a book

2.) Make a movie

3.) Profit

Adrian we're here to help

[Kurt+Russell]

you

Re:Adrian we're here to help

Been to Metafilter today too? yeah I read those stories... i'm on the strait and narrow...

Re:Adrian we're here to help

[Theodore+Logan]

I'm sorry, but this is not something to joke about. It is a very serious problem. Besides, the joke is so old by now as to be sickening for that reason alone.

Ethical but illegal

[r6144]

If what the cracker did is actually what this post says, I think he didn't do anything wrong ethically. There is really few alternatives if you do want to get the system fixed and the admin isn't that friendly.

But anyway he clearly violated the law, so it is mostly fair (albeit pathetic) that he gets prosecuted. He must be either very brave or stupid (or both) to do such things knowingly. Once I want to blame the law, but anyway there is already plenty of ethical ways to break the law badly.

Maybe the law should be amended so that the cracker will not have jailtime if he can prove that his intentions are good, and no actual damages are done.

Re:Ethical but illegal

[Courageous]

If what the cracker did is actually what this post says, I think he didn't do anything wrong ethically.

I disagree. He had no right to put his value system in front of theirs. It's quite likely that they valued their privacy more than he valued his ability to get into their system and tell them about their lack of privacy. You see, for him to do this, it requires him to invade their privacy and create problems for them on *his* terms. It's narcissism, and that's why he's getting busted. He believed that his terms were more important than theirs.

C//

What a joke

[Vellocet]

Come on. This guy has been breaking computer laws for years. Entering a system without prior authorization is against the law, period. Two things amuse me about Adrian Lamo: 1) He has never demonstrated significant or diverse knowledge of computer networks. The methods he uses to enter systems are trivial and repetitive. His ego is the only thing that can't be replaced by a simple script. 2) He brags about not accepting or extorting money. It's just as sickening that Adrian Lamo is all about fame. As the article points out "In February, 2002, Lamo told the Times of their vulnerability through a SecurityFocus reporter." As usual, Mr. Lamo talks to the cameras before talking to his victims. This is how this guy gets paid: national press coverage. To any security professional, this guy is a complete joke. Let him slide back into obscurity.

Re:What a joke

[Entrope]

Your argument falls flat on a number of points.

Reportedly, his access to the NYT systems was by using publically accessible proxy servers. Saying he needs prior authorization to do that is naive -- do you need prior authorization to access arbitrary mail or web servers on the Internet? Leaving the systems open is prima facie authorization. There would have to be some indication that only NYT employees (or whomever) were authorized to use the system.

You are amused that he uses the same tactics to access many poorly secured networks. Does it not worry you that so many networks are poorly secured in identical ways? I believe that is a much more significant issue.

You are further amused that he does it not for money, but for publicity. HELLO MCFLY. There are an unknown number of other systems just waiting for someone to break into them. If Mr. Lamo publicizes the existence gaping security problems (especially after working to help close the specific examples he finds), it encourages other businesses to close their holes. Without him, many of them would rather than sit fat and lazy and hope whoever penetrates them gets caught.

That publicity also brings business to the security professions who you think consider him a joke. Talk about biting the hand that feeds you.

Re:What a joke

[Vellocet]

"Reportedly, his access to the NYT systems was by using publically accessible proxy servers. Saying he needs prior authorization to do that is naive -- do you need prior authorization to access arbitrary mail or web servers on the Internet? Leaving the systems open is prima facie authorization."

So if you forget to lock your door is that "prima facie authorization" for me to enter your home, rifle your possessions, copy, edit, and distribute your address book, etc? No. Its breaking and entering, or trespassing. Is attaching a computer to the Internet and failing to configure your software properly "prima facie authorization"? "Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access" He was not just using public services. He was exploiting known flaws. The proxy server was only his gateway. He used this public gateway to access private information on the intranet. "Does it not worry you that so many networks are poorly secured in identical ways? I believe that is a much more significant issue." It worries me that businesses and individuals don't take the time to hire a professional or educate themselves on simple security methods. It worries me that Adrian Lamo hides behind a fictional white hat. It worries me that people like you think this is somehow morally correct. Entering systems without permission is reprehensible and illegal. "You are further amused that he does it not for money, but for publicity. HELLO MCFLY." I'm amused that he makes a point of his moral high ground while revealing his hipocracy. "Without him, many of them would rather than sit fat and lazy and hope whoever penetrates them gets caught." _I_ hope he gets caught. And punished. I think he should receive a lighter sentence for revealing his work, but what he is doing is still wrong. You really wouldn't care if a stranger broke into your private computer, read your personal email, copied your credit card numbers, and so forth, just because they told you afterwards? "That publicity also brings business to the security professions who you think consider him a joke. Talk about biting the hand that feeds you." The slammer worm brought alot more publicity when it infected hundreds of thousands if not millions of computers around the world. You think viruses and worms are good publicity? No. These types of attacks result in increased legislation and governmental control of the Internet. Is that really what you want?

Re:What a joke

So if you forget to lock your door is that "prima facie authorization" for me to enter your home, rifle your possessions, copy, edit, and distribute your address book, etc?

A publically accessable BUSINESS website is not analogous to a PRIVATE home. Try this:

"So if you leave the front door of your business open is that 'prima facie authorization' for me to enter your business"?

Yes.

perception problem

isn't it funny when one goes to a restaurant one never orders "mutilated beef with a side of some green plants recently killed" or "recently slaughtered hen with a side of some rare mushrooms you're helping tmake extince". Everything is an opinion in this world to think otherwise is deadly, remember this youngling.

crisis @ politrix dot org

Mens rea

[yerricde]

He might be able to prove or suggest no criminal intent, which would give the lenient sentence.

No intent means no mens rea which means no imprisonment.

What country does he think he lives in?

[Cyno]

Here in the US we do not tolerate these activities. He knows too much which makes him a potential terrorist. Using his skills without a license, without the authorization of the government, without legal protection, will land his ass in prison.

You're all just mad...

[whoda]

That a homeless guy is a better hacker than you.

Good!!!

I think it's great that he's been arrested. Hackers can't use telling the administrators as a shield, legitimizing their crimes. Hacking is illegal, plain and simple. Adrian Lamo is no different from the script kiddies that hack cable users for use in zombie networks. It's still hacking, he just went for a "bigger" prize. Then, to justify the crime he committed, he tells the administrator how he got and how they can fix it. It's still illegal, it was still wrong.

Thank God he's been arrested.

Am I supposed to cry now?

[davmoo]

I realize this will be an unpopular point of view with 98% of Slashdotters, but...

If you can't do the time, don't do the crime. Its that simple.

Regardless of if you agree with it or not, the law is the law, and it is currently illegal to hack in to a system without permission. If you don't like it, then work to get the law changed. And in the meantime, don't expect sympathy if you get busted for breaking it while knowing full well you could be prosecuted. Any man with brains enough to hack in to a system should have brains enough to know he can get busted for doing so.

Re:Am I supposed to cry now?

[LostCluster]

Lamo isn't exactly running from the law at this point, he's just insisting that they unseal the charges against him before he'll agree to turn himself in. If they want to come out and arrest him, they better do it by book because a camera crew from Keven Spacey's TriggerStreet Productions just happens to be doing a documentary about Lamo and will gladly document any excessive force.

The whole story about mom and dad's house seems to demonstrate that the FBI is more into using force than reading the rulebook right now. They tried to intimidate mom into letting them tear the house apart, claiming they'd have no problem getting the warrent. Well, mom called that bluff and it turned out that the FBI didn't have the cards. The FBI has plenty on Lamo for sure, but not enough to go snooping around his parents house. They only wanted to rough up his parents (if not physically, at least mentally by making a mess of their house) because they want to scare Lamo, but this was a scare tactic not allowed by the Constitution and the courts.

Lamo deserves the book thrown at him, but the question now is more of whether he deserves a paperback or an unabridged dictionary. And so far, the FBI seems to be trying to throw an encycolpedia....

Re:Am I supposed to cry now?

Yes, but is pointing your browser at a certain address and reading what it displays "hacking into a system without permission" ? Are you hacking this comment right now ?

Re:Am I supposed to cry now?

[dtfinch]

It's cases like this that demonstrate to lawmakers the glaring holes in the laws they pass. Undoubtably every single senator and representative in congress has recieved thousands of letters and emails protesting unjust laws like the DMCA and USAPATRIOT acts. Millions in all. It's clear that they make little if any difference.

The only real way to work to get the law changed, as you recommend, is to either get elected (not likely for most of us) or actively protest in full public view as Lamo does. He's doing a very brave thing for the good of everyone. Something that's clearly not wrong shouldn't be illegal.

Martin Luther King Jr had a lot to say about unjust laws in his letter from Birmingham Jail. To greatly summarize, it's better to willfully disobey an unjust law and face the consequences than to obey and thus support it. Laws should reflect good morals, not the other way around. Do what you know is right.

More likely...

[Brian+Stretch]

Lamo broke into the NY Times computer and found out that all their news stories are ghost written by the CEOs of Haliburton, Bechtel and Enron.

It would be more likely that Lamo found evidence that the NYT really is run by former Soviet "useful idiots". We are talking about a paper that has its own Pulitzer prizewinning apologist for Stalin.

Though in all fairness the NYT is likely just another bunch of leftist hypocrits. They complain about high prision populations, police "brutality", the Patriot Act, AG Ashcroft, etc., but when some kid makes them look stupid they go running to the FBI. Pathetic.

breaks the letter of what law?

and which letter? I never knew there were so many attorneys reading and posting on this forum.

You're a goddamn moron.

Think about this example:

I walk though a college parking lot, at night. I see a car with its lights on, unlocked. I open the door and turn the lights off, and maybe leave a note telling them to be a little more careful in the future.

Does that make me a criminal?

Re:You're a goddamn moron.

[LearnToSpell]

Legally, yes. Morally, well, that's up to you to decide.

Do we want to live in a society where people are unwilling to turn off somebody's headlights because they're afraid of being thrown in jail?

Re:You're a goddamn moron.

[Acts+of+Attrition]

Actually it's more like going into the unlocked car, taking it for a joy ride, bringing it back and then calling the owner and telling him that he shouldn't keep his car unlocked and his brakes might need a change.

Re:You're a goddamn moron.

Except neither the AC nor Lamo went for a joy ride, dumbass.

What we need is an intermediary

[capedgirardeau]

There needs to be an independent 3rd party who vulnerabilities in _deployments_ can be reported to.

Then they can contact the vulnerable organization, give them time to fix it and if they don't, publish the vulnerability. This protects the White Hat.

I can't tell you how many web sites I have found with various vulnerabilities that once I tried to contact someone to notify them they totally ignored it.

We are paying the costs for their insecurity in various ways already (credit card fraud comes to mind) yet we have no way to help prevent it!

That needs to change.

Good intentions don't mean it is legal

[rblancarte]

Drago - you are a fool. If you are hacking people's systems without their permission, YOU ARE BREAKING THE LAW. PERIOD. END OF STORY. If people were allowed to say "Well, I was doing it so I could help their security", then you would have all sorts of Blackhats hacking systems, and then claiming, "I was going to help, but you arrested me first." No.

Look, there are ways to do security checks like this, without the security teams knowing that you are doing it. Get permission, make sure that no one is tipped off, and then test the systems.

If there is one thing I can't stand it is people doing illegal actions and then claiming they are doing it for the greater good. This type of action cannot be condoned. Sure, you might be doing help, but you also might not.

Re:Good intentions don't mean it is legal

[rwise2112]

I agree 100% with this.

And how does anyone know if Mr. blackhacker hacked 100 systems for every whitehack he reports (possibly just as a cover).

Re:Good intentions don't mean it is legal

[ThePorkHawke]

I agree that this is currently against the law as the law is written, however, I don't think it should be illegal.

Imagine I leave my front door adjar.

Someone, possibly a postman, can walk up my drive and knock on my door (tresspassing?), and because I have left it adjar it opens easily. They can stick their head in and verify that it is not just an outer door and that they really are actually inside my house. They could then call out to me, leave a note or whatever telling me that my front door is on the latch or otherwise open to the wide world. I would probably be very grateful for such advice, and be thankful that a nice chap found this before some northern scum who would probably nick everything.

Have they broken the law? Possibly they have tresspassed by even stepping on my driveway. Point is, this activity should not be illegal, it makes no sense. If the person actually enters my house and nicks a load of stuff its a different matter, but if after finding my house accessible his only action is to notify me of the security breach then I cannot believe anyone would arrest him. Also, the act of stealing something is clearly much more seriuos that even sitting on my couch for a bit before deciding to tell me about it - which is akin to what this guy did.

I fail to see the difference between the above and identifying a security hole in a computer network.

Companies can't be bothered to secure systems properly, they don't want to be responsible for your data or losing it. They would rather scare everyone away from knocking on their door with these laws than listen to legitimate security concerns from concious parties. If they actually cared about protecting their systems they would not allow incidents like this. Which white hat hackers will bother to warn them about other shortcomings in the future?

Imagine you find a security hole in a network, do you;

a) Be nice and warn the company about it, risking going to jail,

or

b) Get out quick, say nothing and hope they don't notice so you don't have the FBI harrassing your fucking parents?

Who you really worried about hacking your system, Lamo or bin Laden? The current laws encourage b) which means the hole stays open longer and makes it easier for black hats to actually get in and collect credit card details, etc. The danger here is that someone will actually get in and do something bad with the data they get, or delete data, etc. Action should be taken which minimizes this risk, but this has the opposite effect.

Re:Good intentions don't mean it is legal

[rikkards]

Problem is that it is not your responsibility to maintain the security of someone else's network. Granted there needs to be more security awareness, but what there really needs to be is more CIOs hiring security teams to try to infiltrate their network without letting their underlings know (except that it could happen at any point).
Most military organizations have this inhouse and I am aware of some companies who do this, but still it is better to come down hard on someone who went poking (which he did) uninvited no matter what his intentions are.

Rather than breaking in why doesn't he set up a nice little web page that informs people on network security and where they can get up to date information on known exploits and the methods to stop them.

THen all he needs to do is let some CIO type magazine know about it and chances are they would write a nice pretty article. Or submit an open letter to said magazine, maybe they would publish it.

Course this is my 2 cents

Re:Good intentions don't mean it is legal

[MoneyT]

Probably because the company would ignore that site on security like they ignore all the other sites.

Re:Good intentions don't mean it is legal

Imagine I leave my front door adjar.

Someone, possibly a postman, can walk up my drive and knock on my door (tresspassing?), and because I have left it adjar it opens easily. They can stick their head in and verify that it is not just an outer door and that they really are actually inside my house. They could then call out to me, leave a note or whatever telling me that my front door is on the latch or otherwise open to the wide world. I would probably be very grateful for such advice, and be thankful that a nice chap found this before some northern scum who would probably nick everything.

Now, your analogy is just a little too simple here.
With what he's claimed to have done it would be more like this:

You leave your door unlocked. He comes along and notices that he can get in. Rather than simply informing you that you're leaving yourself open to robbery, he walks in.
He then proceeds to find personal documents of yours and photocopies them and adds his name to the end of your answering machine message that says who lives there.
He then tells someone else and gets them to inform you and the world of what he's done.
Would you be grateful for his security help at that point? Or would you be itching to call the cops?

Personally, I don't care what he claims his intentions were. He went in, he got a hold of confidental information, made some modifications (added his name to the NYT contributors list), and then told someone else who told the Times. (Unfortunately I can't find any info on the length of time between him going in and him telling the reporter.)
Even if his intentions were pure, he acted stupidly and is going to have to face up to the consequences.

Re:Good intentions don't mean it is legal

[FussionMan]

So the moral of this story is that if you are a hacker and you hack into some some system. Never tell anyone, especially law enforcement or the the admins of the system you hacked.

I'm sure our public records will be much more secure that way. As long as we don't know, it didn't happen. Another benefit is that lousy admins get to keep their jobs.

Re:Good intentions don't mean it is legal

[staticdragon]

here's my problem with the whole "its not his job to go hacking other people's systems" argument. I think it is MY problem, when I am a customer/ user of the system. Take one of his previous hacks for example, Excite@home. I was a customer of Excite at the time. He helped point out secuirty flaws to them. Now, Excite had all my pertinent information somewhere in their system. My name, my SSN, my address, anything needed to become me online. He wasn't invited to hack their system, but because he did and told them about it, my personal information is now a little bit safer. I am appreciative that it was he that got there before some random Eastern European hacker who only wants my CC number.

Re:Good intentions don't mean it is legal

[Izago909]

So let's throw the (relatively) most desirable type of hacker in jail so he gets out of the way of the black hats. This is some bullshit logic. Regardless of what his 'true' intentions were, his track record speaks volumes: He's always come clean with people.
While network admins are busy giving themselves kudos for integrating Microsoft's latest and greatest secure systems, he is busy looking for holes. Without these types of white hats, all the world would have is insecure networks remaining open to black hats until they discovered the holes the really hard way.
Screw all the evil, sinister things you think his 'true' intentions are. He and his counterparts have potentially saved your company millions in expenses when some black hat could have made off with gigabytes of confidential data. Think these white hats are bad? Wait until you have class actions out the wazoo because many of your customers are now facing the business end of your over confidence.
Screw modern hacking laws because they are stale and outdated. People always like to tack on new laws without even considering removing or revising obsolete sections. All it's going to do is alienate any potential allies. The bad guys won't get caught because they hide, the good guys don't hide because they think they don't have a reason to.
White hats are thrown in jail because they get bad attention and can cause a PR mess. Many times, the work of black hats can be covered up by the company or government. How many stories have we heard of hackers holding sensitive data ransom or extorting businesses in some way? You really don't think EVERY incident gets publicized, do you? These people want to make it look like they are tough on hackers, so they go after the easiest and most public targets.
You will be giving a powerful message to upcoming generations of hackers. If the end result is the same, what the hell do I need this white hat for?
Someone will come knocking at your door, it's inevitable. What color hat do you want him to be wearing?

Re:Good intentions don't mean it is legal

[Kenja]

If the post man goes into your house, rumages around and then leaves you a note that your underwear is dirty and your out of milk he should be arested.

Re:Good intentions don't mean it is legal

People like you should really try to open your minds a little more and stop seeing the world in terms of simple black & white. It'll make a better world for all of us.

Re:Good intentions don't mean it is legal

[rikkards]

And if they do get hacked and someone gets screwed because of it. Sue the company for neglect. It's the american way :)

Re:Good intentions don't mean it is legal

[arose]

Now just outlaw telling someone they left their door open (you did opened it didn't you?) or returning a lost purse (you violated the privacy of the owner!). Outlaw helping others at all while you're at it!

Re:Good intentions don't mean it is legal

[1lus10n]

no, its more like if the post man breaks-in and rumages around he should go to jail.

if you leave the front door wide open you couldnt convict him in an average court, he was "worried something may have happened to somebody".

besides in either case the postman isnt going to jail if it is his first conviction, he is getting probation. whereas hacking is equal to killing someone in the laws eyes, not just snooping around.

20 years to life for breaking into a computer system (for a first time offender)

5 years in prison or probation for breaking into a home or bussiness (for a first time offender)

so i ask how is this fair ?

Re:Good intentions don't mean it is legal

ohhhhh. ohhhh.

let's see: guns dont kill people. peole kill people. fucking great logic. whitehats, blackhats, purplehats, and all the other fucking hats.

how would logically define whitehats from redhats? or bluehats from blackhats? based on track record? ohh wait, i am model civilian by day, and evil mass murderer by night. by my public record, i am a great asset to the society, so let's not put me in jail.

what the hell kinda logic is that? we need to have black/white, on/off kind of laws. grey areas are what is wrong with the system. too many exceptions. too many laws to deal with exceptions. if someone touches somebody else's systems to gain access to it, when they are specifically barred from doing so, that is ILLEGAL. and should remain so.

in my opinion, there is no such thing as whitehats.

Re:Good intentions don't mean it is legal

[putaro]

You know, I often leave my windows open and my door unlocked. Adrian Lamo would often come in and sleep on my couch during the night and help himself to beers from my refrigerator. I'm so thankful that a "white hat" hacker took the time to show me that my house is not totally secure. I don't know what I would do without him.

If I want someone to check my security I will HIRE them. I'll take my risks with "black hats" breaking into my networks or premises and "white hats" can stay out or run the same risks as the "black hats" with regards to federal pound me in the ass penitentiary.

Re:Good intentions don't mean it is legal

[Izago909]

You know, I often leave my windows open and my door unlocked. Adrian Lamo would often come in and sleep on my couch during the night and help himself to beers from my refrigerator. I'm so thankful that a "white hat" hacker took the time to show me that my house is not totally secure. I don't know what I would do without him.
I hope you don't leave sensitive networks and data 'opened and unlocked' like you do your house. In a home, you have reasonable expectations of privacy, Networks, by their structuer, are public areas. Even an intranet is a public area, just as much as a walled community is. Someone who walks around an exclusive area such as that, and doesn't belong there, will get tossed out on their ass. If they resist or repeat they will probably be charged with trespassing. Someone who walks around the same are and breaks things, raises hell, steals will be arrested and charged with trespassing and then some.
Your example is my third, which means he was trespassing until he took something. It can't be breaking and entering without the breaking. Unfortunately, with computer crime, there are no true 'teirs' of infraction like there is with traditional crime. They way people have and will continue to beef up the laws won't solve a thing either.

If a reporter showed how easy it is to walk on to a plane with a weapon, they would probably win an award, if at least praise. If someone showed a credit company how it was possible to comprimise their data, they would run the risk of prison. I'm not saying you need to pin any medals on him, just realize that you got lucky instead of porked. Not so many are lucky wnough to get a hacker who will contact them, tell them what the hole is, and offer a solution. If you really must make an example, give him probation with electronic monitoring and take away his computer for 6 months. Reserve the ass poundings for the people who would have done the same to you.

Re:Good intentions don't mean it is legal

I think it is appalling that this good samaritan white hat is being treated this way. It is the same as if someone noticed the front door of your house was unlocked, or your car was unlocked. He doesn't take anything from your car or house, he's just letting you know you left it insecure. Personally, I'd be grateful for being advised of security problems, as opposed to choosing the route of ignorance, and then later saying "oh, I didn't know the house/car was unlocked, and now some black hat guy has stolen/wrecked everything!"...

Re:Good intentions don't mean it is legal

[DaveJay]

>If there is one thing I can't stand it is people doing illegal actions and then claiming they are doing it for the greater good. This type of action cannot be condoned. Sure, you might be doing help, but you also might not.

Not to oversimplify, but jaywalking out here in California is a $50 or so ticket -- I know because my wife got one.

If I ran out into the middle of the street to pull a stray dog out of traffic, should I receive a ticket?

I'm not saying that the hacking and theoretical situations are comparable, mind you. I'm just suggesting that you must judge every case individually, rather than apply a blanket statement like yours.

It brings up another issue

[The+Tyro]

and that's ethical vs not, whether it's hacking, or journalism.

Journalists are supposed to operate by an ethical code, and the vast majority do so. Journalistic ethics would say that you cannot break the law in order to get a story... though that's not say it hasn't been done. Check out this link. It would seem that ethical standards in journalism are quite flexible, and that there is no set rulebook. Instead, as in ethical dilemmas in many disciplines, one must weigh competing evils. The evil of impersonating someone, or operating under a false identity, veruse letting a politician go on with corrupt, harmful actions... which weighs more, and who decides?

By the same token, one might make the same argument for Adrian's actions. He intended no harm (as an investigative reporter might intend no harm in impersonating someone else to get a story), so the Mens Rea AKA "guilty mind" did not exist. Reporters often argue, when investigating and digging into the lives of public figures and officials, that those officials have less of an expectation of privacy than regular citizens... and to some extent they're right. Yet, how does the watchdog presume to waive the privacy of others in the pursuit of a story, while immediately running to the FBI? The media also argue that they have the right to dig, based on the fact that they are defending the public's "right to know." (how many times have we heard that?) The media assumes that power as society's watchdog... but who's watching them? Apparently, Adrian was, and they are NOT happy about it.

It's doubly ironic that an organization dedicated to exposing the truth (ostensibly in a transparent, above-board, and for-the-greater-good fashion), is getting their panties in a bunch over someone showing them some truth in a like manner. Apparently the old grey lady doesn't have a problem airing the dirty laundry of others, but is awfully sensitive about her own problems... and from an ethical standpoint, Adrian's actions are probably arguable either way.

I'm sorry, but I find this whole thing incredibly funny.

Re:It brings up another issue

[cthugha]

He intended no harm (as an investigative reporter might intend no harm in impersonating someone else to get a story), so the Mens Rea AKA "guilty mind" did not exist.

Methinks you don't quite understand mens rea. It simply means there has to be a basic level of intent behind the actions that constitute the elements of an offence, so if your actions are accidental, or you're insane, or you otherwise do something against or independently of your will, then you lack criminal intent and can get away. But if your actions are deliberate, regardless of the motive, then you do possess mens rea or criminal intent, and are stuffed. There are a few exceptions, such as murder, where it must be shown that you acted with the intent of causing the victim's death, or stealing, where it must be shown that you acted with the intent of permanently depriving the victim of their property, but otherwise motive is essentially irrelevant.

The media assumes that power as society's watchdog... but who's watching them?

Amen. It's amazing that the media sets itself up as another branch of government ("the Fourth Estate") without being willing to accept the restrictions and level of accountability that the other branches have. It's why I tend to be in favour of slightly stricter defamation laws that the US has in the wake of Sullivan, despite otherwise being very heavily pro free speech.

He screwed up

I have no sympathy for him. Regardless of his intent, he willfully violated the law when he infiltrated these corporate systems. The other companies whose systems he hacked were certainly under no obligation to express gratitude when he informed them of what he did. Am I supposed to thank a burglar who breaks into my house then tells me how he did it afterward?

If he is actively contracted by a company to attempt to exploit weaknesses in their IT infrastructure, that's one thing. But if no such agreement existed, his actions constituted a crime no matter what his intentions were.

Mod parent up.

[qtp]

Funny/Insightful

'nuff said.

lame-o

maybe he can use his superior social engineering skills to talk his way out of a friendly encounter with bubba and his two cell mates...

one can only hope...

You're right

[KalvinB]

We should just forget about crimes that are going on in our country and focus solely on those that *might* be perpetrated by the evil desert rat in the hat.

"Dear concerned Citizen, We know we live in a country with laws but we're too busy to enforce them. Good luck. The FBI"

Gimme a break.

Ben

Re:better avoid mom and dads house

Gay means happy. Only in the last few decades has it been used to refer to homosexuals. You obviously don't read much.

I have another analogy....

[PalmAddict]

If it is correct that all Adrian used was a common web browser to access this information for the NYTimes web site, I relate his actions to something that I have done in the BBR.

Take the fact that you have pulled into and parked in a public parking lot of a department store. Upon exiting your vehicle your notice that the car next to you has a set of keys in the door and no one is around. You check the engine and notice that it is cool and has been parked for quite some time. You check the doors to make sure they are locked and if not, lock them. You write a note stating that the owner of the vehicle had left they car unsecured and should check with the manager of the department store for details and after leaving the note on the door, you take the keys and give them to the manager of the department store telling him/her that one of their customers had left their keys in their car door along with the details about the car to verify who the owner is when they come to claim them.

Are you not at this point guilty of illegally entering the property (the vehicle), and theft of personal property, even more egregiously, security measures for such property?

I am curious as to why those whose information was easily available on the NYTimes site are not suing the Times into oblivion? I see the bigger crime as stupidity on the NYTimes part.

But hey, I wasn't looking over Adrian's shoulder as he was doing this so I could be blowing hot air out my ass....

Re:I have another analogy....

> Upon exiting your vehicle your notice that the car next to you has a set of keys in the door and no one is around.

That line should be changed to:

Upon exiting your vehicle you run around the parking lot while checking for unlocked doors.

Re:I have another analogy....

Oh, we have another anti-port scanning nazi in the house.

You guys are going to have to face up to the fact that communications are now automated. Anything that can be done once at the command line can be put in a for loop. To stick to the stupid analogy, it's as if the dude turned loose a robot to swiftly check all the doors for him. (And, of course, once they found an unlocked door, they went ahead and rifled through the glove box looking for the insurance papers to see who owned it.)

My house, my property

[KalvinB]

My server, my property.

There is no confusion. It's only confusing to people who can't get past the "it's on the internet" part.

Property Laws can easily be applied to cases like these.

You have no more right to dick around on my lawn without my permission as you do to dick around with my server. You've entered physical property and used my physical lines which cost me physical money to get there.

I don't care if you physically stomp on my garden or fly your radio control airplane through it to damage it. It's the same thing.

People like you would probably demand a "damage caused by remote" law on the books for such an occassion.

Current laws suffice.

Ben

Re:My house, my property

[Henry+V+.009]

So you maintain physical lines for people to send packets of information to your server, without requiring any specific agreement from them before use. You have no contract they must first agree to, and no posted rules that they must first read before sending packets to your computer. Someone uses one of those physical lines to send information to your server. Your server sends information back to him that is not acceptable to you. After the fact, you feel that the information he sent went against some permission that you never explictly stated. Therefore you wish him punished as a tresspasser?

Re:My house, my property

[qeveren]

I ping your server. I've just sent ICMP packets over your physical lines into your physical property without your express permission. File charges against me.

Re:My house, my property

[KalvinB]

"File charges against me."

Did you cause any damage?

No. Then I guess I have no reason to file charges then huh, moron.

Think. Use your brain. We complain about how complicated lawyer speak is to understand for common people and you're a prestine reason why. People have forgotten how to think for themselves and need to be told how to think down to every little detail. And even then it's a battle to get them to comprehend.

Ben

Re:My house, my property

[egc4ever]

Demonstrating actual damages is generally not required for intentional torts, i.e., trespass.

Re:My house, my property

Please explain what damages Mr. Lamo caused.

And remember: Think. Use your brain.

Hey, you left your keys in the door

[cpopin]

No, this is more like telling someone they left their keys in the door. No gratitude.

Wall Street Journal

[srichman]

Another well-known periodical, the Wall Street Journal was quite cordial when these kids cracked the Journal's session authentication scheme. I can see how exposed SSNs and address books could spook a company a lot more than a cracked online subscription system, but it's still a disparity worth keeping in mind if you're one of those folks who's keen on voting with his consumer dollars...

Oh, because corporations are always trustworthy

[the-banker]

I understand most of the arguments against what Lamo did, but there are a few points I want to get off my chest:

1. To all those saying, 'Its like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have rules one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.

2. I don't know how it needs to be done, but truthfully do you (the collective Slashdot you) trust companies to secure their networks, perform audits and be upfront and honest about their failures? If I were a NYT partner I would be furious that my information may have been publicly accessible, yet I would never have known about its vulnerability without Lamo. How many companies have been hacked, had credit card or other info stolen, and just not said anything about it? When Acxiom was hacked, personal information on individuals was stolen over 8 months before they "discovered" the hack - and the hack was found by Hamilton County, Ohio Prosecutor's office when investigating another case that had come forward. What are the chances that Acxiom KNEW they had been hacked, compromised personal information, and said nothing? I am guessing with the current climate of corporate ethics, a pretty high chance exists that a lot of information is being disseminated by people who stole it and consumers have no idea because the company in question is sweeping it under the rug.

Hacking into someone else's system is bad. Nobody can disagree there, but the bottom line is a tradeoff of negative impacts - for what Lamo did I see a lot fewer negative consequences than today's corporate irresponsibility with personal information and computer security.

Re:Oh, because corporations are always trustworthy

[juuri]

Houses are connected to streets which are a public medium.

Just because something is connected to the net doesn't give you rights to explore it. The free-willing, let's have a party and XXX.edu's servers have long passed. Stop pining for them and pretending the rest of the world didn't show up.

The Internet is no longer the wild west; that is a simple fact that lots of people need to accept.

Re:Oh, because corporations are always trustworthy

1. To all those saying, 'Its like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have rules one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.

And my house has a door which connects to my driveway, and my driveway connects to the street.
Oops. The street's a public medium. Since I connected my house to a public medium I guess I should have no expectations of privacy.
(Ok, that's not a good analogy, I'll admit it.)

But, I have a question. If as soon as you connect a machine to the internet you lose all expectations of privacy, you would have no problem with me connecting to you machine -- which is obviously connected to the internet -- breaking in and rummaging through your files, would you?
I didn't think so.

Re:Oh, because corporations are always trustworthy

[gothicpoet]

How can you not see where your argument just doesn't hold up? "1. To all those saying, 'Its like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have rules one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument." Yessssss... it IS like he broke into a house. If not a house, then a company owned building. Every HOUSE, every building has public streets and other public access ways adjoining it. Many company buildings have PUBLIC areas and PUBLIC hours of availability. NONE of that means that you, I, or anyone else can do as they please in that space, real or virtual. If a company puts a faulty lock on their doors and I come along and check that lock I KNOW that the lock means I'm not supposed to be there. It's COMMON SENSE that I'm not supposed to try to pick that lock. If I want to tell the company that the lock is faulty, that makes me a good samaritan. If I pick that lock, then go inside and pick the lock on a file cabinet and rifle through the files inside, I am going to be in a world of legal hurt if I get caught. And I am NOT a good samaritan. I am now a THRILL SEEKER. The whole point of being a thrill seeker is that you KNOW you are doing something you are not supposed to do. Is there some part of this which isn't completely clear to anyone with a mentality older than the age of 8? It's interesting that there are so many people who refuse to carry this through into the digital space. The analogy I just gave carries through perfectly to the current case. Adrian tested the lock - found out that it was a sh*tty lock and got it open. He went into the server (the building) where he knew he was NOT supposed to go and he got into the file cabinets (the files with the company data). He then went and talked about it. He had no expressed or implied permission to do something that IT WAS UNDERSTOOD he should not be doing and that there are legal penalties for doing. There may be questions about how severe the penalties should be based on what he did with the information he gained access to, however there is no question at all that he was doing something that EVERYONE knows you should not do. To think that there's no problem with what he did is NOT to be living in the real world. We all know that companies do NOT want us to break into their systems. To try to rephrase the argument in such a way that he didn't REALLY break into their systems is to play semantic games and apologetics. I don't think he's demon spawn for what he did, but it's a really immature habit to be (yes) breaking into other people's property and expect that sooner or later someone isn't going to take it VERY personally.

Re:Oh, because corporations are always trustworthy

Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.

So you don't bother with passwords on, say, your email account, right? After all, you have no expectation of privacy, and the Internet is just a bunch of shared resources.

Re:Oh, because corporations are always trustworthy

I totally agree with you. If anyone puts a computer on the internet (New York Times), and makes it accessable to anyone with a browser, then it is expected this information on that machine is PUBLIC, available for all to use (even registered users).

On the other hand, there IS data that is private. Such as transaction information. IMHO - this information must be KEPT OFF the internet. PLAIN AND SIMPLE.

Unnfortunately, the mechanism's involved in keeping this data secure DOES cost a lot to implement (VPN's, Secure servers, etc).

There are too many shortcuts people take when setting up systems. Either because they are lazy, or because they don't know how, or can't afford the cost. This is of course the main issues with security today. There are EASY ways and HARD ways of doing things. People take the EASY way, and NYT is no exception.

Sensitive data should be kept OFF the internet, END oF STORY.

His real problem

is not that he broke into the system to helpsecure the system . Adrians problem is that while he was there on his noble quest to help secure the network he accessed Social Insurance Numbers that were stored on the NY Times internal network.

One notable SIN # belonged to actor Warren Beatty (according to Tech TV's show last night) .Don't as me WTF somone would give their SIN to the NY Times that is just plain stupid.

This kid is going to jail for a long time whether he knows it or not !!

Response

[Overly+Critical+Guy]

I say, "Why did you have to break into my car to write me a note?"

Re:Response

To prove it was really possible, and that I wasn't trying to con you.

Duh.

MOD PARENT UP

Finally, a sane analogy. Prosecute him, fine - but the punishment should be no more than a trespassing charge. You can only prosecute him for what he did, not what he could've done.

Breaking into House/Car Analogy

[wiredbuddy]

The problem I have with this analogy is that most people can determine on their own whether their house/car is reasonably secure against break-in. Most people cannot do this with their computer.

First false stories, then shoot the messenger

[cpopin]

You know those boys over at the New York Times are not too bright. First they can't control writers printing false stories, now they can't secure their own systems.

And now they're going to air their dirty laundry by charging the messenger. They'd be better off taking the high road and by employing Adrian Lamo to help fix their problems.

I wonder how many people are going to trust NYT with their personal information from now on?

I also wonder if they've closed their security holes. If not, hackers with less honest intentions then Lamo may run with this story.

Re:First false stories, then shoot the messenger

Goatse on the NYT front page !

Ingrateful

[Bruha]

How many security experts have found exploits and have contacted the network department of the exploited network only to get a ho hum or nasty response of "whatever there are no problems"? Only when the systems are hacked and proved to management that things are ordered to be fixed. The security administrators nautral reactions are usually to blame the hacker even though the hacker had good intentions to help them he also probably cost someone their job. So it's no wonder the security admins probably in a effort to cover their collective arses asked law enforcement to go after the hacker.

I believe this is the case with NYT here. Yahoo and @home are understandably grateful becuase of the potential of lawsuits due to people's computers being hacked and they also would lose business accounts if those businesses perceived that the network was insecure. Even though all ISP's have a disclaimer I have yet to see something happen to where it's brought to court so it's a untested method of deniablilty of responsibility by the ISP.

Hopefully this guy can get out of the mess he's in and some security company will snatch him up or he can become a independent contractor for larger companies.

Either way it takes a security breakin to find the holes as many audits can also miss things. NYT should be thanking this guy.

No Good Deed Shall Go Unpunished!

Looks like the cliche has once again been proved correct.

Day of the dumbass

[Servo]

So, I guess his crime was being in the U.S. . . .

Yeah that is it. He should have moved to China and done his friendly exploits from there. That's the answer! OK!

Seriously, why do you think that because we have less legal course of action against someone on the other side of the globe that we should not enforce laws for people who live here? I do not get this logic, and only see it as a big excuse for people to break the law and feel good about themselves.

No, not all laws and punishments here in the US are just. As I said in the original post, I do hope that he is given some leniency because it does seem like he only had "good" intentions. Good intentions does not totally excuse him, however.

Re:Day of the dumbass

[Idou]

"why do you think that because we have less legal course of action against someone on the other side of the globe that we should not enforce laws for people who live here"

All laws are limited to their jurisdiction, a geographical area in which they have authority. The Internet has no such geographical limitations, therefore futile attempts by legislators to regulate activity on the Internet does nothing more than further complicate an already complicated legal system, create more loop-holes for corps to stick it to the consumer, and make drones, like youself, complacent with the current state of U.S. security.

Truth is, the only reason they found out about this guy was because he was trying to help out (and was a bit naive). The types of people these laws are really trying to deter are simply never going to be caught.

You are simply going to drive "white hat hackers" to become "black hat hackers", and the Chinese army is going to have a lot easier time cracking our systems without this guy pointing out our weaknesses.

Re:Day of the dumbass

[Servo]

First of all, what the hell is it with you and the chinese army??!?

I myself am not a drone, and not happy with the current state of US security, but what you seem to be proposing is complete anarchy, not any sort of security.

His motives are not on trial here, his actions are. There are ways to alert folks of problems with security without actively hacking them.

Re:Day of the dumbass

[Idou]

"First of all, what the hell is it with you and the chinese army?"

China has become the biggest threat to the U.S. sphere of influence. Also, Taiwan recently accused China of cyber attacks. It is just an example . . . try no to be so easily distracted.

"what you seem to be proposing is complete anarchy"

Having the U.S. stand clear of making laws IT CAN'T ENFORCE actually strengthens its authority. I don't know how you got off on the tangent that "no unenforceable laws" is the same as "no laws."

"There are ways to alert folks of problems with security without actively hacking them."

I'm sorry . . . I honestly do not understand your logic here. How is someone suppose to find out whether a system is crackable or not without trying to crack into it!? That is actually a pretty funny quote . . . maybe you should make it your sig.:)

Re:Day of the dumbass

[Servo]

How is someone suppose to find out whether a system is crackable or not without trying to crack into it!?

First and foremost, it wasn't his place to do so. I believe this is the intent of the law and reason for arrest. His motives are irrelevant.

Secondly, and more to the point, he was scanning for vulnerable versions of software to allow access. Once he indentified vulnerable targets, he was not forced to access them. He could have walked away or alerted the responsible parties that they were running vulnerable software and potentially had holes in their system. Just because a system *is* hackable does not give other people permission to hack/crack into a system because they want to see if it is possible.

It is quite obvious that you are either a purely academic type or have never dealt with any sort of management or ownership level of a business. That sort of practice is not acceptable to a company, even if the company network is run by an admin who can't even tie his own shoe.

Look, Adrian Lamo knew exactly what he was doing. He continued to do so even though he knew it was illegal and likely to end in arrest. At best, that's pushing your luck. At worst, that shows intent and disregard for the law.

What I find is funny is that you go on and on about "unenforceable laws", but they ARE enforcing it! That's what you are pissed about!

Re:Day of the dumbass

[Idou]

I still don't get it:

#nmap localhost

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1581 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
111/tcp open sunrpc
139/tcp open netbios-ssn

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Now, how the hell am I suppose to know whether or not this is a vulnerable system without running some exploit code on one of these services!? It seems like your understanding of "cracking" is much more academic than mine.

"He could have walked away or alerted the responsible parties that they were running vulnerable software and potentially had holes in their system."

Uh, he did that . . . that's how he got caught. Oh, I see, "excuse me,sir. I would like to alert you to the fact that you are running 'ftp.' Certain versions of this program have been known to be exploitable, but since I have not run any exploit code on your version, I don't know the state of your version." Yeah. sure. THAT will get their attention.

"That sort of practice is not acceptable to a company, even if the company network is run by an admin who can't even tie his own shoe."

Yes, and the people believing that laws are protecting them from exploits through the Internet are complete morons. . . The REAL exploits, causing damage, never get reported, because people like you are too embarassed to report them and are afraid of damaging their "goodwill."

"What I find is funny is that you go on and on about "unenforceable laws", but they ARE enforcing it! That's what you are pissed about!"

Yeah, like capturing people who openly communicate their intentions is hard, and we can consider it "enforcing laws against crackers"? Like I said, he could have done the EXACT same thing outside the U.S. and been safe or just not informed the company and trashed their systems. His crime was being in the U.S. and being nice enough to inform people about the vulnerabilities.

After this incident, I doubt we will be hearing cases like this. People will just exclusively crack to destroy and admins won't know what hit them.

Re:Day of the dumbass

[Servo]

Now, how the hell am I suppose to know whether or not this is a vulnerable system without running some exploit code on one of these services!? It seems like your understanding of "cracking" is much more academic than mine.

You aren't. It is not your system, not your responsibility. Knowing if it is secure or not is THEIR responsibility. Get the fuck out of other people's business.

Uh, he did that . . . that's how he got caught.
Uh, no that's not what he did. He accessed as much information as he could to "verify" what was open. He got caught because he told them what he did. If commit a crime and then tell the cops you did it, it doesn't excuse it!

Yes, and the people believing that laws are protecting them from exploits through the Internet are complete morons. . .
I agree with you there. These laws do not protect people from the exploits. A lot of people may falsely believe that they are "safe" because its illegal. But, what they DO say is that "yes its illegal". So when someone commits a crime, and yes what he did was a crime, they are liable for it.

Yeah, like capturing people who openly communicate their intentions is hard, and we can consider it "enforcing laws against crackers"?

Intentions are irrelevant in this case. He knowingly committed a crime. Period. End of story! It doesn't matter how hard or easy it was to catch on to what he was doing.

Like I said, he could have done the EXACT same thing outside the U.S. and been safe or just not informed the company and trashed their systems.

Are you aware that he committed a crime? Right? Remember? It doesn't matter where he did it from, it was still illegal. Just because he might be able to get away with it from outside the US, doesn't justify anything that you have said.

His crime was being in the U.S. and being nice enough to inform people about the vulnerabilities.

Oh you bleeding heart liberals sure do know how to move my heart! Do you really think that if you feed me so much bullshit after a long enough time I will think it tastes good?

After this incident, I doubt we will be hearing cases like this. People will just exclusively crack to destroy and admins won't know what hit them.

I hope that is the case. You'd think people might learn to keep their hands to themselves. Do you honestly think that white hat hackers are suddently going to go black hat because they can't commit crimes without getting away with it? If you think yes, then probably they aren't very white hat then, eh?

If he had been smart, he'd have incorporated and gone around offering security services. Walk in, say "I believe your network is insecure. Let's sign an NDA, and I'll perform a security audit." Vulnerabilities are fixed. He gets paid. Problem solved.

Did the Times admins lie on their resumes?

[Lodragandraoidh]

If he did the so-called 'hack' just by changing proxy settings - I think the prosecution is going to have a hard time arguing that he 'broke' in.

If I have an http server sitting where anyone on the internet can touch it - and I expect no one to visit it, and I want to try to charge someone criminally who does, then I must be smoking crack.

If you don't want someone to have access to something, block all access to it (ports) from outside - or set up a proper VPN 'hole' so that access from outside to those critical systems is properly secured. Use a DMZ for those systems that must be accessed by the public.

It sounds like the network admins at the Times are the real criminals, by lying on thier resumes about thier abilities...

Idiots high and low

The problem is mostly the media themselves...They don't know, and for that matter, their semiliterate consumers don't know the difference between a hacker and a cracker/script kiddie, etc. Another aspect of this is symptomatic of the current political situation...Everybody high and low is paranoid...Regular people, because their media outlets are leading them by the nose, and corporate entities for fear that they'll be exposed for the liars/cheats/manipulators they are...NYT should get their heads out of their ass...It sounds to me like a guy with skills who should be getting payed is getting hammered down...

lotr jokes ...

[krumms]

are lamo.

altered files?

[asv108]

But he didn't just "look in", he went and altered files.

He didn't alter files, he put his Name and contact information in the editorial database to prove to the Nytimes that their system was vulnerable. You make it sound like he corrupted stuff.

Re:altered files?

[maggard]

he put his Name and contact information in the editorial database

That's altering files. Furthermore that's what he claims he did, NYT then had to go and verify that is actually all he did, that it and other databases were still valid, etc. Tha'ts a lot of hours of work.

The "it could have been worse" agument doesn't make it any better.

Re:altered files?

[arose]

Ignorance is a bliss.

Re:altered files?

[catenos]

Furthermore that's what he claims he did, NYT then had to go and verify that is actually all he did, that it and other databases were still valid, etc. Tha'ts a lot of hours of work.

You don't really believe yourself, do you?

Of course, the NYT had to do all these lot of hours of work in any case, because they had a huge, whopping security hole. What makes you think they can presume he was the first/only one to find it?

Re:altered files?

[maggard]

What makes you believe that's ALL he did? As to a security hole, the asshole coulda just dropped them a note, not taken advantage of it to vandalize 'em.

Re:altered files?

[catenos]

Mine:

You don't really believe yourself, do you?

Of course, the NYT had to do all these lot of hours of work in any case, because they had a huge, whopping security hole. What makes you think they can presume he was the first/only one to find it?

Yours:

What makes you believe that's ALL he did? As to a security hole, the asshole coulda just dropped them a note, not taken advantage of it to vandalize 'em.

Very interesting. Now, please enlighten me what your reply has to do with my statements? Are you just trolling?

Regardless. I never claimed "that's" ALL he did. (Btw, what "that"? I didn't mention any actions by him.) I claimed that he caused them no more work than had to do anyway (i.e. if they had found the hole themselves).

asshole coulda just dropped them a note

Well, you will laugh, that's what he did.

not taken advantage of it to vandalize 'em

Ah, so adding his contact info to their database is now called vandalism. Okay, you are trolling.

why do I have to put a subject

[BRUTICUS]

I remember back in the 80s and 90s when youd see a car has left its lights on you would open the doorn and turn them off for the owner.

Your counter-analogy sucks too - try mine.

[GreenEggsAndHam]

There's a huge difference between scanning a few ports and having root on a system. That would be your analogies for looking through the window and standing in the lounge.

This guy was *inside* the system with the power to wreak havoc. That *is* the same as someone standing in the lounge ... and if he didn't have a can of gas and some matches well you can only count yourself lucky.

I guarantee that if I find someone standing in the middle of my lounge without having been invited I will fuck him up even if he introduces himself as One Of The Good Guys.

Now HERE is some honesty!

[AtariAmarok]

You want real honesty?

Imagine this: Jayson Blair interviewing Bill Clinton, featured in the National Enquirer (I know all about it because it was mentioned in G.W. Bush's State of the Union address, in the section about Iraqi nuclear weapons).

Now, that's bound to be totally factual, isn't it?

Interview him

[BortQ]

I would really like to see a slashdot interview with this guy.

Stupid NY-Times

[caffeineHacker]

If it was really as easy as the article states, then NY Times should be held accountable. Seriously, should they not be punished for making sensitive data so insecure. It's not all the kiddiots faults. If there was some sort of punishment for companies using losing security policies, maybe the CEOs would invest a little more money in security measures, and SSN, Credit Card numbers, etc..would be a little safer. Before I ever buy anything online, I always nmap out their server and check for blatant security flaws. If I find one I don't give my card number. ..since it's idiotic they can't disable useless open ports, configure proxy services, patch systems, and whole plethora of other crap that seems like basic measures to insure I don't get screwed when some 14 year old gets bored. Granted breaking into computers is wrong, but not fixing your problems is just as bad.

Re:custom client

[jimsxe]

God people arent we talking about Companies here? They certainly dont care about your information leaking out of their systems, why do you all care if someone breaks into them? He should have broken in, wiped all their servers and posted all their internal emails to the web. Then we would see how "innocent" they were. Companies are not people. Dont compare the two.

is there such a thing as cracking...

[lobsterGun]

...if the compuer in on the internet???

Think of this issue in terms of the web page deep linking argument. There are companies that have placed content on a public network that then object when people link directly to their content (as opposed to going through their interface). The argument is that since they put it on the WWW and made it accessible that they have no right to complain when people use it in ways that they do not approve.

Apply the same thinking to internet cracking. Does a company have a right to complain if the system that they placed on a public network gets cracked? Aren't they granting a tacit permission for someone to look at their computer by giving access to the public?

If they truly valued security, they could take steps to insure that their computer is not cracked - they could place set up a private network, or not put the system on a network at all.

Some will bring up the metaphore of the house. They will compare a computer to a house: You can look at the outside, but don't go in. Is that metaphore valid in the context of the internet? A house is a real world object, an owner has no choice but to place the house in the real world location where real people can get to it.

From the perspective of a cracker, a computer operates in the virtual world - the owner can decide not to make the computer accessable at all. The computer still exists in the real world, but by not putting it on a public network it does not exist in the virtual world of the cracker.

Since there is such a simple means of protecting the information store on the computer, should there be any penalties for accessing it in a way that the owner didn't intend? and if there should be penalties, shouldn't the be less severe than an equvalent real world penalty?

And at what point does accessing a computer become cracking? If they leave a directory shared, can anyone look at it? If they leave telnet open and don't put a password on the guest account, is that considered cracking? What if it is the root account that isn't password protected?

Anyway, those are just a couple of questions I ahve running around in my mind. In writing this I think I've answered them for myself. But I'll go head and post this anyway, maybe it will stimulate discussion.

that's smart thinking...

[buttahead]

I will go out today and do something illegal. Lets see... shoplift some fruit from the super market. I'll bring it back in a few hours and tell the manager that they have been robbed by myself and offer my services in helping prevent the same event in the future.

I guess it really matters what kind of mood the manager is in at the time. He could have me arrested. After all, I did break the law by stealing, even though I brought the items back. Or he could let me go and perhaps hire me.

If I am foolish enough to take those chances, I deserve whatever I get. Hopefully he gets some jail time. That will teach him to stay off of my property. If he wants to sell me a service, he should inform me beorehand what he is planning on doing, and let me opt out. that jackass.

I personally think whithats are great, but this guy is walking a fine line. He is using an illeagal talent to profit. He could just as easily blackmail the company he is hacking if they refuse to accept his help in sealing the holes. Either way, he can profit, and both are brought about by a inllegal activity.

The Problem is how they're handling this

[miraclemax]

I personally am of two minds about this whole thing. I understand that if he really was meaning to be honest and helpful with his exploit of their shoddy system, that he was doing a good thing in helping them correct it. Better someone who would be nice about it than someone who would not tell. but, at the same time, regardless of the intent, he did do something illegal. And regardless of your intention afterwards, it was a violation to their system and property to do so in the first place. So, in all fairness to his intentions, he should be prosecuted after due process. **What IS wrong, however, is that he has not been allowed to see the charges against him. He has said that as soon as he sees the charges against him, as is his Constitutional right, that he will turn himself in, so long as those charges are reasonable. Remember that Kevin Mitnick reportedly had inflated wild charges brought against him in a hacker hysteria and had reportedly had a lot of his rights violated in captivity. If I were him and pending jail time, I would be very nervous in light of this and other previous cracker captures.

Re:The Problem is how they're handling this

You say he did do something illegal, but you don't know that is true.

In fact, the FBI won't even say what it is he did that's illegal. If this guy was on the run from a secrete crime in Russia or China, we would all sign and wonder if those stupid commies will ever learn how to run a court system.

Furthermore, the events that people are SPECULATING might be the cause of the FBI's interest are not clearly against the law. After all, all he is described as doing was typing certain addresses into his browser and look at the page presented. It seems to me this falls more in line with the various cases of companies inadvertently putting press releases on their web site before the market closed when they ment to wait until after. The NYT set up the machine so that when you sent the normal, internet standard request for information to it, you got the information. If they had at least had a simple http auth with user "user" and password "password" one could reasonably argue it was analogous to someone locking their property with a crappy lock. It would at least indicate that they intended to keep the documents private.

Its a sad world

[madstork2000]

Consider this:
You see an open door at your neighbors house. You know the guy is on vacation.

Do you call the cops? Probably not, you just go over and check out the place for him. Most of the time the door was not securely latched, or the kids watering the plants forgot to close it.

But what if you discover that the place has been trashed and stuff presumably stolen. I would call the cops, and my neighbor. Would they be suspicious of me? Yes probably at first, but in the long run they'll more likely be grateful.

Obvisously, there are good reason for laws, tresspassing is one of the fundemental laws throughout history. But, I'm willing to give up a little privacy if and when someone goes out of their way to HELP me protect my property. I'd much rather a neighbor walk through my house in my absence if they think something is wrong.

I also happen to own a tiny hosting company, and I would definately rather have a white hat let me in on specific exploits my system is vulnerable to rather than leave it alone and let the script kiddies do their thing, if I have screwed up.

Unfortunately for Mr. Lamo a law is a law, and with the overzealous (at least on high profile cases) FBI on the case, they'll probably try to make him into another Mitnick.

It is a sad world, everywhere we go policies, principles, and even laws try to dissuade people from working together and co-operating. Capitalism, democracy are great in principle, and can be in practice, but even the best ideals can be bastardized by people in power.

Free software is said to be communism by its critics, sharing code in a CS course is bound to get you expelled, make a backup copy of a CD and face the rather of the RIAA, the world will probably end if the same DVD Can be played in europe, japan and the USA.

This is in my opinion another example of moral decay. We have all these rules and laws that do not promote morals, but rather promote some arbitrary standard of "rightness".

It is the principles of openess, and co-operation that have drawn me to Linux, and free speech software. I'm trying to raise my children right, to teach them to help others for the sake of helping. When something needs to be done, if you can do it, do it. I try to instill them with team values, that together they can accomplish more than they can by themselves.

Its just ashame that the way things are going I'll likely end up looking like a bad parent...

Re:Its a sad world

[gvc]

It might be more apt to consider what the response might be if you walked up and down the street trying the doors on houses belonging to people who don't know you from Adam, without regard to whether they were home or not.

What goes around, comes around...

NYT: "We sue you because we want you to know that we can sue you. It's called white sueing. :)"

Isn't INTENT part of committing a crime?

[Quizo69]

Correct me if I'm wrong (IANAL) but don't you need an element of intent to commit damage etc to be labelled as a potential criminal?

In other words, if you are hacking with intent to commit credit card fraud etc, you get done under credit card fraud laws because your intent was to steal the numbers and use them in a manner contrary to law.

On the other hand, if your intent is to do a public good for the company (especially if you state this in a sealed and notarised letter held by your attorney prior to the event) then surely you cannot be found guilty of criminal intent?

Re:Isn't INTENT part of committing a crime?

[gvc]

AFAIK, unauthorized entry is illegal in most jurisdictions, especially if you defeat some sort of locking mechanism (no matter how trivial).

"Criminal intent" means intent to commit the act that is illegal, not "intent to do harm."

As an OT example, I'm aware of a case in Manitoba of a person who was convicted of 'dangerous driving' for speeding in excess of 200 km/h. Although the judge accepted that the driver had no intent to drive dangerously, he did accept expert testimony that 200 km/h was dangerous, and that the driver intended to drive 200 km/h.

How else...

[idontneedanickname]

Well, how else will you believe them that they can break into your car? If they just leave a note stuck under your windshield wipers saying that your car is insecure and that you should do the following, you'll probably just think it's a prank or something like that, and disregard it. That is, if you don't mistake it for a parking ticket first, and just throw it away ;-). A note inside your car will prove to you that you are indeed at risk, and you will now probably seriously consider following the advice on the note, and taking security precausions.
Now back to the real world. If someone called up Yahoo, and said something to the extent of: "Your system is insecure, there's potential for exploitation here and here using bla and bla." They are unlikely to be taken seriously. That is, if they can even get a phone number of someone who will understand them. I think you can guess what would happen if they call the typical customer support. Of course there are exceptions where there are intelligent sysadmins who will listen to someone who knows what he's talking about, and invest 10 minutes to see if they might be correct.

Just so you know, I think it's really not worth anyone's time to go around checking other people's/companies' security. If large companies such as Excite@Home and Yahoo don't have tight security, that's their own fault. They should be the ones looking for consultants to make sure their systems are unassailable. I seriously wouldn't care if they got hacked, especially if they care so little about their customers that they don't make absolutely sure they will be able to offer their service without interruption. To think some people pay for Yahoo Mail...

Re:How else...

[Nept]

Well, how else will you believe them that they can break into your car?

Why should you care?

No really, why?

New York Times story

[cpopin]

I thought it would be interesting to see NTY's take on the story.
http://www.nytimes.com/cnet/CNET_2100-1023_3-50722 68.html

So I was walking downtown...

[ZackSchil]

...at about 2am and I saw a light on in a jewelry store. I walked up to the door and peered inside, it looked like no one was in there. I gave the door a little tug and it moved a bit. It must be stuck I said so I gave it another tug. something clicked and the door opened. No alarm went off, nothing. I walked around and called for an employee but no one answered. I looked around and saw no one. I went in back, found a pen and piece of paper wrote a note for the guy at the store that his alarm was off and his front door was open or the door lock wasn't working. I shut off the lights and locked the door from the inside so as not to attract thieves, and left.

The next day I found out that the FBI wanted my head and had surrounded my parent's house. Wait, what?

MOD PARENT UP

All the news thats is fitted to print

[cluge]

The NYT is one of the most hypocritical organizations today. They sue to get 9/11 tapes of people dieing - all in the name of "openess" and "public information", yet they have a network connected to the public network - which is open and transparent through their own doing - and thats bad/illegal? PLEASE - The NYT's proxy servers were so misconfigured that it was akin to them posting information in the window of the downtown offices and then getting pissed if people read what they posted.

You can bet your rear quarters that if our hacker had been a reporter on a story for the NYT that they would be vigorously defending his actions. Like most large corporate entities the NYT has no moral basis for anything it does, in the end it's about money, not honesty, truth or enlightenment. It sure as hell isn't about the times mission statement which is "The Company's core purpose is to enhance society by creating, collecting and distributing high-quality news, information and entertainment."

Perhaps our hacker should have "enhanced society" by distrubiting the inromation he found to the world. It would have been high quality news to see how one of the most influtential papers is really run.

Re:All the news thats is fitted to print

[bradleyjg]

Not to mention all the classified and secret information they publish from unnamed sources. That's espionage and should be treated as such. Freedom of the press doesn't mean freedom to spy on your country. They are a bunch of sanctimonious, hypocritical assholes.
-faramir

Really did it, cocksucker.

Long story made longer, I left no note and somebody's old hooptie didn't have a dead battery when they got out of their night class.

You gonna come beat me up now, Mr. Internet Toughguy?

Re: hacking and intentions....

[King_TJ]

It seems pretty obvious to me that hackers doing this sort of thing are simply trying to draw as much attention to themselves as possible, in order to boost their ego and enhance their career options.

Plenty of self-proclaimed "white hat hackers" are low-key individuals, who draft up lengthy "codes of conduct" that they agree to follow, as they discuss security holes and exploits on mailing lists or newsgroups. They generally report holes privately, via email, first - and only (hesitatingly) release details on the flaws if the vendors don't respond in sufficient time.

I really don't think Lamo fits in this category at all!

Besides, if he was so confident his activities were legal and ok, why is he running around from state to state, in hiding? If he felt he had a strong case in his favor, you'd think he'd just turn himself in to the FBI right away, so he could show their folly in court and walk away righteous.

This guy just wants to stir up trouble, and was banking on the mass media portraying him in a positive light the whole time, so he'd land a high paying job doing security consulting. It backfired on him, and now he's on the run.

why does everyone care about current laws so much?

why not take the chance to re-examine the status quo. i say decriminalize all victimless crime.

Re:better avoid mom and dads house

[deglr6328]

not many intelligent gay guys I know say "fag" unless they're mocking an idiot's use of the word. By the way Adrian is gay. His "boyfriend application" is still around from 2000.

oh good

[waspleg]

so next time you go 5 mph over the speed limit i think you should be executed mafia style cause after all you're a criminal and there is no gray area whatsoever it's a perfectly black and white world just like The Beaver had.

Non-Issue

[Visceral+Monkey]

Such a non-issue and so not worth a story here. He broke the law and will go to jail; simple really. Who cares if he's "homeless" or living in the lap of luxury. Let's pile on some more hype to this idiot, shall we?

Re: the car analogy

[King_TJ]

You're absolutely right, however - I find even this to be frustrating.

Some years back, I was working at a small computer store in a quiet part of town (no crime to speak of, etc.). It was a hot summer day so I purposely left my car window rolled down about half-way, parked it behind the store, and went in to do some work for about 20 minutes.

When I got back, I had a note sitting on the driver's seat from the county police. (It was even on their letterhead.) Basically, it was a hand-written warning from the cop that was patrolling the area, saying my car was an easy target for theives and I should make sure not to leave my window down like that again.

Did it harm me in any way? No, of course not... But I still felt like it was stepping on my rights. Who was this guy to tell me what I should or shouldn't do with my car? I was fully aware of the risks involved with leaving my window rolled down. I surveyed the situation and made a willful decision that I'd rather take the (small) chance of theft, vs. the 100% probability my car would be steaming hot when I got back in it.

As far as computer hacking attempts go, I think respectable "white hat" hackers should stick to exchanging information amongst themselves on what flaw they find, using their *own* systems - and go through proper channels to report issues and bugs. If that fails to get results, publish the exploits if they like. But let other people do the illegal hacking using them. Companies that don't do security patches are on their own, as far as I'm concerned. It's not anyone else's responsibility to harass them into compliance. After the "black hat" comes along and screws them over - they'll learn (or maybe even go out of business from the incident).

NYT?

[wolf-]

They were worried he knew just how much of their news was faked.

Re:NYT?

NYT stands for "Not Yet True", doesn't it?

Police vs. judiciary

[gvc]

As far as I know, John Ashcroft has not yet been able to completely eliminate the distinction between these two distict components of the administration of justice.

Most of the arguments that I've seen here are the sort that Mr. Lamo can make in court. If the court finds that his actions were justified, it has the opportunity to acquit, or to give some other form of discharge.

In my neighbourhood, I would like the police to arrest people they find in jewellery stores late at night, or in my home while I'm on vacation, or on my computer without permission. If the prosecutor or the judge decides that no charge should be made, or that the charge should be dropped, fine.

While I feel some sympathy for this self-appointed security checker, I can't immediately fault the police. Especially without access to the facts of the case, which will be exposed in the judicial process.

One might argue that Mr. Lamo is being punished by having to go to court. I think not. He must have been well aware that his actions were provocative and that this was a likely outcome. Now he will have the opportunity to justify his actions.

Entering via an open door...

[podperson]

If you leave your front door open and I take a look inside your house, what crime have I committed? At most, I am told, trespass. If you left the keys under the mat and I opened the door, it's breaking and entering.

Similarly, if I take your car with the clearly stated intention to return it when I am done (e.g. if I desperately needed to drive someone to the hospital), I haven't stolen it, I've borrowed it -- with or without your permission.

Theft, burglary, etc. are crimes defined in part by the intention of the alleged perpetrator and the damages suffered by the alleged victim.

OTOH we live in a world where one of the first "terrorist" groups targeted by the government after 9/11 were Environmental Activists who destroy machinery but have been careful never to hurt anyone.

But I'm no lawyer.

Re:Entering via an open door...

[tiny69]

If you take someone's car and then return it, it's still theft. You denied the owner his right to use his car while you had it. Not only that, he can blame you for EVERYTHING that is wrong with the car. Whether you had anything to do with it or not. A tear in the seat, engine runs a little rough, a dent in the fender, etc. Even if you didn't cause any problems, how are you going to prove that you had nothing to do with it? You did take the car without permission. Who's going to believe you?

Same issue with White Hat hacking. If you break into someones computer or network, then you can get blamed for EVERYTHING that goes wrong. A harddrive dies, a computer gets infected with a virus, techs have to get called in to fix a networking problem, etc. If you had unauthorized access, you can be blamed. And who's going to believe you when you say all you did was look around? How are you going to prove that you had nothing to do with the problems? Sure, you can give the authorities a log of what happened, but how are you going to prove to them and a court that you didn't alter them to make yourself look good? At best, using a log to prove your you didn't destroy anything will prove that you did break into the computer(s)/network. Remember, anything can and WILL be used against you.

Re:Entering via an open door...

[podperson]

If you take someone's car and then return it, it's still theft. You denied the owner his right to use his car while you had it.

If I park someone in I deny them the right to use their car, but I haven't stolen it. I'm talking about the legal definition of theft not your intuitive definition of it. Intent is key, if I intended to return it I did not steal it.

If people do not believe that I intended to return it then I might be convicted of theft, which is clearly a risk in taking someone's car, regardless of one's intent. But again, I would not be guilty of theft, merely falsely convicted of it.

Not only that, he can blame you for EVERYTHING that is wrong with the car.

He can blame me for everything wrong with the car no matter who I am or what I've done. Whether he can prove it in court is another matter.

Who's going to believe you?

Clearly, this may be a problem. Let's take my original example -- trying to get a pregnant woman to hospital. Let's assume I have good character, left a note, my wife was indeed pregant, I did take her to hospital, and did in fact return the car. I think a lot of people would be inclined to believe me (indeed, most car owners would probably believe me). If in court he tried to claim I had destroyed upholstery, etc. etc. these allegations would be worth about as much as any other random allegations.

Re:Entering via an open door...

[tiny69]

If I park someone in I deny them the right to use their car, but I haven't stolen it. I'm talking about the legal definition of theft not your intuitive definition of it. Intent is key, if I intended to return it I did not steal it.

The courts disagree with your intuitive definition of intent with regard to stealing.

http://courtofappeals.mijud.net/documents/OPINIONS /FINAL/COA/20021217_C228081_57_280O.228081.OPN.COA .PDF

With regard to whether the car was stolen, defendant asserts that there was no evidence presented that he intended to permanently deprive the owner of her car. Defendant's argument hinges on his assertion that for the property to be "stolen," it must have been taken by larceny and, thus, taken with the intent to permanently deprive the owner of possession. Defendant is correct that a larceny requires that the property must be taken with such an intent. See, e.g., Cain, supra at 119, citing People v Goodchild, 68 Mich App 226, 232; 242 NW2d 465 (1976) ("The felonious intent required for larceny, animus furandi, is an intent to permanently deprive the owner of his property."). However, we find that the statute concerns any property taken without permission, not only property taken by larceny.

MCL 750.535(3)(a) requires that a defendant must have possessed stolen goods. However, the statute does not define "stolen." In the absence of statutory definition of a term, this Court may consult dictionary definitions to determine the common meaning of a term. People v Morey, 461 Mich 325, 330; 603 NW2d 250 (1999). Random House Webster's College Dictionary (2000), defines "steal" as "to take (the property of another or others) without permission or right, esp. secretly or by force," and "to appropriate . . . without right or acknowledgement." For goods to be considered stolen under this definition, they need only be taken without permission or right; thus, "stolen" goods encompass a broader category than just goods taken by larceny. Defendant conceded that sufficient evidence was offered to permit a reasonable jury to conclude that he took the car without permission. Accordingly, the jury could have concluded that the car was "stolen" as that term is used in the statute.

I can point out other cases that essentially say the same thing if you would like.

Re:Entering via an open door...

[podperson]

Thank you for proving my point! Read your own posting:

Defendant's argument hinges on his assertion that for the property to be "stolen," it must have been taken by larceny and, thus, taken with the intent to permanently deprive the owner of possession. Defendant is correct that a larceny requires that the property must be taken with such an intent.

What the court has done is said that he's guilty of possession of stolen goods not of a larceny (and that they can do this because their statute for possession of stolen goods doesn't require the goods to have been stolen by an act of larceny as per the legal definition of the word but stolen goods as per the meaning of "stolen" as per the dictionary). (If you read the definition of "steal" in Webster's you'll see they're skating on thin ice here, too!)

My guess -- the defendant is obviously guilty, but making an appeal by splitting hairs and the judges are splitting hairs in response. If the appeal had been against a charge of larceny they would probably have split different hairs.

If, on the other hand, a reasonable man who had taken a car with the clear intent of returning it were making the same argument, it probably wouldn't need to go to a court of appeals.

Re: Your fly is open

[Ignis+Flatus]

I know it was rude of me to look there in the first place, but now that I have, would you prefer me to keep this info to myself?

Consider The NY Time's Liability

[nutznboltz]

What about the NY Time's liability? They can't just let people access their system against their will knowingly without doing damage to themselves.

Suppose another hacker came along and was not a white hat and there was damage? The NY Times would be asked if they defend their site against known intruders.

I know Adrian.

[musingmelpomene]

I'm sorry this is happening to him - but I also know he's got enough places to hide that they'll have a hell of a time finding him.

Damn the law

[bshroyer]

This is how we do it in America:

1. find a stupid law (cybercrime, euthenasia, sodomy)
2. break it
3. get arrested
4. rally your support group behind you via the media
5. abolish stupid law

The way I see it, Adrian Lamo has accomplished 1 and 2, is about to accomplish 3, and we're working on number 4.

Go Adrian!

Government agecy for hacking

[jjhlk]

This makes me think the solution is this: make an agency that goes around trying to unobtrusively hack certain sites (I guess the biggest ones with more money involved). Lamo did fix some holes relating to banks! So he did some good, only illegally. If it seems important though, make an agency. I read about the idea initially at the Don Lindsay archive. I thought about how much it *could* work after reading this.

Legality.

[mindstrm]

Everyone is drawing up all kinds of analogies... but let's be serious.

Did he knowingly access computing resources he knew he had no permission to use, and that he suspected the organisations in question thought were secure and not for public use - Yes, he admittedly did this.

That, sorry, is illegal.

You can go on and on about how he didn't hurt anything, how it was insecure anyway, how his intentions were noble.. but it was still against the law, and he KNEW, or should have known it was against the law, he just banked on not getting charged.

Do I think he should be in jail? Heck no.. but neither should we pretend he did nothing wrong... we drew a line, made some laws that say you can't go poking around in other people's computers without authorisation, and we expect people to follow them.

This isn't a civil rights issue. This isn't a good-guys-vs-bad-corporation issue. This is a guy who knew the risks, and did it anyway.

Accessing someone elses system is irresponsible, despite noble intentions. You don't know what damage your actions will cause, even if you are intelligent, and know the technologies you are using. You don't know what customised systems they may have that your intrustion will interfere with... they have a right to expect you not to be there.

Re:Legality.

[mindstrm]

You can say the same about just about any law... but there are rasons we have those laws in the first place, and it's not for one or two people to decide that the law is unjust.

LEt's say you scanned my system, and I had an open proxy. You could have screwed stuff up; you had no reason to be there... you don't KNOW what I run.. you don't know what damage you may have caused. That's why the network was PRIVATE, and you weren't supposed to be using it.

I agree not all illegal things are wrong, but in this case, it WAS wrong.

What part of this law is unjust? The part where you aren't allowed to use my systems without my permission? He ACTIVELY broke in.. it doesn't matter if it was for a greater good. I could go around breaking into houses in the neighborhood, and cleaning them all, to try to prevent disease.. does that mean I'm not doing anything wrong, becaues my cause was noble? Hell no.. I'll still get in shit.

Is this guy a felon? No.. but how you can pretend he did nothing wrong boggles the mind.

Also

[mindstrm]

it's fairly clear that NO damage was done whatsoever, and could not have been.

Furthermore, it is up to the owner whether or not to charge him.. he COULD have been charged with trespass.
Of course, it could be argued he didn't knwo if the door was supposed to be open or not, and went to check if anyone is okay.. a store is a semi-public place. This is different than using an open proxy to surf an internal network..

Surprising lack of common sense

[StormReaver]

Once again, this is nothing new or mind-bending. It's just another self-made computer hacker with high intelligence and a surprising lack of common sense (which, based upon many of the talkbacks, is shared by too much of the readership here).

The basic principle at play here is stupefying simple: if it's not your property, don't touch it.

Your intentions are completely and absolutely irrelevant. The fact that a business poorly secured its system(s) is also completely and absolutely irrelevant.

If you accidentally stumble upon an open sensitive link that you suspect shouldn't be open, and if you want to be nice, call or email the site operator and explain what happened. And then don't use the link again!

Discovering and using, without permission, a private internal proxy server to snoop around a site you know full well is not intended for you is quite obviously wrong.

The proxy setting did not just spontaneously set itself within this guy's system (due to a virus, trojan, or whatever). He explicitly set the proxy with the express purpose of breaching the private property of another, without that other's prior permission. And to make matters worse, he then intentionally rummaged through the system and much personal information.

There is nothing in this story that makes Adrian Lamo out to be anything other than a retarded crook.

My personal opinion is that he should be sentenced to 60 days in the county (or city) jail and fined a few thousand dollars. Maybe after having to shit with unsavory witnesses in a tiny enclosed space for a couple months, he will discover a stronger sense of respect for the privacy of others and of their property.

As part of my job, I have to frequently enter and move about the county jail. I don't know the exact dimensions of each cell, but it's close to 5x9. The toilet sits in a corner tucked between the bunk beds on either side of the cell and faces the surveillance camera. There is not even the illusion of privacy, and there are no ventilation ducts in the cells. To ventilate the cell from the stench of feces requires the steel, computer controlled door to be opened. And the doors are only opened periodically (for meals, scheduled exercise, inspections, etc.). The shower (most pods have only one) faces the public area of the pod, again eliminating any sense of privacy. And this all applies to the low security pods. The high security pod is a totally different (and much worse) story.

All county employees were given a full tour of the jail before opening day (the jail is less than two years old and is quite technically advanced), so I was able to inspect all areas of the jail, and I witness its daily operations on a daily basis as part of my systems support role. All things considered, it's an awful place to live.

It seems to me that Adrian's sense of values could only improve with a short stay in such a facility.

Re:Surprising lack of common sense

I could be totally fucking off here but it seems that a person who has some serious hacking sk33lz, and is using them to help people isn't very bad. Wouldn't you only wish a stay in your described cell on a bad person? I agree that he should probably be elecrtronically monitored and have some serious fine$. If I was put in a cell for 20 years for helping someone like that (this is a possible sentence for adrian), i would come out with some serious anger and hatered for the idiots around me. You better bet your ass I'd be taking it out on the people i tryed to help, if not everyone. If lamo does this we could all get some serious problems.

Apparently the NY Times heeded sec zealots

[aricusmaximus]

From related story http://www.securityfocus.com/news/358

[Li]mited amnesty for hackers was too much for NFR Security CTO Marcus Ranum, who signaled his dissent by applauding alone from the back of the room at the mention of a legislative proposal that would make some hackers eligible for life imprisonment. "You guys are a bunch of security professionals and you're sitting here making apologies for hackers," said Ranum. "That's the lamest thing I've never heard of."

In an interview later, Ranum called Lamo a "sociopath," and said his hacks are indefensible. "It's against the law, how much more cut and dry can you get?" said Ranum. "If society was comfortable with what's he's doing, they'd change the law."

Perhaps he doesn't like the fact that Lamo is doing this for free instead of making the NYTimes pay through the nose?

Re:Apparently the NY Times heeded sec zealots

[proberts]

"Perhaps he doesn't like the fact that Lamo is doing this for free instead of making the NYTimes pay through the nose?"

Perhaps you should look at what Marcus has done for the community before you cast such aspersions.

Besides making the Firewall Toolkit free, he's always been extremely helpful and well-principled.
Maybe you just don't like the fact that honest people are vocal about those who aren't being honest.

As the principle architect of three firewall products, Marcus has done more to protect the 'Net than probably almost anyone. What have you done?

It's not like the laws are a surprise- if you're doing something illegal, then intent only gets considered during the penalty phase- if you're not smart enough to understand that, you really should be flipping burgers, not pission off multi-billion dollar corporations.

Ad hominum personal attacks just because you don't agree with someone's position on something shows you to be foolish.

When people stop attacking systems, we can spend money on making the world better, instead of protecting things from malcontents. The more folks that go to jail for attacking systems (no matter what their claimed motivations) the more risky attacking systems is, the less they'll do it, the better off everyone will be.

Paul

Re: hacking and intentions....

[parliboy]

Well, the big reason he was taking his sweet time was that the federal prosecutor sealed the charges. When you see sealed charges today, you know that's the thing that goes hand-in-hand with being disappeared and threatened with charges of terrorism if you don't plead guilty.

Sorry, but I don't think I'd do anything different in those circumstances.

Re: hacking and intentions....

[aricusmaximus]

So what? The end result is positive. If a person points out critical security flaws in your system, he's doing a service for you. True, it's obnoxious and even a little scary that the person could stick his/her nose that far into your system,

Being confident that what you're doing is okay doesn't mean necessarily that you trust that the legal system/government won't fuck you over. Ruby Ridge or Waco anyone?

What's the point in driving white-hats underground? What they do is good for the internet community. And the NY Times is being a bunch of wrongheaded dicks for fucking with that.

Give the NY Times a piece of your mind

[aricusmaximus]

Let them know that they're doing a disservice to the internet community.

Give their public relations guys a call and let them know they're making a bad move.

http://www.nytco.com/contact.html for phone

Or via email:

http://www.nytimes.com/ref/membercenter/help/let te rtoeditor.html

Legality?

[Tellalian]

I'm surprised at how many "good ridance, the jerk shouldn't break the law" posts I've seen, especially when breaking and entering, in the context of computer security, is defined so vaguely. From the context of the article it sounds like the hack in question, of the New York Times, involved accessing data by "anyone capable of properly configuring their Web browser." If someone accesses a page on your website that you didn't mean for them to see, heh, they can't read your mind. And, might I add, the metaphors of someone "breaking" into your house or car don't quite fit. The nytimes.com is a huge publically accessible website (duh). A more appropriate metaphor would be someone going into a department store and walking into a room meant for, but not listed as, authorized personel only. If he had used some social engineering to obtain passwords, exploited a software bug, or used a trojan or virus to hack the NYTimes, I'd agree that the guy is at fault, but using your web browser to access data wasn't illegal the last time I checked.

It's all proceeding according to plan. . .

[Fantastic+Lad]

How long does everybody give the web before the Big Lockdown?

All they have to do is keep on punching the 'Fear' button. The general public doesn't see the Adrian Lamo case through the same lense that Slashdotters do. They see "Hacker" "FBI" "House Surrounded".

Even if there is a rational understanding of the situation, those key 'fear' words still sink into the subconscious. The campaign against the web by 'SOMEBODY' has been reaching a fever pitch of late; security holes and viruses and large scale spam blasts. . .

This train isn't going to stop until finally the general public cries out for Big Brother to protect them. --And guess what? The big company which connects all the cute little www.name.coms into to all the right I.P. numbers is owned by. . .

Ex-spooks take over Internet domain name registration, (1999)

The press recently reported that the National Science Foundation has turned over Internet Domain Name registration to Network Solutions, Inc. (NSI) of Herndon, VA. The press failed to note some interesting connections.

NSI was purchased in May by Scientific Applications International Corporation (SAIC) of San Diego. SAIC is a $2 billion company indicted by the Justice Department on ten felony counts for fraud in managing a Superfund toxic cleanup site
(SAIC pleaded guilty) and sued by the Justice Department for civil fraud on an F-15 fighter contract.

SAIC's board members include Admiral Bobby Inman, former NSA head and deputy director of the CIA; Melvin Laird, Nixon's defense secretary; and retired General Max Thurman, commander of the Panama Invasion. Recently departed board members include Robert Gates, former CIA director; William Perry, current Secretary of Defense; and John Deutch, the current CIA director. Current SAIC government contracts include re-engineering information systems at the Pentagon, automation of the FBI's computerized fingerprint identification system, and building a national criminal history
information system.

"At the very time the Internet community is struggling with the issues of encryption and privacy, I'm more than a little uneasy to find this bunch of ex-spooks sitting at the very entry point of the Net," says Jim Warren (a leading activist in making government records accessible) in the article, which was written by investigative journalist Stephen Pizzo, Web Review Senior Editor and co-author of the book Inside Job, an expose on the savings & loan looting.

Who do we think is perpetrating all of this horseshit? Do we really believe that Windows was made this vulnerable and shoddy by accident? Like all those bombings by the Palestinians which do NOTHING for their cause, and only give the Zionists more reason to bulldoze people's houses in their ongoing ethnic cleansing campaign. Go look at the news archives; right when the 'Road Map' or whatever fake peace initiative is about to gain some ground, right at the worst possible moment, that's when a 'suicide bomber' goes off. Look at the actions; Who do they benefit, time and time again? Certainly not the Palestinians. And in the case of the internet, all this virus nonsense and fear mongering. . . That only serves those who have a vested interest in placing draconian controls on the web, one of the few true sources of real, global news and communication.

Remember; Bill Gates is now working with Homeland Security. The lockdown will use Microsoft solutions, Bill will gain even more money and personal security via gratitude from the 'winning side', and we will all get screwed. (Bill has certainly proven himself to be the most Machavellian asshole in every twist and turn of Microsoft's life right from conception. This is exactly in line with how that bastard thinks. Just another damned sociopath).

Can't afford to have the web up and running when America makes the BIG grab. What can you do? For starters, learn as much as you can NOW while there is still free flowing information. Develop personal connections and methods, because face to face communications are going to be the only reliable ways to resist when the time comes. Learn about energy. Learn about the sorts of forces you're going to be faced with.

-FL

Comment removed

[account_deleted]

Comment removed based on user account deletion

An even easier exploit

Lie on the registration form. I generally try to portray an 80-year-old hooker. (Though I have to admit that your exploit is more technically interesting.)

FREE ADRIAN

FREE ADRIAN

Comment removed

[account_deleted]

Comment removed based on user account deletion

Further evidence of our retarded society

[KalvinB]

"without requiring any specific agreement from them before use"

This is just another example of why our world is going to shit. Too many retarded people that think I have to make you sign something before you can't damage something I own.

Didn't sign an agreement that you can't egg my house on holloween? Guess you can then huh? What are you, stupid?

Our society has become so braindead that unless you tell someone specifically not to do some specific act, they assume they can regardless of the fact general laws exist.

Property laws exist that say you can't damage other people's property. Why? Because common decency has gone out the windows thanks to an abundance of retards that have engulfed our society.

"Therefore you wish him punished as a tresspasser?"

Listen, idiot. You don't need to sign an agreement that you won't damage my property before you're not allowed to.

Unf-in believable. Do the Slashdot community a favor. Pack up your computer and send it back to HP where you got it from.

Ben

Re:Further evidence of our retarded society

[Henry+V+.009]

Thank you for explaining. You are limiting the term hacking only to instances where property is damaged. Simply obtaining information is not covered under your definition, correct?

Re:Further evidence of our retarded society

you can't damage something I own.


Please, tell us- what damage did he do??

my struggle...

[C10H14N2]

"There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens." Don't forget the undermenchen and auslanders. Scary.

White, gray and black

Honestly, i find amusing people wanting to differentiate from a "black" hat. Unless the security audit is -requested- by the target company, it sounds somewhat coward to mask yourself behind a "white" or "gray" hat...

Desevres Repeating

[qtp]

Or maybe it's like nothing in the real world at all, and we have different expectations of real privacy and security vs electronic privacy and security.

The only change I'd make to that statement would be to add the word should (or can) between we and have.

So maybe, we should stop with the analogies as they are all strained.

'nuff said.

Cybercrime

[Orion+Blastar]

US Law states differently, they call it unauthorized access. He wasn't given access to the whole system, just parts of it. He used the holes to exploit security to get around it to access parts of the system that the public is not meant to see.

But yes you do have a point that they didn't do anything to plug those holes. Sort of like blaming someone for walking into your shop at night because you didn't put a lock on your door or have a security system working. One could argue that you were inviting them in. At least the Police say that to people who left Windows open at night and a robber used the Window to get into the house and rob it.

Even more evidence of our retarded society

[KalvinB]

"Simply obtaining information is not covered under your definition,"

That's called stealing.

Think. Or do us all a favor and pack up your computer and mail it back to HP.

"You didn't tell me I couldn't come in through the unlocked window and photocopy files in your file-cabinet so it's not illegal! No physical property was taken!"

What are you stupid? Yes.

Ben

Re:Even more evidence of our retarded society

[Henry+V+.009]

So obtaining information is always stealing? Whenever one looks up information on a website he is stealing? I assume you wish to revise your argument.

Re:Even more evidence of our retarded society

"Simply obtaining information is not covered under your definition,"

That's called stealing.

No, that's called a Copyright violation.

Copying != stealing.

Furrfu.

Re:Even more evidence of our retarded society

After reading some of your comments on various stories here on slashdot, I've noticed some problems. One is that you have little to no imagination(maybe). Second, you have a hard time figuring out the difference between many different words, such as stealing, ingringment, trespassing, and many others, but I have no time to search through all your mistakes.
The reason I say all this is because you are what people like to call "by the book". You believe in what is and what should be according to the way things are going, but fail to realize why sometimes even the bad things that happen have a real purpose and good intention behind them. Why do lawyers defend criminals even when it is obvious? Can you answer that one? This is a very easy one though, but this type of thinking goes deeper.

Property cases can not be easily applied to computer related issues. Why do you think there is so much confusion and trouble in the courts about this? It is also not the same thing. Just as we can not treat intangibles as we do tangibles, but we still do (patents/copyrights) and look at all the problems we have because of it. Companies are evern trying harder to make intangibles more like physical property. Now assuming you have a weak imagination, it may be hard for you to see it any other way than it is and base all your thinking on arguments, whether they are reasonable or not.

Some of the moderators can't see past some of the unimaginative comments out there, so your at times modded insightful or interesting. Here is a tip: When your posting an argument or comment, put a little more thought into every detail. Ask hows, whys, whats, etc. and from every aspect you can to fully understand the meaning of things. I am only doing this to help. I wish you the best of luch.

Re:Even more evidence of our retarded society

[GoneGaryT]

You raise an interesting point. In UK law, there was a test case some years ago in which the view was taken that computer data cannot be stolen. It can be criminally damaged (altered, deleted) but copying does not constitute theft, as the original data is left intact in the appropriate place.

"Theft of Data" is nonetheless still popularly believed to be an offence in the UK, as the judgement alluded to above is not immediately intuitive without some detail. I'll admit to being surprised myself when I first learned of it, though it's satisfyingly thoughtful.

I daresay the idea might not find favour in the US.

Re:Even more evidence of our retarded society

[GoneGaryT]

References for my previous here

Oh, but your analogy blows even more

But the guy standing in your lounge poses a physical threat to you. He can start your house on fire, rape your wife or kill your kids. The worst thing a hacker can do is screw up some of your files that you should have backed up in the first place.

Yawn.

Re: hacking and intentions....

[Quothz]

It seems pretty obvious to me that hackers doing this sort of thing are simply trying to draw as much attention to themselves as possible, in order to boost their ego and enhance their career options.

Not at all like, say, teen athletes, who play sports for the sheer fun of it.

Besides, if he was so confident his activities were legal and ok, why is he running around from state to state, in hiding?

Well, according to the article, he's in California working on a documentary. Not exactly the kind of thing you'd do if you were "in hiding".

If he felt he had a strong case in his favor, you'd think he'd just turn himself in to the FBI right away, so he could show their folly in court and walk away righteous.

This just tells me he's not an idiot. Talking to a lawyer before the cops is good sense, and perfectly legal. Nothing in the law requires him to turn himself in, so he can take his own sweet time and make sure his rights are protected.

You got some kinda grudge against this guy, or did you just not read the article?

Because...

[idontneedanickname]

Because that means other people can use the same way to break in, obviously.

Re:Because...

[Nept]

But why should you care if other people break into the site?

Why?

White hat?

[Cyberllama]

White hat hackers don't actually break into anyone elses systems. They discover exploits on their own boxes, and they report them for the benefit of others. They might notify a company that they are vulnerable to a particular exploit, but they never actually exploit that security hole without permission first (in order to demonstrate that flaw).

This guy, at best, is a grey hat. If he was reading private memos or anything along those lines on the NYT system, then he probably does in fact deserve to get busted (Note: He deserves to get busted, not jail time. The laws against hacking are entirely too punative. There is no financial damage to speak of in this situation. Too often companies will report the cost of patching their system as the financial damage -- as if the money they spent fixing the hole was somehow the fault of the person who pointed the hole out).

first....

[PhreakOfTime]

First they will come for the scientists, then the artists, and the poets, then whoever else is left to shatter the world-view of the people in power...

At first glance, the concept of history repeating itself is a casual amusement...now its becoming a scary reality

PAX AMERICANA

Those NYT People Are...

RATBASTARDS.

Re: the car analogy

[Mordanthanus]

But what your not considering is that in order for your analogy to fit, you would have had to have kept a briefcase on the passenger seat containing the personal information of about 50000 people with big letters on the front saying "Confidential".

Whether he was stepping on your rights or not is relative... he could have been looking out for the rights of the 50000 individuals whose information you so carelessly left laying in your passenger seat with the window down.

Re: hacking and intentions....

[Tadghe]

King TJ, you should read a bit on Mr. Lamo before you go casting stones.

1. He has repeatidly turned down anything from the companies he's helped.
2. He has always agreed to sign whatever NDA's are required of him. 3. That hardly fits the profile of somone trying to "bolster" his profile.
4. He has done this for *years*.
5. He has (A far back as I can remember hearing him speak) been aware that one day someone would not take too highly of his efforts.
6. He's hardly on the run, he's trying to get in touch with his Lawyer to setup the details of turning himself in.
7. He has NEVER released (as far as I can remember) the exact details of ANY of his corporate hacks.

Want proof? Go seach SecurityFocus, he hangs out on BugTraq and a few of the other lists. For heavens sakes man, quit trolling without at least reading about the guy.

Re: hacking and intentions....

[RancidBeef]

So what? The end result is positive. If a person points out critical security flaws in your system, he's doing a service for you. True, it's obnoxious and even a little scary that the person could stick his/her nose that far into your system,

So if you find me in your house rummaging through your stuff and I claim I just wanted to check the security of your locks, is that ok?

The New York Times?

Well, they need a new story after Kevin Mitnick. Even if they have to conjure one out of thin air^H^H^H^H^H^H^H^H FBI case.

Talk about ethics...

Re: the car analogy

Suppose after geetting the warning from the police you decide to continue to leave your window down and it gets stolen and used in a drive-by shooting.

You were willfully negligant in protecting your car from being stolen, so are you partly responsible for letting your car be used for the crime? You were willing to take the risk for it being stolen, so does that mean you are willing to take responsibility for it?

Should you even be able to make a claim for the stolen car to your insurance company? You were doing something that made you an easy target, knew about it, and did it anyway. Or should the dangerous behavior be reported to your insurance company so they can raise your rates to compensate for the added risk?

Hack the NYTIMES?!

[Safety+Cap]

Why bother when others have done all the the hard work for you?

Sorry, I misunderstood

[idontneedanickname]

I should not (and do not) care unless I were a paying customer for said site, or if I had some other interest in it.

see

[ShadowRage]

this is what I've been seeing, the people in power going after the easy targets, I've seen it in my own life as well, when I would go to school, some kid would do something, but since I was around and that kid was a known threat, I was the one punished because I was less likely going to set their cars on fire later if they did anything. same goes with the government and the RIAA, they find the people who do these things, but with innocent intent because it's an easier job and these people are less liekly to create revenge... well, in their little simple minds, this is true, in reality, it only causes these people to get revenge in the future. and hell, that one principal who punished me for what that one kid did once, wondered why all her car windows her broken and the tires were slashed, etc. ;) My point is that the only reason the good people get hit harder is because of ego and cowardice. They dont wanna hit the badguy too hard or hit them at all because they have friends who will lash back or they'll lash back in the future, and they cant just let the problem go... that's when they need to find a scapegoat. this is what Adrian Lamo is. a scapegoat for all the black hats out there. yes he did berak the law, but, no one complained or pressed charges. What the government also might be afraid of is him hacking them, so they'll prolly arrest him, call him a terrorist and he'll never be seen again, while a black hat hacker hacks them and destroys valuable records, while Adrian might have never even thought of doing that. That's politics for you. even if they dont make sense. one of these days someone will get wise. doubt it, but hey, it's a thought.

GODDAMN I'M UGLY AND STUPID

[pr0ntab]

-said the teekid.

Re: hacking and intentions....

[aricusmaximus]

A very poor analogy.

My house is not securable, nor do I expect it to be. So a person entering my house, or temporarily taking my car is not doing me a service - I already *know* they are insecure, and I expect people to stay the hell out.

By contrast who gave NYTimes their confidential information expected that their information would be kept secure. But the NY Times left that information available to anyone with modest hacking talents. Bad news. What if someone other than Adrian Lamo found that information first?

If someone finds a security hole in any site that stores my credit card information and then reports it, then I'm happy, whether or not it was an official security audit or someone like Adrian Lamo. The bank/merchant will be forced to close a hole that a malicious person would *not* report and instead use for nefarious purposes.

The New York Times did not "find" Adrian Lemo "rummaging" through their - he directly reported what he did to them. I'm not an elite hacker, but I'm guessing what he did would have gone unnoticed had he not done so.

So your analogy is wrong, twice. Either try again or realise that, embarrasing to the NY Times it may have been, Adrian Lamo was actually providing a public service. The FBI's wrongheaded actions, though in compliance with the law, hurts us all.

Bottom line: if there's a security flaw in an important system that keeps confidential information, no-one should go to jail for reporting it. Period.

You know...

He only did this because the "bully's" in school always called him "LameO"

D

My understanding

[The+Tyro]

of Mens rea has to do with culpable mental states (I am not a lawyer). Knowingly, recklessly, negligently, etc, etc (depending on the state's law) could be a couple of examples. You are exactly correct that he must meet the elements of the offense... and the corresponding culpable mental state must also be met, assuming that is one of the elements.

I haven't read the particular statute they are charging him under, since the FBI won't release any information... but depending on the elements required, including culpable mental state, he may or may not meet them. I wouldn't be at all surprised if this is all a bluff on the FBI's part. I've known them to bring people into a room for questioning, with walls stacked with boxes, maps/pictures of the subject's home, work, etc... a virtual room full of "evidence" that really makes it look like they've got the goods on you. Know what? I've known of cases where those boxes were totally EMPTY... the FBI are masters at playing mind games to get you to spill your guts. It helps a great deal if you have an attorney who knows the game; I hope Adrian's attorney is sufficiently well-versed.

I'm curious to see how they handle this... otherwise, we are in total agreement about the lack of media accountability. They wield an incredible amount of power... but are really only answerable to their editorial boards.

Re:My understanding

[cthugha]

I'm not an expert on US criminal law at the federal level, but, generally speaking, common law jurisdictions that have codified their criminal law have enacted their codes so there is a base level of intent (i.e. deliberate, willed action) that may be modified for a given offence by making specific intent an element of the offence (e.g. "intent to kill", "intent to defraud", "intent to further the commission of an offence").

The article mentions 18 USC 1029, which creates a number of federal offences related to use and trafficking in access devices, but specifies that intent to defraud is an element of those offences so our accused should be safe there. But 18 USC 1030 is also mentioned, which makes unauthorized access of certain specified kinds of data (financial and personal records, for example) an offence without any additional level of intent, which isn't really surprising.

The US Code can be accessed through the Office of the Legislative Counsel of the US House of Representatives, which the Library of Congress has links to, as well as other search engines to access the Code. Go and have a read for yourself.

Imagine two countries:

Alpha and Beta. Computer hacking is legal in Alpha and illegal in Beta. But the Alpha government will extradite their own citizens if they hack Beta networks, so Alpha citizens pretty much exclusively attack Alpha networks.

Alpha is swarming with script kiddies, so connecting a machine with known vulnerabilities to the internet is totally useless. It will be hacked within 30 seconds. Therefore the habit of connecting such machines just doesn't exist in Alpha. Security is as natural and mandatory as the power and network cables.

In Beta, the enforcement against hackers and hacker-enabling software has become so aggressive that hacking attempts are rare, and make front-page news. The last hacker was sentenced to life in prison. Nobody really knows the state of network security. There are highly paid consultants who look after it. It's unwise for anyone not professionally accredited to show interest in such matters.

In Alpha, while the sysadmins have managed to fend off the script kiddies, they have a very hard time keeping up with college and graduate students specializing in computer security. It's the most popular specialty in Alpha's comp sci departments. Alphans develop numerous techniques to inherently harden a system so a programming mistake can't make the machine vulnerable. They begin where our current ideas of GRSecurity, SELinux and Mandatory Access Control leave off.

Ten years go by. Reliance on the internet increases to the point where any advanced country would collapse if it disconnected its international links.
The Betans with the strongest interest in hacking emigrate to Alpha, where they can pursue their calling freely. If the remaining computer security establishment of Beta is a bit second-rate, nobody notices. Alphan children sometimes romp innocently through Betan banking, telecom and defence systems, but by the age of 12 they know it's not just illegal, but lame and childish - like shooting fish in a barrel.

The government of Beta announces that in light of the massive loss of life and property that a network outage could cause, hacking tools such as nmap are banned and subject to the same rules as nuclear weapons.

Most Alpha software is written with new languages, paradigms and OS's that have adapted to the challenging security environment. Beta sticks with C, Linux and Windows, and few Betan techies even try to read the flood of Alphan security papers. If you weren't in an Alphan school at the age of 14, you have a ton of catching up to do. And why bother, when hacking is illegal in Beta? Beta security researchers have an easy time of it: they just crib from ten year old Alphan papers.

Which country do you think has a better chance of survival?

Re:Imagine two countries:

[crucini]

I posted the parent, and like an idiot forgot to log in. So I'm trying to drag it up from the obscure gutter where it lies.

At the risk of sounding immodest, it is more insightful than 100 breaking-into-car analogies.

And?

[Sycraft-fu]

Still doesn't make it right. You try something like this in the physical world, you are likely to catch a bullet with your teeth. In the US we have the concept of personal property and teh concept of not messing with personal property that isn't yours. Hence, these concepts are codified into law. He is now facing those consequences. The whole "ends justify the means" argument is a load of crap and is the same shit you hear from facisits that would like to have the ability to monitor everything we do and arrest us without cause.

My shit is my shit and it is mine to do with as I wish, including be insecure. It is not your right to poke around to prove that insecurity, unless you first ask permission.

Hackers seem to have this false notion that if they CAN do something they SHOULD be allowed to. Not how it works. I bet you that all but a very few of them have shitty physical secutiy on their houses that me and a couple firends could bypas in less than a minute. Doesn't give us the right to do that. The fact that they have a private residence with a lock is enough to indicate that we are not to go in there.

Now don't get me wrong, all people should have good virtual security since, unlike physical, you don't ahve to spend money on it, just take a little time to patch your system and run a firewall. However, just because they don't doesn't mean that you should be allowed to break in, even for bening purposes, legally. It is and should be illegal.

So..

If I run up to you, tear off your clothes, and shove a nice cold implement up yer arse, it's okay, right?

Just checking for colon cancer, my friends!

I'm providing a great service to the public! You should thank me!

(Disclaimer: I do not actually run rampant through the streets, probing people.)

Re: the car analogy

[King_TJ]

Yes, I believe in this (far fetched) scenario, I would have some responsibility. I don't think any reasonable jury would feel I deserved to be punished for the drive-by shooting though. Whether I leave my car's window rolled up or not, I have a reasonable expectation that my vehicle shouldn't be tampered with by others. Those who do are committing the crime, not me.

I would accept the fact that my vehicle was stolen at least partially because I made it a relatively easy target. In fact, if I did file an imsurance claim in this situation, it's likely my imsurance company would decide not to give me the full value of the car after reading the police report. (There's a real good chance the report would mention something about the vehicle having the window rolled down when it was stolen. They'd wonder why no windows were broken or no doors damaged trying to pop them open otherwise, right?)

media puff needs a blackhat beatdown

hackers giving taped interviews on the local
NBC station defies logic

Adrian Lamo!

[TheLoneWolf]

He is no criminal he is a hacker! He helped comanies! It is people like him that are in charge of companies, that write the software we use, that make this world function. If anyone is a criminal it is the times or even the government. I dont have anything against the government but if they put him away they are the ones committing a crime. Adrian has been thanked by companies, he has helped them defend against possible attacks. Yet the times Slanders they put the blame on hackers without even knowing what a hacker is! We are all hackers in one way or another! They blame hackers for what phreakers, crackers and script kiddies do. We hackers make this world go round. Charging him and putting him away would be setting a president that would take us back to the stone age! Hackers of this world created the companies that made this world what it is! They created the digital revolution. Without hackers we would not be where we are today! There are some black hats but Adrian is not, all he did was help. The times is in the wrong! He tried to work it out with them but they would not have it! Adrian hang in there you did no wrong! We support you. Adrian you are a hacker a true white hat, you seek knowledge and how to better society. Hackers of this world, we are in trouble if he goes to jail, what is next being put away for trying to get the most out of your computer? Oh i know using Linux and patching your kernal or compileing a program. Where is justice! The governemt even uses hackers like Adrian. This should be stopped. The times has no right to file aginst him theyt are more criminals then He! ~The Lone Wolf

Re:Adrian Lamo!

[e.coli]

People like Lame0 don't create. They don't build companys. They are after the publicity.

Hackers are not crackers. Crackers break into systems. Hackers take things apart to make them work better (all before EULAs) - not to take advantage of someone elses resources (NYTimes).
Hackers create.
Crackers don't.
Cracking a web site creates NOTHING. Nothing but pain and suffering. Nothing but embarassment. Nothing but costs to state and local governments for tracking down the cracker and housing them in our less than sterling jails.
Most of these people who claim to be white hat hackers are nothing more than script kiddies/phreaks. The government would not use these wastes of human mind for anything other than office help. Don't give people like Lamo too much credit.
Adrian exploited. He did not help. He notified the press, not to help but to seek noteriety.
Has he repaid the NYTimes for the resources of theirs that he used? No.

Read this because I did it!

This is such a intresting topic to me. Close to three months ago I gained access to an online newspaper from the local newspaper company here in my city.(www.newsherald.com) I gained many passes in 20 minutes. I informed them after the crack with a anom. email. Here is the intresting part. I knew now that I had access to my local news at any time illegally. What did I do? Nothing. I thought about the issues surrounding me logging on and getting caught. All the above is true! Whitehat hackers and blackhat hackers does not mean nothing to feds and cia. We are all hackers in plain english that may pose as a threat to the nation. There is something about that statement that makes me continue to do what I enjoy to do. To me it is just like the area 51 mystery. People are just going to have to get closer. Hacking is the ultimate human curosity adventure today for intelligent and imaginative people. I doubt that Lamo,Adrian will be sentenced to max punishment for hacking a newspaper provider. Although, this topic has made me more aware of my cyber activities. I guess I'll stop hacking when I here Adrian Lamo is sentenced to firing squad.

Re: hacking and intentions....

[RancidBeef]

I'm sorry, I think it a very good analogy. You have said nothing to convince me otherwise. How strong the security is of the house or the server is not the issue. The issue is that this guy is essentially guilty of "breaking and entering", regardless of his intent. Also, it doesn't really matter whether they found him or he notified them himself, what he did was wrong. Now, if he did the equivalent of "jiggling the lock" without going in and told them "did you know your door is unlocked", that might be a different issue. But from what I heard, he penetrated deeper into the system than that.

It's also irrelevant what's inside that he found. Using the house analogy again, it wouldn't matter whether you had dirty socks or the crown jewels in your dresser drawers, if I was even in the house then I have committed a crime.

Granted the FBI, prosecutors and the courts will probably go overboard, such as keeping him away from phones, etc.

I'll also admit that the NY Times should secure sensitive information. But I still don't believe that gives anyone the right to engage in "vigilante good-samaritanism".

Re: the car analogy

How on Earth is that a bad thing??? Stepping on your rights??? Good lord, man. It was a cop trying to be a nice guy...It's not like he went in and closed your windows or ticketed you or punished you in any way.

Frankly I'm surprised more cops don't start beating people on the street given the abuse they get from the public for any little thing they do...

a misguided Feynman?

[1iar_parad0x]

Here's a little background info on Adrian Lamo:
http://www.wired.com/news/infostructure/0,1 377,508 11,00.html

What's the difference between Mr. Lamo and Richard Feynman. Obviously, one is willing to flagrantly break the law. However, the insatiable curiosity is the same.

I remember as a kid I used to go exploring. I was too stupid to realize this exploring was trespassing. Sometimes people suffered my curiosity. Once, a very nice older couple managed to humor such a spoiled little brat. They gave me a tour of their entire house. Incidently, they seemed to make the mundane entertaining. I'm sure I'd be labeled with ADD now. I also (like most of you) began to play with computers because I was curious. However, I don't have the patience to MISCHEVIOUSLY hack.

Unfortunately, no one managed to reach this guy before it was too late. I hope they don't throw the book at him. If you read the article, you'll realize that he isn't malicious, just stupid. I really do pity him.

Dude.

You might want to adjust your tinfoil hat, it's a bit too tight.

Can you say DMCA?

[gilesjuk]

Watch out, that's circumvention! :)

It's using an exploit to gain access without authorisation.

Re:Can you say DMCA?

> It's using an exploit to gain access without authorisation.

Fortunately that's not what the DMCA bans. I know you're just joking, but you should really read the law some time.

The best analogy for this...

[IshanCaspian]

...what this is like is someone who talks to a really dumb secretary, and, with a combination of wit and cleverness manages to get her to reveal confidential information. He did not "break into" anything. He coaxed a supposedly secure device into telling him secrets.

Besides, why should the sysadmins have OUR GOVERNMENT covering their asses for not having done their job properly?

What is right and what is wrong.....

[e.coli]

The problem here is that people who like to break into computer networks don't see the harm in their actions. They view it like a little kid, it's theirs and no one has a right to take it away - it's their game/toy/fantasy.

In the case of Adrian Lame-o, the neeping lemmings put him up on an altar and bow down before his mighty web browser. They cannot see anything else but his brilliance.

They do not see the network as property. They can't comprehend the concept of breaking and entering because the net is free!

But here is the truth of it. The NYTimes paid for the servers, routers, firewalls, wiring, fiber, storage devices. This is property. They collect subscription fees from people who want to use this property. That is their right.

They paid people to collect information, stories, lists and data. This is property. They sell this property. That is their right.

They built a store front to allow people to enter their property and conduct business with them. That is their right.

They have security in this building to prevent people from going beyond the ground floor where normal business is conducted. That is their right.

They have paid for all of this.

Now, along comes Lame-o. He sneaks walks into the storefront, looks around and notices that one of the security devices is not turned on.
Does he notify anyone? No. When no one is looking he makes his way past security and away from the first floor.

(The security people have their hands full with people trying to get past the first floor and their budget is cut, not enough people to patrol, not enough in the budget to repair, new devices for circumventing security coming out everyday. Can't keep up with training.)

Lame-o is now on the second floor. Does he notify security? NO. Is he supposed to be there? NO He rifles some desks, file cabinets, scans lists, checks out credit card numbers. Does he stop and notify security? NO

At this point we know that he alters some data, effectively using resources that the NYTimes has paid for (Property!!) without authorization or permission.

Now he sneaks back out of the building. Does he notify security? NO

He notifies the press.

Does he pay the NYTimes for the resources that he pilfered? NO
But that is okay, the public opinion of a bunch of sheep/lemmings will bouy you out of troubled water. Lame-o will be a god unto them!

You haven't done anything wrong!?!?! YOU WEAR THE MANTLE OF THE WHITE HAT!!! Your press clippings say so! Your adoring admirers don't care about property! They want a free and open system where they can gambol and despoil the landscape making it impossible for the average user to get anything done.

Bullsh*t

Oh yeah, and about those sys admins that are always getting bashed, the ones who missed that one hole out of a gazillion. Let's heap steaming trash on their heads too. After all, new exploits happen all of the time. There are so many fingers in the web pie that it's difficult to find all of the openings that vermin can come in through.

Let's see these white/black hat lemmings/sheep set up web servers that cannot be broken into while conducting a business similar to the NYTimes. Oh yeah, and with very little money. And let's see them keep it running for a year without anyone breaking into it. And if someone does break in then these same lemmings can get their asses canned.

White hat. Black hat. It's all bullsh*t.

Criminals. (Yeah, this stuff pisses me off!)

Do any of them set up a security business and try this stuff legitimately? The ones who stop being neeping sheep do. But white/black hat dittos don't. They can't. They don't have the strength. They just want to be dittos who aren't responsible for their actions. They just want to have fun. Or see their faces in the press clippings like Lame-o.