Adrian Lamo Charged With Hacking
retro128 writes "Drifting around the US from state-to-state, Adrian Lamo has been making news for some time with his 'White Hat' hacking exploits. His highest-profile hacking has included Excite@Home and Yahoo. After he would break into a network, he would call up those in charge of it and help them fix the holes. So far, it has earned him praise from the administrators of those systems, but now SecurityFocus is carrying the story that the FBI has filed charges against him, and currently has his parents' house staked out. The records are sealed, so nobody knows who is responsible, but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got."
Maybe the real problem that the New York Times has with Lamo is that he was able to read stories without having to register for a free account. (Hell, that stupid registration requirement makes me want to hack them too.)
Here's a link to The Screen Savers (on Tech TV) that has some information about what Adrian had to say when he called in live to speak with Leo.
-- Never monkey with another Monkey's monkey
Well, zero tolerance. The thing here is that to an awful lot of people, and especially those who make the laws, hacking is hacking is hacking, who cares what someone says they were doing it for.
I can really understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."
I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charges against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.
If you ask and tell them you're going to try to hack, then they will tighten security. That's exactly why you can't tell them. You have to just do it, at a random time without them knowing, then see if they catch it. That's the only true way to "test". Do it blind or it is not real. A BlackHat will never ask or tell you when.
Heheh... when the agents wanted to come into her home, she told them to get stuffed and come back with a warrant...
That's love, folks.
It would be ironic if this was set up by the NYtimes. I thought investigative/secret camera/sting operation reporting was supposed to be aggressive journalism... couldn't his "hack" be considered the same sort of thing? "Unsporting" doesn't begin to describe it, particularly if he was up-front and honest about helping them out. If the NYtimes can investigate, blow the whistle on others, and embarrass them into action, I'd say the same card can be played against the Times. "Sour Grapes" anyone?
Yes, he was likely technically in the wrong, no doubt about it, particularly if you adhere to the letter of the rule, rather than the spirit of the rule... even so, this seems a bit heavy-handed.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Agreed. If he wanted to perform white hat hacking, he should have approached the companies involved and asked for a job to test their security. Hell, he'd have earned money that way as well.
... but it isn't as if he was doing the internet equivalent of rescuing the baby in a house fire.
But he did commit a crime - he broke into and entered their systems without permission. Sure, he did it for a good reason in his own head, and wasn't going to be malicious
I am not sure what he did at the New York Times can even be considered hacking.
So far as I can tell he set his web proxy to the address of the company intranet, surfed around that, downloaded some documents and used the information contained in these to get some more.
Whilst I don't approve of hacking per-se, I'd have to say that here, this is very little more than exposing a badly designed web site.
Imagine that you go to your gas company's online web site, look at the URL and see your account number in it. You think to yourself, I wonder what would happen if I changed one of the digits. You do and lo and behold up pops all the information of another customer.
Now you can go for your 15 minutes of fame and ring up SecurityFocus or you can have a quiet word with the Webmaster of the Gas company - either way, you are not a hacker.
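The "change a digit in the account number" weakness the post above describes, as an added example that is not part of the Slashdot thread: a lookup that trusts the id from the URL beside one that checks ownership, plus a small check over constructed access-log lines that flags a client walking through account ids. The account data, log lines and `/account/<id>` path layout are all constructed for the example.

```python
# Added example (not from the Slashdot thread): the "change a digit in the
# account number" weakness shown as a vulnerable lookup beside a hardened one,
# plus a log check that flags a client probing sequential account ids.
from dataclasses import dataclass
from collections import defaultdict
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str          # login name of the customer who owns the record
    balance_cents: int


# Constructed sample data standing in for the gas company's customer table.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice", 12_500),
    1002: Account(1002, "bob", 980),
    1003: Account(1003, "carol", 40_000),
}


class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested account."""


def lookup_vulnerable(account_id: int) -> Optional[Account]:
    # Trusts the id taken straight from the URL: whoever changes a digit
    # reads another customer's record. This is the weakness, kept on purpose.
    return ACCOUNTS.get(account_id)


def lookup_hardened(session_user: str, account_id: int) -> Account:
    # Resolve the record, then enforce that the logged-in user owns it.
    # Unknown and foreign ids raise the same error so the response does not
    # reveal which account numbers exist.
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return acct


def hardened_denies(session_user: str, account_id: int) -> bool:
    """True when the hardened lookup refuses the request (helper for checks)."""
    try:
        lookup_hardened(session_user, account_id)
    except Forbidden:
        return True
    return False


def flag_id_walkers(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count denied /account/<id> requests per client IP.

    Log format is constructed: "<client_ip> <method> <path> <status>".
    Returns the clients whose denial count reaches the threshold; a single
    denial is a typo, a run of them is someone changing digits.
    """
    denials: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                       # ignore malformed lines
        client_ip, _method, path, status = parts
        if path.startswith("/account/") and status == "403":
            denials[client_ip] += 1
    return {ip: n for ip, n in denials.items() if n >= threshold}


# Constructed log excerpt: 10.0.0.9 tries four neighbouring ids and is denied
# on three of them; 10.0.0.5 mistypes once.
SAMPLE_LOG = [
    "10.0.0.5 GET /account/1001 200",
    "10.0.0.5 GET /account/1002 403",
    "10.0.0.9 GET /account/1002 200",
    "10.0.0.9 GET /account/1001 403",
    "10.0.0.9 GET /account/1003 403",
    "10.0.0.9 GET /account/1004 403",
    "garbage line that should be skipped",
]


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(1002))          # anyone gets bob's record
    print("hardened:", lookup_hardened("alice", 1001))     # alice gets her own
    print("alice->1002 denied:", hardened_denies("alice", 1002))
    print("walkers:", flag_id_walkers(SAMPLE_LOG))         # {'10.0.0.9': 3}
```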
How different is this from the investigative reporters on your local news broadcast? In many cases a white hat may find that customers' CC numbers or SS numbers are accessible via an exploit or weak security. In a way, he/she would be helping the public by giving the company an opportunity to correct the situation or at least take it public. An investigating reporter may find that a company or government office is throwing out sensitive info without shredding it or taking the proper preventative measures. If I am giving a company like Amazon my CC#, I want to know that they are going to protect that info. Who is going to watch/audit the company if they get lazy?
The Tools Of Ignorance wanna be a tool?
Switch back to Slashdot's D1 system.
If you break into someone's house, telling him after the fact how you got in does not automatically pardon you from the crime...
Had Adrian simply notified the New York Times in a timely manner about the open proxy servers, he would have been fine and probably accomplished his mission.
Instead, he took his time cracking the system, widening the holes so to speak, and then went to a reporter(!), of all people.
There is nothing inherently wrong with his desire to improve security. There is nothing wrong with him looking around the public spaces on the internet for chinks. What was wrong was that he failed to tell the people maintaining the chinks directly about them, widened them until he got at valuable data, didn't tell the affected people about the data he had received, but then went to a third party and told them about the wanging big hole he had made. I'm sure he views himself as a knight in shining armor, but in this matter he behaved like a publicity-seeking self-promoter.
Yes, shame on the NYT for misconfiguring their systems, but even more shame on Adrian for doing something so illegal and counterproductive.
It does not matter if a person thinks he's a good guy, he still does not have carte blanche to do whatever he wishes.
So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?
But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?
The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't really apply.
OTOH, your mention of the deadbolt and alarm does apply, but only in the sense that if I did buy/install a deadbolt and alarm, I'd be royally pissed if they didn't work.
What if I just leave a signed note on the inside of your car that says "follow these three easy steps, and then no one else will be able to break into your car again"? Do you say "hey, thanks, buddy!", or "hey, someone broke into my car!"...
pb Reply or e-mail; don't vaguely moderate.
OK, white hat cracking someone is still cracking their system, no matter how benevolent the intent. But this part just makes my blood boil:
French did not know what the specific allegations were, because the charging document is sealed.
Especially in light of this part of another article that people need to spend more time reading:
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.
Excuse me, what part of cracking the NY Times is a threat to national security? Why are so many court documents sealed these days? There is NO legitimate reason for securing this sort of charge. Even if the prosecutors were to go as far as claiming he were a terrorist, there's still no nuclear weapons secrets (which we all know by now anyway, despite being classified) in the NY Times payroll database.
He should use that in his defense; because the case was sealed, it's unconstitutional and therefore he can't be found guilty.
I don't support this sort of vigilante white hat hacking, but I oppose ignoring the constitution even more.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
If he was hired to test security it would be a different matter. But he allegedly broke into those systems without permission. That puts him in violation of Cybercrime laws.
I feel sorry for him, because he did allegedly report the weaknesses to the admins and he could have just read the data and not told anyone and used the information for his own purposes. So his intentions were good, to plug security holes by finding them and telling the admins about it. But he is doing it the wrong way, without permission.
He may want to think about pleading guilty and making a deal to get reduced charges. This will make him famous and when he gets out of jail and ends probation, he can become a security consultant. Otherwise they may try to make an example out of him and charge him with a full penalty and any other charges they can think of.
But then the places he broke into didn't use good security practices and didn't apply the latest updates. Personally, I wouldn't put a machine on the Internet that contains sensitive data on it that only my company should have access to like contact information, credit card numbers, etc.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
I know what many of you are thinking. Why not tell these companies BEFORE you break in?
Because IT'S NOT FUN, that's why. Or perhaps more accurately, it's not stimulating.
Hacking these sites takes time, and the payoff is getting inside and saying, "WOO-HOO! I DID IT!" The fact that he does nothing malicious afterwards and even calls and helps the sysadmins unfuck their systems is a testament to his character.
For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you, such as family pictures, your kid's toys, or if he was REALLY unlucky, your fat, naked ass sitting in a Lazy Boy with a bowl of chips balanced on your ponderous belly, flipping through the channels.
"Uhhh... hey dude. Your lock is vulnerable."
See? Just not the same.
Getting past a computer's defenses is not the same as physically entering a home or bank vault, though I would find the latter far less intrusive than home invasion, especially if he never even touched the money.
Now, if he LOOKED at personal/confidential files once inside, that is a different story. But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.
Misdemeanor, at most.
It doesn't matter what he could have done while inside, it matters what he did, or more specifically did not do while inside the system.
"That bastard! He saw my FILE NAMING SCHEME!"
Yeah, he should fry for that...
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
The law make distinctions between trespass, breaking and entry, armed robbery and so on.
The guy who wanders around your house is a trespasser not an armed robber. It seems here that a better analogy would be :
A guy walks in to your unlocked house, boasts about it and you insist that he be prosecuted for the worst possible crime he *may* have committed, not the crime he did commit (to walk through an unlocked door).
So he's a gray hat hacker who has fallen into shadow. Will he come back as a white hat hacker, more powerful than before?
That's a really awful analogy.
If someone steals your car they are doing you a serious disservice and actively depriving you of something you cannot easily do without.
To use your analogy in a way that actually makes sense:
He isn't stealing your car. He is walking up and seeing if the door is unlocked and the keys are in the ignition. At the very MOST he is starting the car to prove he COULD steal it if he wanted to. But he never actually steals the car or harms you in any way (except maybe making you feel really stupid for having such an easily stolen car). He doesn't deprive you of it "for a month".
Basically he's checking to see if he COULD steal your car, NOT stealing it. Then he tells you what to do to keep others from stealing it.
Doesn't sound like evil incarnate to me. If I was being a total idiot as regards security I think I'd appreciate it if someone pointed that out to me before someone else came along and took advantage of it and ended up doing real harm.
The shame would be worth it in the end, I think. Unless you happen to be the NY Times, which is probably pretty sick of being shamed at this point.
The difference is that he didn't hijack the servers and use them for his own deeds for a month and returned them. He got in, observed how severe the exploit was, got out, and told the admins that they need to fix it. If someone broke into my car without doing any damage to it and then left a note giving me suggestions I'd welcome it, it's not like they drove off with the car and they might have saved my car from future theft.
Everyone enjoys comparing hacking to breaking into someone's house or trespassing on private property. It is not. You cannot be 'inside' someone else's server. (It is doubly impossible given the girth of most hackers.) The physical definitions fall apart. And the metaphorical analogies do not mesh physical property and Turing machines so well.
We can begin with what we do know for sure about hacking. A hacking incident is when someone sends packets of information (in some form and by some medium) from a computer or computers to someone else's computer or computers. Which packets are illegal and which are not? Any exact definition raises problems. You can say that any packets that change the functioning of the target system in an unintended way is hacking. So the ignorance of the owner becomes the limit of what is or is not hacking. Faking an email address on a badly designed sign up page (or using mailinator) might be hacking under that definition. Other definitions are similarly problematic. Currently our legal system tends to default (once it actually gets to jury trial) to the above definition, but (in effect) adds that the act must be highly technical and use specialized tools. (Other definitions exist, and I am of course willing to bust holes in any particular one you care to suggest--so go ahead and suggest them.)
But there is such a thing as computer hacking. Everyone knows that. Even if we cannot have an exact legal definition, we know that some things are clearly computer hacking. What is the best way of creating law (which is now inexact) to deal with this behavior? I would suggest making the motive of the hacker one of the main considerations of law. It is always hard for legal systems to judge guilt based on motive--and they should not if they can avoid it--but in this case, they must either judge the motive of the victim or the perpetrator. If the motive is vandalism or theft, then the act should be punished. Adrian Lamo's motive appears to have been an act that should not have been punished--though it is highly important to state that we do not yet know the facts.
I think you're confusing what Lamo did with something that the NYT actually gave permission for. I agree with you, that a penetration test should be performed in such a way as to be unexpected, so paranoid admins can't do stupid things to improve the results (like turn off all inbound access for a day). But this wasn't a penetration test, it was nothing more than an uninvited and deeply illegal intrusion plus some spin control for the media.
I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about? I wouldn't, and the resulting cleanup to make sure that nothing more was done is an expensive and disruptive process. This is part of why the damages for relatively minor hacks end up being so enormous in many cases.
We're always pushing ourselves to question what we're being told by the media, by our leaders, by our educators, by big business...we should really question anyone who might have an ulterior motive.
For your security, this post has been encrypted with ROT-13, twice.
Drago - you are a fool. If you are hacking people's systems without their permission, YOU ARE BREAKING THE LAW. PERIOD. END OF STORY. If people were allowed to say "Well, I was doing it so I could help their security", then you would have all sorts of Blackhats hacking systems, and then claiming, "I was going to help, but you arrested me first." No.
Look, there are ways to do security checks like this, without the security teams knowing that you are doing it. Get permission, make sure that no one is tipped off, and then test the systems.
If there is one thing I can't stand it is people doing illegal actions and then claiming they are doing it for the greater good. This type of action cannot be condoned. Sure, you might be doing help, but you also might not.
It is human nature to take shortcuts in thinking.
An interesting analogy.
After drinking heavily in a bar, a friend of mine and I bought some slices of pizza at a shop, and went outside to eat. Since we were too drunk to stand up, we sat down on the steps outside another shop, which was closed for the night. That is, it should have been. My friend was leaning his back on the door, which was open. He fell right in.
Now, the right thing to do, according to you, would be to go away, minding his own business. And what the hell was he doing, trespassing on the steps outside the shop and all. If this was in Texas, he would be rightfully shot. However, my friend, being both an imbecile and a crook with neither morals, nor respect for private property, went inside to look for a telephone and hopefully the phone number of the owner (we were both too tired to do any serious looting). And so the owner was notified and the door was closed, and my friend got a serious hangover.
The moral of this story is: if you drink, you get a hangover, so alcohol is bad, 'mkay?
I understand most of the arguments against what Lamo did, but there are a few points I want to get off my chest:
1. To all those saying, 'It's like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have ruled one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.
2. I don't know how it needs to be done, but truthfully do you (the collective Slashdot you) trust companies to secure their networks, perform audits and be upfront and honest about their failures? If I were a NYT partner I would be furious that my information may have been publicly accessible, yet I would never have known about its vulnerability without Lamo. How many companies have been hacked, had credit card or other info stolen, and just not said anything about it? When Acxiom was hacked, personal information on individuals was stolen over 8 months before they "discovered" the hack - and the hack was found by Hamilton County, Ohio Prosecutor's office when investigating another case that had come forward. What are the chances that Acxiom KNEW they had been hacked, compromised personal information, and said nothing? I am guessing with the current climate of corporate ethics, a pretty high chance exists that a lot of information is being disseminated by people who stole it and consumers have no idea because the company in question is sweeping it under the rug.
Hacking into someone else's system is bad. Nobody can disagree there, but the bottom line is a tradeoff of negative impacts - for what Lamo did I see a lot fewer negative consequences than today's corporate irresponsibility with personal information and computer security.
YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!
I would bust his skull open with my tire iron, then call the cops.
Okay, so busting this guy's skull open is breaking the law for:
a) A good reason.
b) A bad reason.
c) No reason at all.
d) None of the above.
BTW, the thief will sue you from here to eternity. Maybe if you make it out of jail alive some day, you might be able to find a job to pay off that lifetime of debt to him.
; )
You can't just go around breaking open skulls because someone pisses you off. YOU CANNOT BREAK THE LAW, EVEN FOR GOOD REASONS! IF YOU DO, EXPECT TO GO TO JAIL!
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
The home invasion analogy is a very bad one. A home is by its very nature badly protected (you don't spend millions securing it, do you?) but it is also a sanctuary, a place where a break-in results in a certain emotional stigma.
A better analogy would be this one: Suppose that somebody is waiting in an airport's lobby. He has not gone through the security checks yet. While waiting, he notices airport personnel going through what seems to be an unlocked employee-only door. A thought flashes in his mind: "This doesn't seem very secure. I thought airports were supposed to be secure." So he goes to the door and lo and behold, it is unlocked! He goes through it and finds a bunch of corridors and doors.
Naturally curious and a little adventurous, our guy wonders how far he can go. He goes forward and manages to get to the departure area WITHOUT going through security. He feels a little proud of having easily broken a system on which governments and airlines have spent millions.
Being a good citizen, our guy then goes to the security counter and shows his finding to the cop. But suddenly, the cop puts cuffs on him and charges him with trespassing and attempting to bypass security in an airport. Of course, the proper action would have been for the guy to go to security as soon as the unlocked door was found. Adrian Lamo should have stopped his investigation at the misconfigured proxy.
However, is it reasonable to charge somebody with a federal crime for having gone a little further in testing the security of a system? Whether it was an airport or NYT's intranet.
I don't think so. The FBI can claim that they don't know whether the guy smuggled dope during his attempt and the NYT can claim that they'll have to check every system for backdoors but I believe it's mostly bad faith from people lashing out because they felt humiliated. Get a grip... fix your stuff and move on. Destroying the life of somebody who tried to help you is just stupid and cruel.
What companies do about those who warn them is what irks me. Not only do they press charges as if they had been maliciously broken into, but they tend to want to bill the white hat hacker for EVERYTHING related to the incident, including but not limited to ignorant PHBs spending months in meetings about it, as well as the price for fixing the mess.
It's like you getting to work one day and finding a note stating "the bathroom window opens from the outside, and the spare key for the filing cabinet where you keep customer data shouldn't be taped to the bottom of the counter." Then what do you do? Call in all the staff, and close up the store for a week while you hold meetings, followed by changing all the locks and buying a gun, and finally suing the person who left the note, charging him with the total costs of what you did?
Or you tell a farmer that you were hiking in his woods when you discovered that his game warden was poaching. The farmer's reaction is charging you with trespassing. While he may have a legal right to do so, he'd be a real jerk AND idiot to do so.
The above is, unfortunately, the analog to what's happening in the electronic world.
I'm not saying that Lamos and other self-appointed white hat hackers are RIGHT in what they do (I believe they aren't), but even if the messenger isn't welcome, you don't shoot him or blame him for all the problems he reports.
The main reason why you shouldn't do that isn't just because it's a petty thing to do, but because you HURT yourself and others in the long run.
See, if I were a hacker operating like Lamos, and saw companies doing that, instead of alerting the companies and risking facing their and the paranoid lawmakers' full wrath, I would stop alerting the companies about their flaws -- instead, I would anonymously alert the PUBLIC.
Seen from the viewpoint of a company, what's better about that? Yet, that's what they're pushing hackers into.
The companies might argue that they would want people to stop rattling doors in the first place, and that's a valid argument. However, it's not going to happen until you have exterminated every potential criminal and curious kid on the planet.
In a Utopia, you don't even need a door lock, because no-one would ever walk through the door without a right to do so. However, companies can't argue that as a defense -- not installing a lock would be seen as gross negligence, because it's expected that criminals and curious people will trespass unless minimal safety measures are taken. That's how our society is.
Charging Lamos is a signal, all right. Unfortunately the signal isn't "don't test our security uninvited", but "once you've tested our security uninvited, don't tell us -- stay anonymous and tell it to everyone else".
Regards,
--
*Art
The NYT is one of the most hypocritical organizations today. They sue to get 9/11 tapes of people dying - all in the name of "openness" and "public information", yet they have a network connected to the public network - which is open and transparent through their own doing - and that's bad/illegal? PLEASE - The NYT's proxy servers were so misconfigured that it was akin to them posting information in the window of the downtown offices and then getting pissed if people read what they posted.
You can bet your rear quarters that if our hacker had been a reporter on a story for the NYT that they would be vigorously defending his actions. Like most large corporate entities the NYT has no moral basis for anything it does, in the end it's about money, not honesty, truth or enlightenment. It sure as hell isn't about the Times' mission statement which is "The Company's core purpose is to enhance society by creating, collecting and distributing high-quality news, information and entertainment."
Perhaps our hacker should have "enhanced society" by distributing the information he found to the world. It would have been high quality news to see how one of the most influential papers is really run.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
The University of Washington had a "student run" program where returning students could volunteer to help freshmen move into their dorm room. In return for their help, the UW would supply the volunteers with free food (Usually through SubWay, Dominos, etc, with a student leader ordering the food using UW budget codes). After everyone moved in, the group would disband and everyone would forget about it until the following fall. Approximately six years ago, the student leader who was in charge of ordering food decided in Winter quarter that he would use the budget codes and try to order up some food for him and his friends (http://tinyurl.com/mhck) . What was Eric's excuse when he was eventually caught? "I was just trying to show how insecure the system was" and "I was really doing Res. Life a favor". Sound familiar? Eric Feigenbaum then wrote a series of articles to the student newspaper, The Daily, regarding his experience and how the university didn't appreciate his 'generous act'. Personally I become extremely nervous when someone decides to conduct some unannounced public service, especially through illegal means. Usually the "I'm just misunderstood. I was really trying to help out" excuse comes out after the individual gets caught, but some individuals will come forward first, hoping that it'll cover their tracks. For example, I had one employee who came up to me and said that they learned how to use the copier without first putting in their copy code. Turns out the employee decided to "test" his method by making over 5000 copies over a period of three days (all after hours). Another employee within the firm reported that some equipment was missing (it would have been discovered later that week). It was eventually discovered that the very same employee had stolen the equipment the night before. I don't know the first thing about Adrian Lamo besides what's written in the referenced article.
He may be the most honest, altruistic, and generally nice guy in the world. Good for him. The problem is that the next Adrian Lamo may not be.
I'm sorry, but I think your analogy is unsound. A true white hat hacker doesn't drink the beer, try on the underpants, eat the pizza. More like someone you would drive by with your trunk door open, and they tell you that it's open so that all your stuff, which might be your private underclothes, doesn't end up in the middle of the road for everyone to see.
People often make the assumption that morality dictates law. This is simply not true. In other words, if someone breaks into your system and tells you about it and helps you fix the holes instead of using your system for their own personal gain, then he's done you a favor by doing your job for you and saving your employers money if someone ever did exploit you maliciously.