Slashdot Mirror


Adrian Lamo Charged With Hacking

retro128 writes "Drifting around the US from state-to-state, Adrian Lamo has been making news for some time with his 'White Hat' hacking exploits. His highest-profile hacking has included Excite@Home and Yahoo. After he would break into a network, he would call up those in charge of it and help them fix the holes. So far, it has earned him praise from the administrators of those systems, but now SecurityFocus is carrying the story that the FBI has filed charges against him, and currently has his parents' house staked out. The records are sealed, so nobody knows who is responsible, but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got."

17 of 527 comments

  1. Great Excuse by Pave Low · · Score: 3, Interesting
    So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

    Maybe I didn't install a deadbolt and an alarm system, but who made this guy the "helper" of my problems?

    There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens.

    --
    SIG:Slashdot: indymedia for nerds.
    1. Re:Great Excuse by hattig · · Score: 5, Interesting

      Agreed. If he wanted to perform white hat hacking, he should have approached the companies involved and asked for a job to test their security. Hell, he'd have earned money that way as well.

      But he did commit a crime - he broke into and entered their systems without permission. Sure, he did it for a good reason in his own head, and wasn't going to be malicious ... but it isn't as if he was doing the internet equivalent of rescuing the baby in a house fire.

    2. Re:Great Excuse by moonbender · · Score: 4, Interesting
      So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?
      That analogy doesn't have a lot of merit. You're a private person, he didn't break into private computers. If a bank has a door to their vault which they don't know of and which is never locked, then yeah, they should be grateful for being told about it. Obviously, there's no bank so stupid, but that just goes to show that banks have a lot more experience dealing with real-world break-ins - another reason why this guy should be acknowledged for his deeds, he's making people aware of problems which they are not experienced in dealing with.
      --
      Switch back to Slashdot's D1 system.
    3. Re:Great Excuse by MrHanky · · Score: 5, Interesting

      An interesting analogy.

      After drinking heavily in a bar, a friend of mine and I bought some slices of pizza at a shop, and went outside to eat. Since we were too drunk to stand up, we sat down on the steps outside another shop, which was closed for the night. That is, it should have been. My friend was leaning his back on the door, which was open. He fell right in.

      Now, the right thing to do, according to you, would be to go away, minding his own business. And what the hell was he doing, trespassing on the steps outside the shop and all. If this was in Texas, he would be rightfully shot. However, my friend, being both an imbecile and a crook with neither morals, nor respect for private property, went inside to look for a telephone and hopefully the phone number to the owner (we were both too tired to do any serious looting). And so the owner was noticed and the door was closed, and my friend got a serious hangover.

      The moral of this story is: if you drink, you get a hangover, so alcohol is bad, 'mkay?

  2. Damn straight he should be arrested by Servo · · Score: 2, Interesting

    He was violating the law. He did not have prior authorization when he hacked into these systems. While some companies may have been happy to be warned of the vulnerabilities they had, and were glad to have them fixed, what he did was still illegal. He should deserve to be arrested, but given his motives will hopefully be given some leniency when it comes to sentencing.

    --
    A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
    1. Re:Damn straight he should be arrested by Anonymous Coward · · Score: 1, Interesting
      This is like someone coming up to your car and washing your windows or something, then asking for money. No, if I asked them to do it, fine, go ahead, if they just go ahead and do it I ought to beat them with a stick and yell a firm "NO" so they get the point.

      Or, another scenario if you're touchy about bums. If you take your car to a mechanic to get the brakes done, and he comes back and says "oh, while I was in there, I noticed your engine looked shot, so we dropped a new one in there, the bill's $5000, took a lot of time to get done." Same principle as before, you ought to beat the mechanic with a stick for trying to screw you.

      I'm sure his intentions were good and a few companies may have been appreciative, but it's kind of like if a psychologist just walks up to you and tells you that you're depressed and you secretly fantasize about your mother due to long-term neglect. You let companies come to you, you don't just go in and decide you're going to help them. It doesn't work like that. Now this guy knows that, maybe he'll pull a Mitnick and open a legit business and let companies come to him...after he serves his sentence, be it 100 hours of community service, or a couple years in a "pound you in the ass" federal prison.

  3. Re:Go Mom! by LostCluster · · Score: 2, Interesting

    Yeah, there are many reporters through the years who have broken laws in the course of reporting, and I'm sure some archive searchers can come up with NY Times examples, where the investigative reporter escapes punishment because they broke the law in the name of journalism.

    Lamo didn't down the company, or commit credit card fraud with Rush Limbaugh's SSN. There are much worse hackers out there, but the FBI's just looking for somebody to make an example of because they can't quite figure out where the first SoBig came from...

  4. Re:hacking...a service by globalar · · Score: 3, Interesting

    From the article:
    "'I hope there will be a time when Adrian can do positive things that everyone agrees are positive,'"

    This service analogy, or the positive light of the grey hacker's actions, does have some weight, as the hacker can inform the admins about the specific flaws of their system security.

    But then again, any service should be prompted or invited. And a larger problem is this isn't just washing windows, these are problem areas, flaws, and security flaws at that. These might even give access to a company's dirty laundry. So not only is this service uninvited and not approved, it gives access to private company resources and information, and uses the security holes to get in.

    Yes, I assume if security is the only dimension that your job entails, then this is all worth it. But to most people in charge, and arguably the general populace at large, this is an intrusion by illegal means.

    I personally value my private virtual space. If you get on my computer and get into my root account, it's an intrusion. Yeah, I will listen to how you did it, but for your troubles you'll never use my computer again.

  5. Um, what?? by GrouchoMarx · · Score: 5, Interesting

    OK, white hat cracking someone is still cracking their system, no matter how benevolent the intent. But this part just makes my blood boil:

    French did not know what the specific allegations were, because the charging document is sealed.

    Especially in light of this part of another article that people need to spend more time reading:

    In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

    Excuse me, what part of cracking the NY Times is a threat to national security? Why are so many court documents sealed these days? There is NO legitimate reason for securing this sort of charge. Even if the prosecutors were to go as far as claiming he were a terrorist, there's still no nuclear weapons secrets (which we all know by now anyway, despite being classified) in the NY Times payroll database.

    He should use that in his defense; because the case was sealed, it's unconstitutional and therefore he can't be found guilty.

    I don't support this sort of vigilante white hat hacking, but I oppose ignoring the constitution even more.

    --

    --GrouchoMarx
    Card-carrying member of the EFF, FSF, and ACLU. Are you?

  6. Re:This seems unfair by Anonymous Coward · · Score: 1, Interesting

    Isn't what he did sort of like what the New York Times recently did when they rented a boat and penetrated one of the security zones in NYC? The police apprehended them but let them go.

  7. Re:Go Mom! by SunPin · · Score: 2, Interesting

    Yes, you are correct but he should have covered his ass by setting up a security magazine online so he could enjoy the Freedom of the Press.

    Freedom of the Press belongs only to those that own a press. Everyone else will be raped when the system feels like doing so.

    --
    Laws are for people with no friends.
  8. What a joke by Vellocet · · Score: 2, Interesting

    Come on. This guy has been breaking computer laws for years. Entering a system without prior authorization is against the law, period. Two things amuse me about Adrian Lamo: 1) He has never demonstrated significant or diverse knowledge of computer networks. The methods he uses to enter systems are trivial and repetitive. His ego is the only thing that can't be replaced by a simple script. 2) He brags about not accepting or extorting money. It's just as sickening that Adrian Lamo is all about fame. As the article points out "In February, 2002, Lamo told the Times of their vulnerability through a SecurityFocus reporter." As usual, Mr. Lamo talks to the cameras before talking to his victims. This is how this guy gets paid: national press coverage. To any security professional, this guy is a complete joke. Let him slide back into obscurity.

  9. Re:My house, my property by Henry V .009 · · Score: 2, Interesting

    So you maintain physical lines for people to send packets of information to your server, without requiring any specific agreement from them before use. You have no contract they must first agree to, and no posted rules that they must first read before sending packets to your computer. Someone uses one of those physical lines to send information to your server. Your server sends information back to him that is not acceptable to you. After the fact, you feel that the information he sent went against some permission that you never explicitly stated. Therefore you wish him punished as a trespasser?

  10. It's a sad world by madstork2000 · · Score: 2, Interesting

    Consider this:
    You see an open door at your neighbor's house. You know the guy is on vacation.

    Do you call the cops? Probably not, you just go over and check out the place for him. Most of the time the door was not securely latched, or the kids watering the plants forgot to close it.

    But what if you discover that the place has been trashed and stuff presumably stolen. I would call the cops, and my neighbor. Would they be suspicious of me? Yes probably at first, but in the long run they'll more likely be grateful.

    Obviously, there are good reasons for laws, trespassing is one of the fundamental laws throughout history. But, I'm willing to give up a little privacy if and when someone goes out of their way to HELP me protect my property. I'd much rather a neighbor walk through my house in my absence if they think something is wrong.

    I also happen to own a tiny hosting company, and I would definitely rather have a white hat let me in on specific exploits my system is vulnerable to rather than leave it alone and let the script kiddies do their thing, if I have screwed up.

    Unfortunately for Mr. Lamo a law is a law, and with the overzealous (at least on high profile cases) FBI on the case, they'll probably try to make him into another Mitnick.

    It is a sad world, everywhere we go policies, principles, and even laws try to dissuade people from working together and co-operating. Capitalism, democracy are great in principle, and can be in practice, but even the best ideals can be bastardized by people in power.

    Free software is said to be communism by its critics, sharing code in a CS course is bound to get you expelled, make a backup copy of a CD and face the wrath of the RIAA, the world will probably end if the same DVD can be played in Europe, Japan and the USA.

    This is in my opinion another example of moral decay. We have all these rules and laws that do not promote morals, but rather promote some arbitrary standard of "rightness".

    It is the principles of openness, and co-operation that have drawn me to Linux, and free speech software. I'm trying to raise my children right, to teach them to help others for the sake of helping. When something needs to be done, if you can do it, do it. I try to instill them with team values, that together they can accomplish more than they can by themselves.

    It's just a shame that the way things are going I'll likely end up looking like a bad parent...

  11. Re:Fit? Stops. R by krymsin01 · · Score: 4, Interesting

    I'm sorry, but I think your analogy is unsound. A true white hat hacker doesn't drink the beer, try on the underpants, eat the pizza. More like someone you would drive by with your trunk door open, and they tell you that it's open so that all your stuff, which might be your private underclothes, doesn't end up in the middle of the road for everyone to see.

    People often make the assumption that morality dictates law. This is simply not true. In other words, if someone breaks into your system and tells you about it and helps you fix the holes instead of using your system for their own personal gain, then he's done you a favor by doing your job for you and saving your employers money if someone ever did exploit you maliciously.

    --
    stuff
  12. Re:Fit? Stops. R by zootread · · Score: 3, Interesting

    I agree that the analogy does not work. I think a better analogy is:

    You happen to figure out the combination for the lock of my safe. You open it up, look at all the nudie photos of my girlfriends (and maybe watch one of the videos). So then you tell me you figured out the combination to my safe and opened it. I know what you've seen.

    So say someone breaks in but doesn't appear to do anything malicious. How do you know he didn't look at anything? How do you know he didn't read everyone's personal mail, or log any credit card numbers or passwords? You don't. Sure, a true white hat should not be doing these things, but do you really trust someone to be a true white hat?

    When I was a teenager, I used to gain unauthorized access to systems for fun, but never did anything malicious. I was a bit of a white hat, and got rid of other people who had cracked the systems. However, I was keenly aware of the fact that I could be arrested and charged heavily for what I was doing. If you do something illegal, you can be charged for it. Sometimes the law isn't right, but I'm finding it hard to side on Adrian Lamo's case here.

    I would love to go around cracking systems for fun and telling the admins how to fix the problems without having to worry about getting arrested. But this is simply not the case.

    --
    Zoot!
  13. Re:Fit? Stops. R by zootread · · Score: 3, Interesting

    I'd also like to add, I don't think the term "white hat" can apply to people who illegally break into systems. A white hat would be someone who sets up his own systems and tests security on them, or has permission to work on a system. He would announce vulnerabilities when he finds them, usually contacting the author of the vulnerable software first. He's the true "good guy" who has done nothing wrong.

    There's another term for someone who breaks into systems illegally, but does not do anything malicious, who may or may not do anything to help fix the problems. I believe they are called "grey hats." Hence the grey area here.

    Of course the black hats are the true criminals, who are doing other illegal activities besides the break-in (stealing credit card numbers, destruction/defacing of the systems, etc).

    --
    Zoot!