Adrian Lamo Charged With Hacking
retro128 writes "Drifting around the US from state-to-state, Adrian Lamo has been making news for some time with his 'White Hat' hacking exploits. His highest-profile hacking has included Excite@Home and Yahoo. After he would break into a network, he would call up those in charge of it and help them fix the holes. So far, it has earned him praise from the administrators of those systems, but now SecurityFocus is carrying the story that the FBI has filed charges against him, and currently has his parents' house staked out. The records are sealed, so nobody knows who is responsible, but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got."
Maybe the real problem that the New York Times has with Lamo is that he was able to read stories without having to register for a free account. (Hell, that stupid registration requirement makes me want to hack them too.)
Who needs more greyhats running around testing security without so much as permission?
Maybe I didn't install a deadbolt and an alarm system, but who made this guy the "helper" of my problems?
There are no white-hats, gray-hats or black-hats. Only criminals and law-abiding citizens.
SIG:Slashdot: indymedia for nerds.
Here's a link to The Screen Savers (on Tech TV) that has some information about what Adrian had to say when he called in live to speak with Leo.
-- Never monkey with another Monkey's monkey
Well, zero tolerance. The thing here is that to an awful lot of people, and especially those who make the laws, hacking is hacking is hacking, who cares what someone says they were doing it for.
I can really understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system. Then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."
I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charges against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.
Heheh... when the agents wanted to come into her home, she told them to get stuffed and come back with a warrant...
That's love, folks.
It would be ironic if this was set up by the NYtimes. I thought investigative/secret camera/sting operation reporting was supposed to be aggressive journalism... couldn't his "hack" be considered the same sort of thing? "Unsporting" doesn't begin to describe it, particularly if he was up-front and honest about helping them out. If the NYtimes can investigate, blow the whistle on others, and embarrass them into action, I'd say the same card can be played against the Times. "Sour Grapes" anyone?
Yes, he was likely technically in the wrong, no doubt about it, particularly if you adhere to the letter of the rule, rather than the spirit of the rule... even so, this seems a bit heavy-handed.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
If he's going to hack websites, even with the best intentions he's still breaking the law. It seems it would be better for him to work at a security firm (or open his own) and at least get paid for all his troubles. Then he'll be rich and he'll be praised for basically doing the same thing.
I am not sure what he did at the New York Times can even be considered hacking.
So far as I can tell he set his web proxy to the address of the company intranet, surfed around that, downloaded some documents and used the information contained in these to get some more.
Whilst I don't approve of hacking per se, I'd have to say that here, this is very little more than exposing a badly designed web site.
Imagine that you go to your gas company's online web site, look at the URL and see your account number in it. You think to yourself, I wonder what would happen if I changed one of the digits. You do and lo and behold up pops all the information of another customer.
Now you can go for your 15 minutes of fame and ring up SecurityFocus or you can have a quiet word with the Webmaster of the Gas company - either way, you are not a hacker.
Slashdot's first reaction to VMware
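The "change a digit in the account number" scenario from the post above, as an added example that is not part of the thread: the vulnerable lookup beside an ownership-checked one, plus a small audit over constructed access-log lines that flags a session walking through account IDs. The account store, session names and log format are all constructed for illustration.

```python
"""
Added example (not from the Slashdot thread): the 'edit a digit in the
account-number URL' flaw described above, shown as the vulnerable lookup
beside an ownership-checked one, plus an audit over constructed log lines
that reports sessions reading many distinct account IDs.
"""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed account store: account_id -> (owner username, record)
ACCOUNTS = {
    "1001": ("alice", {"balance": "120.50", "address": "1 Main St"}),
    "1002": ("bob",   {"balance": "88.00",  "address": "2 Oak Ave"}),
    "1003": ("carol", {"balance": "0.00",   "address": "3 Elm Rd"}),
}


class Forbidden(Exception):
    """Raised when a caller asks for a record they do not own."""


def _account_id(url: str) -> str:
    """Pull the acct= query parameter out of a URL or path."""
    return parse_qs(urlparse(url).query)["acct"][0]


def lookup_insecure(url: str) -> dict:
    """The flaw in the post: trust the account number in the URL outright,
    so changing one digit returns another customer's record."""
    return ACCOUNTS[_account_id(url)][1]


def lookup_secure(url: str, session_user: str) -> dict:
    """Fixed version: the URL only selects a record; the authenticated
    session decides access. Unknown accounts and mismatched owners both
    raise Forbidden, so the response does not reveal which IDs exist."""
    acct = _account_id(url)
    owner, record = ACCOUNTS.get(acct, (None, None))
    if record is None or owner != session_user:
        raise Forbidden(f"session {session_user!r} may not read account {acct}")
    return record


def enumeration_suspects(log_lines, threshold=3):
    """Detection side: count distinct account IDs per session and return the
    sessions at or above the threshold. Constructed log format per line:
      <session_id> <method> <path-with-query>"""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, _method, path = line.split(maxsplit=2)
        acct = parse_qs(urlparse(path).query).get("acct")
        if acct:
            seen[session_id].add(acct[0])
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


# Constructed request log: s-alice reads her own account twice; s-probe
# walks sequential IDs the way the post describes.
SAMPLE_LOG = [
    "s-alice GET /account?acct=1001",
    "s-alice GET /account?acct=1001",
    "s-probe GET /account?acct=1001",
    "s-probe GET /account?acct=1002",
    "s-probe GET /account?acct=1003",
]

if __name__ == "__main__":
    url = "https://gas.example/account?acct=1002"   # alice edited 1001 -> 1002
    print("insecure:", lookup_insecure(url))        # leaks bob's record
    try:
        lookup_secure(url, session_user="alice")
    except Forbidden as e:
        print("secure:", e)
    print("suspect sessions:", enumeration_suspects(SAMPLE_LOG))
```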
If you break into someone's house, telling him after the fact how you got in does not automatically pardon you from the crime...
Had Adrian simply notified the New York Times in a timely manner about the open proxy servers, he would have been fine and probably accomplished his mission.
Instead, he took his time cracking the system, widening the holes so to speak, and then went to a reporter(!), of all people.
There is nothing inherently wrong with his desire to improve security. There is nothing wrong with him looking around the public spaces on the internet for chinks. What was wrong was that he failed to tell the people maintaining the chinks directly about them, widened them until he got at valuable data, didn't tell the affected people about the data he had received, but then went to a third party and told them about the wanging big hole he had made. I'm sure he views himself as a knight in shining armor, but in this matter he behaved like a publicity-seeking self-promoter.
Yes, shame on the NYT for misconfiguring their systems, but even more shame on Adrian for doing something so illegal and counterproductive.
It does not matter if a person thinks he's a good guy, he still does not have carte blanche to do whatever he wishes.
From the article:
"I hope there will be a time when Adrian can do positive things that everyone agrees are positive."
This service analogy, or the positive light of the grey hacker's actions, does have some weight, as the hacker can inform the admins about the specific flaws of their system security.
But then again, any service should be prompted or invited. And a larger problem is this isn't just washing windows, these are problem areas, flaws, and security flaws at that. These might even give access to a company's dirty laundry. So not only is this service uninvited and not approved, it gives access to private company resources and information, and uses the security holes to get in.
Yes, I assume if security is the only dimension that your job entails, then this is all worth it. But to most people in charge, and arguably the general populace at large, this is an intrusion by illegal means.
I personally value my private virtual space. If you get on my computer and get into my root account, it's an intrusion. Yeah, I will listen to how you did it, but for your troubles you'll never use my computer again.
What if I just leave a signed note on the inside of your car that says "follow these three easy steps, and then no one else will be able to break into your car again"? Do you say "hey, thanks, buddy!", or "hey, someone broke into my car!"...
pb Reply or e-mail; don't vaguely moderate.
OK, white hat cracking someone is still cracking their system, no matter how benevolent the intent. But this part just makes my blood boil:
French did not know what the specific allegations were, because the charging document is sealed.
Especially in light of this part of another article that people need to spend more time reading:
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.
Excuse me, what part of cracking the NY Times is a threat to national security? Why are so many court documents sealed these days? There is NO legitimate reason for securing this sort of charge. Even if the prosecutors were to go as far as claiming he were a terrorist, there's still no nuclear weapons secrets (which we all know by now anyway, despite being classified) in the NY Times payroll database.
He should use that in his defense; because the case was sealed, it's unconstitutional and therefore he can't be found guilty.
I don't support this sort of vigilante white hat hacking, but I oppose ignoring the constitution even more.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
If he was hired to test security it would be a different matter. But he allegedly broke into those systems without permission. That puts him in violation of Cybercrime laws.
I feel sorry for him, because he did allegedly report the weaknesses to the admins, and he could have just read the data and not told anyone and used the information for his own purposes. So his intentions were good, to plug security holes by finding them and telling the admins about it. But he is doing it the wrong way, without permission.
He may want to think about pleading guilty and making a deal to get reduced charges. This will make him famous and when he gets out of jail and ends probation, he can become a security consultant. Otherwise they may try to make an example out of him and charge him with a full penalty and any other charges they can think of.
But then the places he broke into didn't use good security practices and didn't apply the latest updates. Personally, I wouldn't put a machine on the Internet that contains sensitive data that only my company should have access to, like contact information, credit card numbers, etc.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
I know what many of you are thinking. Why not tell these companies BEFORE you break in?
Because IT'S NOT FUN, that's why. Or perhaps more accurately, it's not stimulating.
Hacking these sites takes time, and the payoff is getting inside and saying, "WOO-HOO! I DID IT!" The fact that he does nothing malicious afterwards and even calls and helps the sysadmins unfuck their systems is a testament to his character.
For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you, such as family pictures, your kid's toys, or if he was REALLY unlucky, your fat, naked ass sitting in a Lazy Boy with a bowl of chips balanced on your ponderous belly, flipping through the channels.
"Uhhh... hey dude. Your lock is vulnerable."
See? Just not the same.
Getting past a computer's defenses is not the same as physically entering a home or bank vault, though I would find the latter far less intrusive than home invasion, especially if he never even touched the money.
Now, if he LOOKED at personal/confidential files once inside, that is a different story. But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.
Misdemeanor, at most.
It doesn't matter what he could have done while inside, it matters what he did, or more specifically did not do while inside the system.
"That bastard! He saw my FILE NAMING SCHEME!"
Yeah, he should fry for that...
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
The law makes distinctions between trespass, breaking and entry, armed robbery and so on.
The guy who wanders around your house is a trespasser, not an armed robber. It seems here that a better analogy would be:
A guy walks in to your unlocked house, boasts about it, and you insist that he be prosecuted for the worst possible crime he *may* have committed, not the crime he did commit (to walk through an unlocked door).
So he's a gray hat hacker who has fallen into shadow. Will he come back as a white hat hacker, more powerful than before?
Everyone enjoys comparing hacking to breaking into someone's house or trespassing on private property. It is not. You cannot be 'inside' someone else's server. (It is doubly impossible given the girth of most hackers.) The physical definitions fall apart. And the metaphorical analogies do not mesh physical property and Turing machines so well.
We can begin with what we do know for sure about hacking. A hacking incident is when someone sends packets of information (in some form and by some medium) from a computer or computers to someone else's computer or computers. Which packets are illegal and which are not? Any exact definition raises problems. You can say that any packets that change the functioning of the target system in an unintended way constitute hacking. So the ignorance of the owner becomes the limit of what is or is not hacking. Faking an email address on a badly designed sign up page (or using mailinator) might be hacking under that definition. Other definitions are similarly problematic. Currently our legal system tends to default (once it actually gets to jury trial) to the above definition, but (in effect) adds that the act must be highly technical and use specialized tools. (Other definitions exist, and I am of course willing to bust holes in any particular one you care to suggest--so go ahead and suggest them.)
But there is such a thing as computer hacking. Everyone knows that. Even if we cannot have an exact legal definition, we know that some things are clearly computer hacking. What is the best way of creating law (which is now inexact) to deal with this behavior? I would suggest making the motive of the hacker one of the main considerations of law. It is always hard for legal systems to judge guilt based on motive--and they should not if they can avoid it--but in this case, they must either judge the motive of the victim or the perpetrator. If the motive is vandalism or theft, then the act should be punished. Adrian Lamo's motive appears to have been an act that should not have been punished--though it is highly important to state that we do not yet know the facts.
Drago - you are a fool. If you are hacking people's systems without their permission, YOU ARE BREAKING THE LAW. PERIOD. END OF STORY. If people were allowed to say "Well, I was doing it so I could help their security", then you would have all sorts of Blackhats hacking systems, and then claiming, "I was going to help, but you arrested me first." No.
Look, there are ways to do security checks like this, without the security teams knowing that you are doing it. Get permission, make sure that no one is tipped off, and then test the systems.
If there is one thing I can't stand it is people doing illegal actions and then claiming they are doing it for the greater good. This type of action cannot be condoned. Sure, you might be doing help, but you also might not.
It is human nature to take shortcuts in thinking.
Your argument falls flat on a number of points.
Reportedly, his access to the NYT systems was by using publicly accessible proxy servers. Saying he needs prior authorization to do that is naive -- do you need prior authorization to access arbitrary mail or web servers on the Internet? Leaving the systems open is prima facie authorization. There would have to be some indication that only NYT employees (or whomever) were authorized to use the system.
You are amused that he uses the same tactics to access many poorly secured networks. Does it not worry you that so many networks are poorly secured in identical ways? I believe that is a much more significant issue.
You are further amused that he does it not for money, but for publicity. HELLO MCFLY. There are an unknown number of other systems just waiting for someone to break into them. If Mr. Lamo publicizes the existence of gaping security problems (especially after working to help close the specific examples he finds), it encourages other businesses to close their holes. Without him, many of them would rather sit fat and lazy and hope whoever penetrates them gets caught.
That publicity also brings business to the security professions who you think consider him a joke. Talk about biting the hand that feeds you.
and that's ethical vs not, whether it's hacking, or journalism.
Journalists are supposed to operate by an ethical code, and the vast majority do so. Journalistic ethics would say that you cannot break the law in order to get a story... though that's not to say it hasn't been done. Check out this link. It would seem that ethical standards in journalism are quite flexible, and that there is no set rulebook. Instead, as in ethical dilemmas in many disciplines, one must weigh competing evils. The evil of impersonating someone, or operating under a false identity, versus letting a politician go on with corrupt, harmful actions... which weighs more, and who decides?
By the same token, one might make the same argument for Adrian's actions. He intended no harm (as an investigative reporter might intend no harm in impersonating someone else to get a story), so the Mens Rea AKA "guilty mind" did not exist. Reporters often argue, when investigating and digging into the lives of public figures and officials, that those officials have less of an expectation of privacy than regular citizens... and to some extent they're right. Yet, how does the watchdog presume to waive the privacy of others in the pursuit of a story, while immediately running to the FBI? The media also argue that they have the right to dig, based on the fact that they are defending the public's "right to know." (how many times have we heard that?) The media assumes that power as society's watchdog... but who's watching them? Apparently, Adrian was, and they are NOT happy about it.
It's doubly ironic that an organization dedicated to exposing the truth (ostensibly in a transparent, above-board, and for-the-greater-good fashion), is getting their panties in a bunch over someone showing them some truth in a like manner. Apparently the old grey lady doesn't have a problem airing the dirty laundry of others, but is awfully sensitive about her own problems... and from an ethical standpoint, Adrian's actions are probably arguable either way.
I'm sorry, but I find this whole thing incredibly funny.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
I understand most of the arguments against what Lamo did, but there are a few points I want to get off my chest:
1. To all those saying, 'It's like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have ruled one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.
2. I don't know how it needs to be done, but truthfully do you (the collective Slashdot you) trust companies to secure their networks, perform audits and be upfront and honest about their failures? If I were a NYT partner I would be furious that my information may have been publicly accessible, yet I would never have known about its vulnerability without Lamo. How many companies have been hacked, had credit card or other info stolen, and just not said anything about it? When Acxiom was hacked, personal information on individuals was stolen over 8 months before they "discovered" the hack - and the hack was found by Hamilton County, Ohio Prosecutor's office when investigating another case that had come forward. What are the chances that Acxiom KNEW they had been hacked, compromised personal information, and said nothing? I am guessing with the current climate of corporate ethics, a pretty high chance exists that a lot of information is being disseminated by people who stole it and consumers have no idea because the company in question is sweeping it under the rug.
Hacking into someone else's system is bad. Nobody can disagree there, but the bottom line is a tradeoff of negative impacts - for what Lamo did I see a lot fewer negative consequences than today's corporate irresponsibility with personal information and computer security.
I say, "Why did you have to break into my car to write me a note?"
"Sufferin' succotash."
The NYT is one of the most hypocritical organizations today. They sue to get 9/11 tapes of people dying - all in the name of "openness" and "public information", yet they have a network connected to the public network - which is open and transparent through their own doing - and that's bad/illegal? PLEASE - The NYT's proxy servers were so misconfigured that it was akin to them posting information in the window of the downtown offices and then getting pissed if people read what they posted.
You can bet your rear quarters that if our hacker had been a reporter on a story for the NYT that they would be vigorously defending his actions. Like most large corporate entities the NYT has no moral basis for anything it does; in the end it's about money, not honesty, truth or enlightenment. It sure as hell isn't about the Times' mission statement, which is "The Company's core purpose is to enhance society by creating, collecting and distributing high-quality news, information and entertainment."
Perhaps our hacker should have "enhanced society" by distributing the information he found to the world. It would have been high quality news to see how one of the most influential papers is really run.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
They were worried he knew just how much of their news was faked.
----- LoboSoft specializes in Digital Language Lab
If you leave your front door open and I take a look inside your house, what crime have I committed? At most, I am told, trespass. If you left the keys under the mat and I opened the door, it's breaking and entering.
Similarly, if I take your car with the clearly stated intention to return it when I am done (e.g. if I desperately needed to drive someone to the hospital), I haven't stolen it, I've borrowed it -- with or without your permission.
Theft, burglary, etc. are crimes defined in part by the intention of the alleged perpetrator and the damages suffered by the alleged victim.
OTOH we live in a world where one of the first "terrorist" groups targeted by the government after 9/11 were Environmental Activists who destroy machinery but have been careful never to hurt anyone.
But I'm no lawyer.
Yep, how do you think the New York Times felt when they'd heard that their site had been hacked by some Lamo? Of course they're going to take it personally! Now if they'd heard that Max Power had hacked into their site... that could have been another matter.
It seems pretty obvious to me that hackers doing this sort of thing are simply trying to draw as much attention to themselves as possible, in order to boost their ego and enhance their career options.
Not at all like, say, teen athletes, who play sports for the sheer fun of it.
Besides, if he was so confident his activities were legal and ok, why is he running around from state to state, in hiding?
Well, according to the article, he's in California working on a documentary. Not exactly the kind of thing you'd do if you were "in hiding".
If he felt he had a strong case in his favor, you'd think he'd just turn himself in to the FBI right away, so he could show their folly in court and walk away righteous.
This just tells me he's not an idiot. Talking to a lawyer before the cops is good sense, and perfectly legal. Nothing in the law requires him to turn himself in, so he can take his own sweet time and make sure his rights are protected.
You got some kinda grudge against this guy, or did you just not read the article?
King TJ, you should read a bit on Mr. Lamo before you go casting stones.
1. He has repeatedly turned down anything from the companies he's helped.
2. He has always agreed to sign whatever NDAs are required of him.
3. That hardly fits the profile of someone trying to "bolster" his profile.
4. He has done this for *years*.
5. He has (as far back as I can remember hearing him speak) been aware that one day someone would not take too highly of his efforts.
6. He's hardly on the run, he's trying to get in touch with his lawyer to set up the details of turning himself in.
7. He has NEVER released (as far as I can remember) the exact details of ANY of his corporate hacks.
Want proof? Go search SecurityFocus, he hangs out on BugTraq and a few of the other lists. For heaven's sake man, quit trolling without at least reading about the guy.
Bugs Bunny was right.
I'm sorry, but I think your analogy is unsound. A true white hat hacker doesn't drink the beer, try on the underpants, eat the pizza. More like someone you would drive by with your trunk door open, and they tell you that it's open so that all your stuff, which might be your private underclothes, doesn't end up in the middle of the road for everyone to see.
People often make the assumption that morality dictates law. This is simply not true. In other words, if someone breaks into your system and tells you about it and helps you fix the holes instead of using your system for their own personal gain, then he's done you a favor by doing your job for you and saving your employers money if someone ever did exploit you maliciously.
I agree that the analogy does not work. I think a better analogy is:
You happen to figure out the combination for the lock of my safe. You open it up, look at all the nudie photos of my girlfriends (and maybe watch one of the videos). So then you tell me you figured out the combination to my safe and opened it. I know what you've seen.
So say someone breaks in but doesn't appear to do anything malicious. How do you know he didn't look at anything? How do you know he didn't read everyone's personal mail, or log any credit card numbers or passwords? You don't. Sure, a true white hat should not be doing these things, but do you really trust someone to be a true white hat?
When I was a teenager, I used to gain unauthorized access to systems for fun, but never did anything malicious. I was a bit of a white hat, and got rid of other people who had cracked the systems. However, I was keenly aware of the fact that I could be arrested and charged heavily for what I was doing. If you do something illegal, you can be charged for it. Sometimes the law isn't right, but I'm finding it hard to side on Adrian Lamo's case here.
I would love to go around cracking systems for fun and telling the admins how to fix the problems without having to worry about getting arrested. But this is simply not the case.
Zoot!
I'd also like to add, I don't think the term "white hat" can apply to people who illegally break into systems. A white hat would be someone who sets up his own systems and tests security on them, or has permission to work on a system. He would announce vulnerabilities when he finds them, usually contacting the author of the vulnerable software first. He's the true "good guy" who has done nothing wrong.
There's another term for someone who breaks into systems illegally, but does not do anything malicious, who may or may not do anything to help fix the problems. I believe they are called "grey hats." Hence the grey area here.
Of course the black hats are the true criminals, who are doing other illegal activities besides the break-in (stealing credit card numbers, destruction/defacing of the systems, etc).
Zoot!