Slashdot Mirror


Adrian Lamo Charged With Hacking

retro128 writes "Drifting around the US from state-to-state, Adrian Lamo has been making news for some time with his 'White Hat' hacking exploits. His highest-profile hacking has included Excite@Home and Yahoo. After he would break into a network, he would call up those in charge of it and help them fix the holes. So far, it has earned him praise from the administrators of those systems, but now SecurityFocus is carrying the story that the FBI has filed charges against him, and currently has his parents' house staked out. The records are sealed, so nobody knows who is responsible, but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got."

54 of 527 comments

  1. And good riddance. by JeffTL · · Score: 3, Insightful

    Who needs more greyhats running around testing security without so much as permission?

    1. Re:And good riddance. by SerpentDrago · · Score: 5, Insightful

      If you ask and tell them you're going to try to hack, then they will tighten security. That's exactly why you can't tell them. You have to just do it at a random time without them knowing, then see if they catch it. That's the only true way to "test". Do it blind or it is not real. A BlackHat will never ask or tell you when.

    2. Re:And good riddance. by Shoten · · Score: 5, Insightful

      I think you're confusing what Lamo did with something that the NYT actually gave permission for. I agree with you, that a penetration test should be performed in such a way as to be unexpected, so paranoid admins can't do stupid things to improve the results (like turn off all inbound access for a day). But this wasn't a penetration test, it was nothing more than an uninvited and deeply illegal intrusion plus some spin control for the media.

      I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about? I wouldn't, and the resulting cleanup to make sure that nothing more was done is an expensive and disruptive process. This is part of why the damages for relatively minor hacks end up being so enormous in many cases.

      We're always pushing ourselves to question what we're being told by the media, by our leaders, by our educators, by big business...we should really question anyone who might have an ulterior motive.

      --

      For your security, this post has been encrypted with ROT-13, twice.

    3. Re:And good riddance. by HidingMyName · · Score: 2, Insightful

      If you ask and tell them you're going to try to hack, then they will tighten security. That's exactly why you can't tell them. You have to just do it at a random time without them knowing, then see if they catch it. That's the only true way to "test". Do it blind or it is not real. A BlackHat will never ask or tell you when.

      Let's try a little analogy and see how you like that argument.

      If I ask you and tell you that I'm going to access your bank account, then you will just tighten security. This is exactly why I need to access your bank account at a random time without you knowing, then see if you catch it. That's the only true way to "test".

      It would seem that this argument is weak, because if some whitehat got your social security number, bank info, etc. you'd be upset. How would you know it is really a white hat and NOT a blackhat?

    4. Re:And good riddance. by xplenumx · · Score: 4, Insightful

      The University of Washington had a "student run" program where returning students could volunteer to help freshmen move into their dorm room. In return for their help, the UW would supply the volunteers with free food (usually through Subway, Domino's, etc., with a student leader ordering the food using UW budget codes). After everyone moved in, the group would disband and everyone would forget about it until the following fall. Approximately six years ago, the student leader who was in charge of ordering food decided in Winter quarter that he would use the budget codes and try to order up some food for him and his friends (http://tinyurl.com/mhck). What was Eric's excuse when he was eventually caught? "I was just trying to show how insecure the system was" and "I was really doing Res. Life a favor". Sound familiar? Eric Feigenbaum then wrote a series of articles to the student newspaper, The Daily, regarding his experience and how the university didn't appreciate his 'generous act'. Personally I become extremely nervous when someone decides to conduct some unannounced public service, especially through illegal means. Usually the "I'm just misunderstood. I was really trying to help out" excuse comes out after the individual gets caught, but some individuals will come forward first, hoping that it'll cover their tracks. For example, I had one employee who came up to me and said that they learned how to use the copier without first putting in their copy code. Turns out the employee decided to "test" his method by making over 5000 copies over a period of three days (all after hours). Another employee within the firm reported that some equipment was missing (it would have been discovered later that week). It was eventually discovered that the very same employee had stolen the equipment the night before. I don't know the first thing about Adrian Lamo besides what's written in the referenced article. He may be the most honest, altruistic, and generally nice guy in the world. Good for him. The problem is that the next Adrian Lamo may not be.

    5. Re:And good riddance. by frater_corvus · · Score: 2, Insightful

      I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are.

      While I agree with the content of your post, I would wager that this would be treated like any other criminal charges. By reviewing his public track record at Security Focus most people investigating Mr. Lamo's public past would deduce that he probably wasn't doing anything vindictive or with ill intent. For example, as quoted from the previous link:

      WorldCom is the latest target of a clean-cut 20-year-old hacker who's already drawn national attention discovering, exploiting, and then warning about serious security lapses at AOL, Excite@Home, Yahoo! and Microsoft. Like those other companies, security staff at the $20 billion communications giant might be surprised to learn they were compromised by a lone vagabond hacker who lives out of a weathered L.L. Bean backpack and does most of his work from Kinko's 'laptop stations,' using little more than a Web browser and his wits.

      While it doesn't make his activities any less illegal, it lends evidence that he had no motive other than exposing a security flaw with the NYT. Provided that's what Mr. Lamo is actually being charged with.

      Personally, I think people like Mr. Lamo make the world a better place. Sometimes, you don't know about an insecurity (or don't care) until someone actually does something to your information. Much like how I was raised to always lock doors and windows, but a lot of my friends don't seem to see the point. When their belongings go missing, I won't even bother saying, "I told you..."

  2. hacking... by softspokenrevolution · · Score: 4, Insightful

    Well, zero tolerance. The thing here is that to an awful lot of people, and especially those who make the laws, hacking is hacking is hacking, who cares what someone says they were doing it for.

    I can really understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."

    I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charges against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.

    1. Re:hacking... by El+Cubano · · Score: 4, Insightful

      I can really understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."

      I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charges against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.

      I can see your point, but what he was doing was exposing flaws in the security of "public" places on the net. How is this any different than when the local news where I live broke into the nearby international airport's restricted area and did a report from there (this was about a year after 9/11) to show how lax security had become again?

      When the journalists do it, it is a public service. When a private citizen does it, it is a crime. WTF? Personally, if I am going to be utilizing the services of these sites, I want to know that they have good security (and not just because they say so).

      There is no way anyone can convince me that what he was doing was wrong. He was providing a public service, and if the public is too ungrateful to realize that, then it is really sad.

      It's not like he extorted money from the companies, or demanded some compensation, heck he even helped them fix the holes. It is just sickening that you can't even be a good Samaritan without someone wanting to take your head off.

  3. Go Mom! by The+Tyro · · Score: 4, Insightful

    Heheh... when the agents wanted to come into her home, she told them to get stuffed and come back with a warrant...

    That's love, folks.

    It would be ironic if this was set up by the NYtimes. I thought investigative/secret camera/sting operation reporting was supposed to be aggressive journalism... couldn't his "hack" be considered the same sort of thing? "Unsporting" doesn't begin to describe it, particularly if he was up-front and honest about helping them out. If the NYtimes can investigate, blow the whistle on others, and embarrass them into action, I'd say the same card can be played against the Times. "Sour Grapes" anyone?

    Yes, he was likely technically in the wrong, no doubt about it, particularly if you adhere to the letter of the rule, rather than the spirit of the rule... even so, this seems a bit heavy-handed.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.

  4. Seems fair by TheFairElf · · Score: 3, Insightful

    If he's going to hack websites, even with the best intentions he's still breaking the law. It seems it would be better for him to work at a security firm (or open his own) and at least get paid for all his troubles. Then he'll be rich and he'll be praised for basically doing the same thing.

  5. This seems unfair by practicalista · · Score: 5, Insightful

    I am not sure what he did at the New York Times can even be considered hacking.

    So far as I can tell he set his web proxy to the address of the company intranet, surfed around that, downloaded some documents and used the information contained in these to get some more.

    Whilst I don't approve of hacking per-se, I'd have to say that here, this is very little more than exposing a badly designed web site.

    Imagine that you go to your gas company's online web site, look at the URL and see your account number in it. You think to yourself, I wonder what would happen if I changed one of the digits. You do and lo and behold up pops all the information of another customer.

    Now you can go for your 15 minutes of fame and ring up SecurityFocus or you can have a quiet word with the Webmaster of the Gas company - either way, you are not a hacker.

  6. Sheesh! by joto · · Score: 2, Insightful

    What did he expect really? That everybody should love him because he snooped around in their systems without permission?

    He must have been living under a very large big rock for a long time, if he thought this kind of behaviour has ever been accepted by the authorities and most sysadmins.

    And by the way, hacking systems without permission has never been white-hat. At best, I would call it grey-hat, although black-hat is certainly also fitting.

    If we start judging people on intentions instead of what they do, I think most people will start complaining. "No, I was only trying to help the sysadmin, so I haven't done anything illegal", is about as stupid as "You thought about stealing that car, so you should go to jail for that".

  7. Re:Great Excuse by nearlygod · · Score: 5, Insightful

    How different is this from the investigative reporters on your local news broadcast? In many cases a white hat may find that customers' CC numbers or SS numbers are accessible via an exploit or weak security. In a way, he/she would be helping the public by giving the company an opportunity to correct the situation or at least take it public. An investigating reporter may find that a company or government office is throwing out sensitive info without shredding it or taking the proper preventative measures. If I am giving a company like Amazon my CC#, I want to know that they are going to protect that info. Who is going to watch/audit the company if they get lazy?

    --
    The Tools Of Ignorance wanna be a tool?

  8. He accessed an internal network by mindstrm · · Score: 2, Insightful

    that he knew he did not have permission to access, by his own admission.

    Any way you slice it, that breaks the letter of the law.

    If you want to test the security of my network without getting charged if you break in, then I suggest you obtain my permission to do so in the first place.

    Analogy: You find a guy walked in your front door cause it was open, snooped around your house, your bedroom, your closet... then told you "You shouldn't leave that box of money in your closet, and you should leave your door locked".
    Is he guilty of trespass / unlawful entry? Damn straight. Would you feel violated? Damn straight.

    1. Re:He accessed an internal network by practicalista · · Score: 5, Insightful

      The law makes distinctions between trespass, breaking and entering, armed robbery and so on.

      The guy who wanders around your house is a trespasser, not an armed robber. It seems here that a better analogy would be:

      A guy walks in to your unlocked house, boasts about it and you insist that he be prosecuted for the worst possible crime he *may* have committed, not the crime he did commit (to walk through an unlocked door).

  9. What was he thinking? by tarranp · · Score: 4, Insightful

    If you break into someone's house, telling him after the fact how you got in does not automatically pardon you from the crime...

    Had Adrian simply notified the New York Times in a timely manner about the open proxy servers, he would have been fine and probably accomplished his mission.

    Instead, he took his time cracking the system, widening the holes so to speak, and then went to a reporter(!), of all people.

    There is nothing inherently wrong with his desire to improve security. There is nothing wrong with him looking around the public spaces on the internet for chinks. What was wrong was that he failed to tell the people maintaining the chinks directly about them, widened them until he got at valuable data, didn't tell the affected people about the data he had received, but then went to a third party and told them about the wanging big hole he had made. I'm sure he views himself as a knight in shining armor, but in this matter he behaved like a publicity-seeking self-promoter.

    Yes, shame on the NYT for misconfiguring their systems, but even more shame on Adrian for doing something so illegal and counterproductive.

    It does not matter if a person thinks he's a good guy, he still does not have carte blanche to do whatever he wishes.

  10. Re:Great Excuse by alienw · · Score: 2, Insightful

    I think that the reason he didn't ask for permission is because no company would have permitted hacking their systems, regardless of purpose. Yahoo does not need super-secure systems, so they have no need for a security consultant. In my opinion, the guy only wanted publicity.

    It seems like people don't quite understand that hacking someone's system and then "helping" them fix the holes is not a positive thing. If you steal my car, return it a month later, and then "helpfully" point out that I should get a security system, you deserve to be in jail.

  11. Re:Great Excuse by qtp · · Score: 4, Insightful

    So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

    But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

    The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't really apply.

    OTOH, your mention of the deadbolt and alarm does apply, but only in the sense that if I did buy/install a deadbolt and alarm, I'd be royally pissed if they didn't work.

    --
    Read, L
  12. Horrible analogy. by pb · · Score: 4, Insightful

    What if I just leave a signed note on the inside of your car that says "follow these three easy steps, and then no one else will be able to break into your car again"? Do you say "hey, thanks, buddy!", or "hey, someone broke into my car!"...

    --
    pb Reply or e-mail; don't vaguely moderate.
    1. Re:Horrible analogy. by Sycraft-fu · · Score: 2, Insightful

      Depends if you asked permission first. If you come to me and say "hey, I think there is a problem with your car security, let me show you". I'll say "ok" and let you go to work. If you then break in, and tell me how to fix it I'll be happy. However if I catch you trying to break in to my car without my permission I'll call the cops.

      Physical or virtual, you need my permission to use my stuff. If you want to borrow something, get a login on my server, test my security, etc ASK ME. It is not yours to mess with as you please. I don't care if your intent is just to find problems and notify me, you still need my permission first.

      Heck, with physical security, I am fully aware of most of the problems I have. I know the weaknesses to my house and car. Problem is, they cost too much to fix. Well, that does NOT give you permission to exploit them, even if just to let me know they are there.

  13. Mixed feelings on this issue by Orion+Blastar · · Score: 5, Insightful

    If he was hired to test security it would be a different matter. But he allegedly broke into those systems without permission. That puts him in violation of Cybercrime laws.

    I feel sorry for him, because he did allegedly report the weaknesses to the admins and he could have just read the data and not told anyone and used the information for his own purposes. So his intentions were good, to plug security holes by finding them and telling the admins about it. But he is doing it the wrong way, without permission.

    He may want to think about pleading guilty and making a deal to get reduced charges. This will make him famous and when he gets out of jail and ends probation, he can become a security consultant. Otherwise they may try to make an example out of him and charge him with a full penalty and any other charges they can think of.

    But then the places he broke into didn't use good security practices and didn't apply the latest updates. Personally, I wouldn't put a machine on the Internet that contains sensitive data on it that only my company should have access to like contact information, credit card numbers, etc.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.

  14. Get permission, get paid. by FreeLinux · · Score: 1, Insightful

    I wonder how much trouble he would be in if he had asked the companies' permissions before plying his trade.

    He wouldn't be in any trouble at all. Most responsible CIO/CFOs regularly contract with third parties to test their security. These usually involve full-on intrusion attempts including social engineering attempts. They pay a hefty sum for such services and usually feel a little better if something (preferably minor) is actually found. That way they have something to fix and feel even more secure than when they are told that they are completely secure from the outset.

    What Lamo does is simple, straightforward, black hat cracking that he feels is justified and made legitimate by not causing damage and then reporting his findings to the appropriate people. What it really is is bragging on his part in an effort to boost his pathetic ego.

  15. Why do they do it? by Knunov · · Score: 4, Insightful

    I know what many of you are thinking. Why not tell these companies BEFORE you break in?

    Because IT'S NOT FUN, that's why. Or perhaps more accurately, it's not stimulating.

    Hacking these sites takes time, and the payoff is getting inside and saying, "WOO-HOO! I DID IT!" The fact that he does nothing malicious afterwards and even calls and helps the sysadmins unfuck their systems is a testament to his character.

    For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you, such as family pictures, your kid's toys, or if he was REALLY unlucky, your fat, naked ass sitting in a Lazy Boy with a bowl of chips balanced on your ponderous belly, flipping through the channels.

    "Uhhh... hey dude. Your lock is vulnerable."

    See? Just not the same.

    Getting past a computer's defenses is not the same as physically entering a home or bank vault, though I would find the latter far less intrusive than home invasion, especially if he never even touched the money.

    Now, if he LOOKED at personal/confidential files once inside, that is a different story. But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.

    Misdemeanor, at most.

    It doesn't matter what he could have done while inside, it matters what he did, or more specifically did not do while inside the system.

    "That bastard! He saw my FILE NAMING SCHEME!"

    Yeah, he should fry for that...

    Knunov

    --
    Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?

  16. Re:Great Excuse by maggard · · Score: 3, Insightful

    But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

    But he didn't just "look in", he went and altered files. And the curtains were down, the door closed, he didn't just happen to glance in but broke in.

    The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't really apply.

    Breaking & Entering doesn't mean anyone has to be home or their life directly threatened.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  17. Re:Great Excuse by dirk · · Score: 3, Insightful

    Except he was in the systems and could have done anything while in there. Maybe he is a true "white hat" and didn't do anything bad and told them everything. But it is just as likely that he left a trojan or backdoor in the system. They can't tell what he did or didn't do, so they now have to not only secure their systems against whatever hacks he used to get in, but they have to scour everything on the system to make sure he didn't change any data or leave anything behind (and there is no way to tell whether he copied anything from the system).

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  18. Re:Great Excuse by pantropik · · Score: 4, Insightful

    That's a really awful analogy.

    If someone steals your car they are doing you a serious disservice and actively depriving you of something you cannot easily do without.

    To use your analogy in a way that actually makes sense:

    He isn't stealing your car. He is walking up and seeing if the door is unlocked and the keys are in the ignition. At the very MOST he is starting the car to prove he COULD steal it if he wanted to. But he never actually steals the car or harms you in any way (except maybe making you feel really stupid for having such an easily stolen car). He doesn't deprive you of it "for a month".

    Basically he's checking to see if he COULD steal your car, NOT stealing it. Then he tells you what to do to keep others from stealing it.

    Doesn't sound like evil incarnate to me. If I was being a total idiot as regards security I think I'd appreciate it if someone pointed that out to me before someone else came along and took advantage of it and ended up doing real harm.

    The shame would be worth it in the end, I think. Unless you happen to be the NY Times, which is probably pretty sick of being shamed at this point.

  19. Re:Great Excuse by xenoandroid · · Score: 4, Insightful

    The difference is that he didn't hijack the servers and use them for his own deeds for a month and returned them. He got in, observed how severe the exploit was, got out, and told the admins that they need to fix it. If someone broke into my car without doing any damage to it and then left a note giving me suggestions I'd welcome it, it's not like they drove off with the car and they might have saved my car from future theft.

  20. Dialectic by Henry+V+.009 · · Score: 5, Insightful

    Everyone enjoys comparing hacking to breaking into someone's house or trespassing on private property. It is not. You cannot be 'inside' someone else's server. (It is doubly impossible given the girth of most hackers.) The physical definitions fall apart. And the metaphorical analogies do not mesh physical property and Turing machines so well.

    We can begin with what we do know for sure about hacking. A hacking incident is when someone sends packets of information (in some form and by some medium) from a computer or computers to someone else's computer or computers. Which packets are illegal and which are not? Any exact definition raises problems. You can say that any packets that change the functioning of the target system in an unintended way is hacking. So the ignorance of the owner becomes the limit of what is or is not hacking. Faking an email address on a badly designed sign up page (or using mailinator) might be hacking under that definition. Other definitions are similarly problematic. Currently our legal system tends to default (once it actually gets to jury trial) to the above definition, but (in effect) adds that the act must be highly technical and use specialized tools. (Other definitions exist, and I am of course willing to bust holes in any particular one you care to suggest--so go ahead and suggest them.)

    But there is such a thing as computer hacking. Everyone knows that. Even if we cannot have an exact legal definition, we know that some things are clearly computer hacking. What is the best way of creating law (which is now inexact) to deal with this behavior? I would suggest making the motive of the hacker one of the main considerations of law. It is always hard to for legal systems to judge guilt based on motive--and they should not if they can avoid it--but in this case, they must either judge the motive of the victim or the perpetrator. If the motive is vandalism or theft, then the act should be punished. Adrian Lamo's motive appears to have been an act that should not have been punished--though it is highly important to state that we do not yet know the facts.

  21. Re:Great Excuse by practicalista · · Score: 2, Insightful

    As I have pointed out elsewhere, the open door analogy is basically lame because the problem here is not the crime but society's response to the crime. A trespasser remains a trespasser. In computer crime, a trespasser can suddenly become an armed robber if the person whose property was invaded has enough political muscle.

    Also there is a third party issue here too. One of the files he gained access to contained personal information of another person. Where is the New York Times' legal responsibility to protect the information that it holds from others in this whole discussion?

    Or, to extend your analogy, if you borrow your friend's laptop and then leave it in an unlocked car, do you not share some responsibility?

  22. Good intentions don't mean it is legal by rblancarte · · Score: 5, Insightful

    Drago - you are a fool. If you are hacking people's systems without their permission, YOU ARE BREAKING THE LAW. PERIOD. END OF STORY. If people were allowed to say "Well, I was doing it so I could help their security", then you would have all sorts of Blackhats hacking systems, and then claiming, "I was going to help, but you arrested me first." No.

    Look, there are ways to do security checks like this, without the security teams knowing that you are doing it. Get permission, make sure that no one is tipped off, and then test the systems.

    If there is one thing I can't stand it is people doing illegal actions and then claiming they are doing it for the greater good. This type of action cannot be condoned. Sure, you might be doing help, but you also might not.

    --
    It is human nature to take shortcuts in thinking.

    1. Re:Good intentions don't mean it is legal by Izago909 · · Score: 4, Insightful

      So let's throw the (relatively) most desirable type of hacker in jail so he gets out of the way of the black hats. This is some bullshit logic. Regardless of what his 'true' intentions were, his track record speaks volumes: He's always come clean with people.
      While network admins are busy giving themselves kudos for integrating Microsoft's latest and greatest secure systems, he is busy looking for holes. Without these types of white hats, all the world would have is insecure networks remaining open to black hats until they discovered the holes the really hard way.
      Screw all the evil, sinister things you think his 'true' intentions are. He and his counterparts have potentially saved your company millions in expenses when some black hat could have made off with gigabytes of confidential data. Think these white hats are bad? Wait until you have class actions out the wazoo because many of your customers are now facing the business end of your overconfidence.
      Screw modern hacking laws because they are stale and outdated. People always like to tack on new laws without even considering removing or revising obsolete sections. All it's going to do is alienate any potential allies. The bad guys won't get caught because they hide, the good guys don't hide because they think they don't have a reason to.
      White hats are thrown in jail because they get bad attention and can cause a PR mess. Many times, the work of black hats can be covered up by the company or government. How many stories have we heard of hackers holding sensitive data ransom or extorting businesses in some way? You really don't think EVERY incident gets publicized, do you? These people want to make it look like they are tough on hackers, so they go after the easiest and most public targets.
      You will be giving a powerful message to upcoming generations of hackers. If the end result is the same, what the hell do I need this white hat for?
      Someone will come knocking at your door, it's inevitable. What color hat do you want him to be wearing?

  23. Re:What a joke by Entrope · · Score: 3, Insightful

    Your argument falls flat on a number of points.

    Reportedly, his access to the NYT systems was by using publicly accessible proxy servers. Saying he needs prior authorization to do that is naive -- do you need prior authorization to access arbitrary mail or web servers on the Internet? Leaving the systems open is prima facie authorization. There would have to be some indication that only NYT employees (or whomever) were authorized to use the system.

    You are amused that he uses the same tactics to access many poorly secured networks. Does it not worry you that so many networks are poorly secured in identical ways? I believe that is a much more significant issue.

    You are further amused that he does it not for money, but for publicity. HELLO MCFLY. There are an unknown number of other systems just waiting for someone to break into them. If Mr. Lamo publicizes the existence of gaping security problems (especially after working to help close the specific examples he finds), it encourages other businesses to close their holes. Without him, many of them would rather sit fat and lazy and hope whoever penetrates them gets caught.

    That publicity also brings business to the security professions who you think consider him a joke. Talk about biting the hand that feeds you.

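    A check an editor would add at this point (added example; it is not code from the original thread or from any of the posters): the thread attributes the NYT access to publicly reachable proxy servers, and the failure such a proxy exposes is forwarding requests from clients outside the network to hosts inside it. The script below scans a simplified, constructed Squid-style access log for exactly that pattern, flagging any external client that was proxied to an RFC 1918, loopback or link-local address, or to an assumed-internal hostname. The log format, the internal name suffixes, the sample lines and the network list are all assumptions; adapt the parser to the real proxy's format before relying on it.

```python
"""Flag open-proxy exposure: external clients forwarded to internal hosts.

Assumed, simplified Squid-style access log line (constructed for this example):
    <epoch> <client_ip> <method> <request_target> <status>
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample log, not taken from any real system. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet clients.
SAMPLE_LOG = """\
1030400000.123 203.0.113.7 GET http://intranet.example.internal/directory 200
1030400001.456 203.0.113.7 CONNECT 10.1.2.3:445 200
1030400002.789 10.0.0.42 GET http://www.example.com/ 200
1030400003.012 198.51.100.9 GET http://www.example.com/news 200
1030400004.345 198.51.100.9 GET http://10.1.2.3/admin/ 403
"""

# Explicit list rather than ipaddress.is_private(): Python also treats the
# documentation ranges used above as "private", which would hide the hits.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed internal DNS suffixes; tune per environment.
INTERNAL_SUFFIXES = (".internal", ".local", ".corp")


def is_private_host(host):
    """True if host is an internal IP, carries an internal suffix, or is an
    unqualified single-label name (which only resolves inside the network)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower()
        return name.endswith(INTERNAL_SUFFIXES) or "." not in name
    return any(ip in net for net in INTERNAL_NETS)


def destination_host(method, target):
    """Destination host of a proxy request: 'host:port' for CONNECT,
    an absolute URL for everything else."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def find_inbound_forwards(log_text):
    """Return (client, method, target, status) for every request in which an
    external client was forwarded to an internal destination. The status is
    reported but not filtered on: a 403 today can be a 200 after the next
    config change, and the attempt itself is the signal."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or truncated line; skip rather than guess
        _ts, client, method, target, status = parts
        if is_private_host(client):
            continue  # internal users reaching internal hosts is expected
        if is_private_host(destination_host(method, target)):
            hits.append((client, method, target, int(status)))
    return hits


if __name__ == "__main__":
    for client, method, target, status in find_inbound_forwards(SAMPLE_LOG):
        print(f"external {client} proxied {method} {target} -> {status}")
```

    Run against the embedded sample it reports three forwards: two from 203.0.113.7 (one GET to an internal hostname, one CONNECT to 10.1.2.3:445) and one denied GET from 198.51.100.9 to 10.1.2.3. A proxy that is meant to serve only its own users should produce zero such lines; any non-zero result means the proxy is reachable from outside and is willing to relay inward, which is the misconfiguration the rest of this thread is arguing about.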
  24. Re:Great Excuse by Anonymous Coward · · Score: 1, Insightful

    Ok so the person breaks into my car, proves he could steal it, and tells me how to keep others from breaking in.

    In the meantime he has taken my credit card number off an old bill I have in the glove compartment, gotten my mother's maiden name from a birthday card sent to me by my grandmother that's stuck in the visor, and taken my SSN off a job application I had sitting in the passenger seat. Somehow magically 3 months later my CC is maxed out with charges I never made.

    Ok so we let Adrian off. Can you promise all those people on the NYT list that he didn't do anything with the information he had access to?

  25. It brings up another issue by The+Tyro · · Score: 3, Insightful

    and that's ethical vs not, whether it's hacking, or journalism.

    Journalists are supposed to operate by an ethical code, and the vast majority do so. Journalistic ethics would say that you cannot break the law in order to get a story... though that's not to say it hasn't been done. Check out this link. It would seem that ethical standards in journalism are quite flexible, and that there is no set rulebook. Instead, as in ethical dilemmas in many disciplines, one must weigh competing evils. The evil of impersonating someone, or operating under a false identity, versus letting a politician go on with corrupt, harmful actions... which weighs more, and who decides?

    By the same token, one might make the same argument for Adrian's actions. He intended no harm (as an investigative reporter might intend no harm in impersonating someone else to get a story), so the Mens Rea AKA "guilty mind" did not exist. Reporters often argue, when investigating and digging into the lives of public figures and officials, that those officials have less of an expectation of privacy than regular citizens... and to some extent they're right. Yet, how does the watchdog presume to waive the privacy of others in the pursuit of a story, while immediately running to the FBI? The media also argue that they have the right to dig, based on the fact that they are defending the public's "right to know." (how many times have we heard that?) The media assumes that power as society's watchdog... but who's watching them? Apparently, Adrian was, and they are NOT happy about it.

    It's doubly ironic that an organization dedicated to exposing the truth (ostensibly in a transparent, above-board, and for-the-greater-good fashion), is getting their panties in a bunch over someone showing them some truth in a like manner. Apparently the old grey lady doesn't have a problem airing the dirty laundry of others, but is awfully sensitive about her own problems... and from an ethical standpoint, Adrian's actions are probably arguable either way.

    I'm sorry, but I find this whole thing incredibly funny.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
  26. Oh, because corporations are always trustworthy by the-banker · · Score: 4, Insightful

    I understand most of the arguments against what Lamo did, but there are a few points I want to get off my chest:

    1. To all those saying, 'It's like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have ruled one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.

    2. I don't know how it needs to be done, but truthfully do you (the collective Slashdot you) trust companies to secure their networks, perform audits and be upfront and honest about their failures? If I were a NYT partner I would be furious that my information may have been publicly accessible, yet I would never have known about its vulnerability without Lamo. How many companies have been hacked, had credit card or other info stolen, and just not said anything about it? When Acxiom was hacked, personal information on individuals was stolen over 8 months before they "discovered" the hack - and the hack was found by Hamilton County, Ohio Prosecutor's office when investigating another case that had come forward. What are the chances that Acxiom KNEW they had been hacked, compromised personal information, and said nothing? I am guessing with the current climate of corporate ethics, a pretty high chance exists that a lot of information is being disseminated by people who stole it and consumers have no idea because the company in question is sweeping it under the rug.

    Hacking into someone else's system is bad. Nobody can disagree there, but the bottom line is a tradeoff of negative impacts - for what Lamo did I see a lot fewer negative consequences than today's corporate irresponsibility with personal information and computer security.

  27. Response by Overly+Critical+Guy · · Score: 3, Insightful

    I say, "Why did you have to break into my car to write me a note?"

    --
    "Sufferin' succotash."
  28. Interview him by BortQ · · Score: 2, Insightful

    I would really like to see a slashdot interview with this guy.

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
  29. Re:Great Excuse by morissm · · Score: 5, Insightful

    The home invasion analogy is a very bad one. A home is by its very nature badly protected (you don't spend millions securing it, do you?) but it is also a sanctuary, a place where a break-in results in a certain emotional stigma.

    A better analogy would be this one: Suppose that somebody is waiting in an airport's lobby. He has not gone through the security checks yet. While waiting, he notices airport personnel going through what seems to be an unlocked employee-only door. A thought flashes in his mind: "This doesn't seem very secure. I thought airports were supposed to be secure." So he goes to the door and lo and behold, it is unlocked! He goes through it and finds a bunch of corridors and doors.

    Naturally curious and a little adventurous, our guy wonders how far he can go. He goes forward and manages to get to the departure area WITHOUT going through security. He feels a little proud of having easily broken a system on which governments and airlines have spent millions.

    Being a good citizen, our guy then goes to the security counter and shows his finding to the cop. But suddenly, the cop puts cuffs on him and charges him with trespassing and attempting to bypass security in an airport. Of course, the proper action would have been for the guy to go to security as soon as the unlocked door was found. Adrian Lamo should have stopped his investigation at the misconfigured proxy.

    However, is it reasonable to charge somebody with a federal crime for having gone a little further in testing the security of a system? Whether it was an airport or NYT's intranet.

    I don't think so. The FBI can claim that they don't know whether the guy smuggled dope during his attempt and the NYT can claim that they'll have to check every system for backdoors but I believe it's mostly bad faith from people lashing out because they felt humiliated. Get a grip... fix your stuff and move on. Destroying the life of somebody who tried to help you is just stupid and cruel.

  30. Re:The Real Problem by Anonymous Coward · · Score: 1, Insightful

    How did SecurityFocus bring up this security flaw to the NY Times..??? Did they come right out and say "My client Adrian Lamo hacked your environment and would like to help you fix it???".. or did they say "My client believes your website is vulnerable to hacking and would like to help you correct the problems (for a fee (optionally)). Would you like his help?" Note the two distinctions.. The former is putting blame on Adrian and the other is not.

    In my opinion, from a societal point of view, what Lamo did was wrong.. From a humanistic (helping humanity) point of view, he was right. But the point I'm trying to make is that right or wrong the problem was not Adrian.. The problem was SecurityFocus for not portraying Mr Lamo's exploits in a manner enabling the NY Times to be more accepting of his actions (whether they knew what he did or not).

    Just my two cents.

  31. The Problem is how they're handling this by miraclemax · · Score: 2, Insightful

    I personally am of two minds about this whole thing. I understand that if he really was meaning to be honest and helpful with his exploit of their shoddy system, that he was doing a good thing in helping them correct it. Better someone who would be nice about it than someone who would not tell. but, at the same time, regardless of the intent, he did do something illegal. And regardless of your intention afterwards, it was a violation to their system and property to do so in the first place. So, in all fairness to his intentions, he should be prosecuted after due process. **What IS wrong, however, is that he has not been allowed to see the charges against him. He has said that as soon as he sees the charges against him, as is his Constitutional right, that he will turn himself in, so long as those charges are reasonable. Remember that Kevin Mitnick reportedly had inflated wild charges brought against him in a hacker hysteria and had reportedly had a lot of his rights violated in captivity. If I were him and pending jail time, I would be very nervous in light of this and other previous cracker captures.

  32. Re:Great Excuse by Anonymous Coward · · Score: 1, Insightful

    My friend was leaning his back on the door, which was open. He fell right in.

    The analogy breaks right there. Your friend didn't go around trying lots of doors to see which ones were open. Your friend, upon finding one that was open, didn't go in and wander around.

    Sure, if you accidentally find a security hole, notify the people responsible, but if you deliberately break in and then ask them to pay you to help them fix it, then that's nothing short of extortion. How do they know that he didn't leave backdoors? They need to do a complete audit of the systems he gained access to.

  33. Re:Great Excuse by arth1 · · Score: 4, Insightful

    What companies do about those who warn them is what irks me. Not only do they press charges as if they had been maliciously broken into, but they tend to want to bill the white hat hacker for EVERYTHING related to the incident, including but not limited to ignorant PHBs spending months in meetings about it, as well as the price for fixing the mess.

    It's like you getting to work one day and finding a note stating "the bathroom window opens from the outside, and the spare key for the filing cabinet where you keep customer data shouldn't be taped to the bottom of the counter." Then what do you do? Call in all the staff, and close up the store for a week while you hold meetings, followed by changing all the locks and buying a gun, and finally suing the person who left the note, charging him with the total costs of what you did?

    Or you tell a farmer that you were hiking in his woods when you discovered that his game warden was poaching. The farmer's reaction is charging you with trespassing. While he may have a legal right to do so, he'd be a real jerk AND idiot to do so.

    The above is, unfortunately, the analog to what's happening in the electronic world.

    I'm not saying that Lamo and other self-appointed white hat hackers are RIGHT in what they do (I believe they aren't), but even if the messenger isn't welcome, you don't shoot him or blame him for all the problems he reports.
    The main reason why you shouldn't do that isn't just because it's a petty thing to do, but because you HURT yourself and others in the long run.

    See, if I were a hacker operating like Lamo, and saw companies doing that, instead of alerting the companies and risking facing their and the paranoid lawmakers' full wrath, I would stop alerting the companies about their flaws -- instead, I would anonymously alert the PUBLIC.

    Seen from the viewpoint of a company, what's better about that? Yet, that's what they're pushing hackers into.
    The companies might argue that they would want people to stop rattling doors in the first place, and that's a valid argument. However, it's not going to happen until you have exterminated every potential criminal and curious kid on the planet.
    In a Utopia, you don't even need a door lock, because no-one would ever walk through the door without a right to do so. However, companies can't argue that as a defense -- not installing a lock would be seen as gross negligence, because it's expected that criminals and curious people will trespass unless minimal safety measures are taken. That's how our society is.

    Charging Lamo is a signal, all right. Unfortunately the signal isn't "don't test our security uninvited", but "once you've tested our security uninvited, don't tell us -- stay anonymous and tell it to everyone else".

    Regards,
    --
    *Art

  34. All the news thats is fitted to print by cluge · · Score: 4, Insightful

    The NYT is one of the most hypocritical organizations today. They sue to get 9/11 tapes of people dying - all in the name of "openness" and "public information", yet they have a network connected to the public network - which is open and transparent through their own doing - and that's bad/illegal? PLEASE - The NYT's proxy servers were so misconfigured that it was akin to them posting information in the window of the downtown offices and then getting pissed if people read what they posted.

    You can bet your rear quarters that if our hacker had been a reporter on a story for the NYT that they would be vigorously defending his actions. Like most large corporate entities the NYT has no moral basis for anything it does, in the end it's about money, not honesty, truth or enlightenment. It sure as hell isn't about the Times' mission statement which is "The Company's core purpose is to enhance society by creating, collecting and distributing high-quality news, information and entertainment."

    Perhaps our hacker should have "enhanced society" by distributing the information he found to the world. It would have been high quality news to see how one of the most influential papers is really run.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  35. Re:Its a sad world by gvc · · Score: 2, Insightful

    It might be more apt to consider what the response might be if you walked up and down the street trying the doors on houses belonging to people who don't know you from Adam, without regard to whether they were home or not.

  36. Re:Great Excuse by MrHanky · · Score: 2, Insightful

    The analogy breaks right there. Your friend didn't go around trying lots of doors to see which ones were open. Your friend, upon finding one that was open, didn't go in and wander around.

    Exactly (although he did go in and wander a bit). My point being, there are certain grey areas, but most people will agree where the lines between grey and black are. He was definitely trespassing, but that was the best way to find a phone (and phone number). And he found the door open purely by accident - he most certainly didn't break in. Using nmap on a large netblock is hardly an accident, neither is willfully sending GET /default.ida?NNNNNNNNNNN[...] requests to an unpatched IIS (no that's probably not what Lamo did, but it's one of the few exploits I know).

  37. Re:Great Excuse by Anonymous Coward · · Score: 1, Insightful

    All those "stealing my car" and "breaking into my house" analogies are completely false, and do not apply. You do not actually "break into" a computer network when you hack, despite the wording: you establish a channel of communication with a computer that sends you back data. So the proper analogy would be that you get to talk to someone on the phone you shouldn't be talking to, and they say things they shouldn't be saying to you. Now, it's clearly their responsibility to determine whether or not they should tell you these things - if they do and you're not supposed to, then you have defective security. If, instead of taking advantage of this, you explain to them how to tighten that security (and free of charge, at that), then you're really doing them a service.

    I look at it this way: if Lamo was to crack my own network and then explained to me how to fix it for free, I'd be extremely grateful (and I'd probably give him some money anyway). In fact, I wouldn't be surprised if, should he be arrested and tried, all the corporations he helped over the years helped pay for his defense and testified in his favor.

    One thing's for certain, though: please stop with the misleading analogies. They completely miss the point.

  38. Police vs. judiciary by gvc · · Score: 2, Insightful

    As far as I know, John Ashcroft has not yet been able to completely eliminate the distinction between these two distinct components of the administration of justice.

    Most of the arguments that I've seen here are the sort that Mr. Lamo can make in court. If the court finds that his actions were justified, it has the opportunity to acquit, or to give some other form of discharge.

    In my neighbourhood, I would like the police to arrest people they find in jewellery stores late at night, or in my home while I'm on vacation, or on my computer without permission. If the prosecutor or the judge decides that no charge should be made, or that the charge should be dropped, fine.

    While I feel some sympathy for this self-appointed security checker, I can't immediately fault the police. Especially without access to the facts of the case, which will be exposed in the judicial process.

    One might argue that Mr. Lamo is being punished by having to go to court. I think not. He must have been well aware that his actions were provocative and that this was a likely outcome. Now he will have the opportunity to justify his actions.

  39. Entering via an open door... by podperson · · Score: 3, Insightful

    If you leave your front door open and I take a look inside your house, what crime have I committed? At most, I am told, trespass. If you left the keys under the mat and I opened the door, it's breaking and entering.

    Similarly, if I take your car with the clearly stated intention to return it when I am done (e.g. if I desperately needed to drive someone to the hospital), I haven't stolen it, I've borrowed it -- with or without your permission.

    Theft, burglary, etc. are crimes defined in part by the intention of the alleged perpetrator and the damages suffered by the alleged victim.

    OTOH we live in a world where one of the first "terrorist" groups targeted by the government after 9/11 were Environmental Activists who destroy machinery but have been careful never to hurt anyone.

    But I'm no lawyer.

  40. Re: hacking and intentions.... by parliboy · · Score: 2, Insightful

    Well, the big reason he was taking his sweet time was that the federal prosecutor sealed the charges. When you see sealed charges today, you know that's the thing that goes hand-in-hand with being disappeared and threatened with charges of terrorism if you don't plead guilty.

    Sorry, but I don't think I'd do anything different in those circumstances.

    --
    "You're never ready, just less unprepared."
  41. Further evidence of our retarded society by KalvinB · · Score: 2, Insightful

    "without requiring any specific agreement from them before use"

    This is just another example of why our world is going to shit. Too many retarded people that think I have to make you sign something before you can't damage something I own.

    Didn't sign an agreement that you can't egg my house on Halloween? Guess you can then huh? What are you, stupid?

    Our society has become so braindead that unless you tell someone specifically not to do some specific act, they assume they can regardless of the fact general laws exist.

    Property laws exist that say you can't damage other people's property. Why? Because common decency has gone out the windows thanks to an abundance of retards that have engulfed our society.

    "Therefore you wish him punished as a tresspasser?"

    Listen, idiot. You don't need to sign an agreement that you won't damage my property before you're not allowed to.

    Unf-in believable. Do the Slashdot community a favor. Pack up your computer and send it back to HP where you got it from.

    Ben

  42. Re:Great Excuse by Penguin's+Advocate · · Score: 2, Insightful

    Don't alert the public! You'll get sued for defamation or slander or something. You get in trouble either way.

    Anyway, since he already did... The customers (or employees) of NYT should sue the NYT for their lax security which puts their personal information at risk.

    The problem with this whole thing is that the "right" thing to do is not the same as the "legal" thing to do. It is right to help people. Whether it's helping my car not get stolen or helping me not get sued by all my customers when their info is used for shady purposes. The world is so F'd up and people are so F'd up and nobody trusts anybody and they really have no reason to and it's F'ing pissing me off and I can't think of anything to do about it. The world is FUBAR and it's everyone's fault and nobody wants to F'ing admit it and so everyone's just sitting there afraid to do anything (and they have every F'ing reason to be afraid) and there's a few powerful people out there who aren't afraid to do anything, in fact they've got some set of F'ing balls. And the number of those people who are evil is exponentially greater than the number of those who are good. It's all just so F'd up. You can't do a damned thing for anyone anymore without having to worry about getting sued. You try to do something nice for someone, something goes wrong and now you're up shit's creek without a F'ing paddle. The only good people out there are the people who don't sue people, and they're all F'd because they're all gonna get F'ing sued by some worthless punk who's pretending to be hurt so he doesn't have to work for the rest of his life and who doesn't give a flying F about you or any of your problems and is only thinking about himself. The whole F'ing world seems like it's the same way, "One-Way". ME ME ME I I I and F everybody else and the horse they F'ing rode in on. Nobody accepts a F'ing apology, everyone's out for a quick $ and nobody gives a shit about anyone else. I care about people, I'm nice to people, I help people, and one of these days I'm gonna get F'ing sued for it or arrested for it, and you know what, I don't give a shit, I'm not going to stop being human because a bunch of greedy F's don't give a F about me or my family, F them, and F anyone who agrees with them.

    --
    Frag 'em all...
  43. Re:Great Excuse by Planx_Constant · · Score: 2, Insightful

    YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!
    Rosa Parks broke the law. Gandhi broke the law. Our founding fathers broke the law. They all seem like pretty good reasons to me.
    Adrian Lamo does expect to go to jail. He is willing to turn himself in, once he knows what the charges are.

    --
    Heisenberg might have been here.
  44. Re: hacking and intentions.... by Tadghe · · Score: 3, Insightful

    King TJ, you should read a bit on Mr. Lamo before you go casting stones.

    1. He has repeatedly turned down anything from the companies he's helped.
    2. He has always agreed to sign whatever NDAs are required of him.
    3. That hardly fits the profile of someone trying to "bolster" his profile.
    4. He has done this for *years*.
    5. He has (as far back as I can remember hearing him speak) been aware that one day someone would not take too highly of his efforts.
    6. He's hardly on the run, he's trying to get in touch with his lawyer to set up the details of turning himself in.
    7. He has NEVER released (as far as I can remember) the exact details of ANY of his corporate hacks.

    Want proof? Go search SecurityFocus, he hangs out on BugTraq and a few of the other lists. For heaven's sake man, quit trolling without at least reading about the guy.

    --
    Bugs Bunny was right.
  45. Re:Fit? Stops. R by zootread · · Score: 2, Insightful

    This is hardly practical or applicable to the real world.

    I disagree. A lot of vulnerabilities are found the way I described. They are only exploited after they've been found and the script kiddies know about it. Doing something illegal is hardly practical, in my opinion.

    As for getting permission in advance, how many sysadmins do you know would give a hacker permission to try to get in through security?

    I'm talking about hiring a professional to try and penetrate your network in order to determine where the vulnerabilities are. This is what is practical and applicable in the real world. I'm not talking about giving some random kid permission to screw with your network.

    Before all of you get high & mighty and denounce what Adrian did, realize that his way of doing things is probably the only one that works.

    You mean the one where you get caught?

    --
    Zoot!