Adrian Lamo Surrenders
clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail."
webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News.
He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."
more than $25K damage to New York Times Co.,' and performing LexisNexis searches on
his own name to the tune of $300K! I always find it interesting that so little tinkering
can cause so much 'damage' (if you didn't get that wink, read the article about the
nature of the 'damage').
No I don't get the 'wink'.
These damage figures really don't seem very unreasonable, especially given what Kevin
Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
cost of the people who had to evaluate and repair his intrusion into the network). As for
the LexisNexis searches that cost is probably easy to calculate because they charge for
use of the service and he probably used $300,000 worth of the service without paying for it.
If he'd been accused of millions of dollars of damage for these intrusions then I might be concerned
that the prosecutor was going overboard, but this seems pretty sane to me.
John.
Jail that obviously highly intelligent individual!
.. why jail him? Surely he can contribute in a positive way to society? It sure sounds like he doesn't have any malicious intentions other than prove what every engineer knows - you often need to experience failure before you address a weakness in your design. Better to have failure 'encouraged' by a guy who's willing to help you lock down your network after the fact than some dude who gets in the door and heads straight for client lists, credit info, etc ..
Yes, I'm joking. This kid sounds like a bright fish
"Old man yells at systemd"
Wikileaks, no DNS
Oh wait, those fools are probably still employed, and they're probably the ones doing the "scouring".
Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.
Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?
Now imagine word spreads about this type of behaviour with no consequences (jail time). Now you'll come home every week or 2 or 3 times a week to some unauthorized person sitting in your living room? Is this what you want? It's just fine and dandy because the intent is good right? What? Road to hell? What? Paved with good intentions?
Mac OS X and Windows XP working side by side to fight back the night.
parent is somewhat a troll, but anyway...
a hit to their reputation? unless the business is some kind of computer security company, or ISP, i would wager that it does very little to their reputation. come on, any other company (especially outside of any IT related company), which of their customers is even going to *know* the site was hacked. how many of those people are going to ever hear that the site was hacked... if they couldn't access the site, they would probably just think their own internet connection was screwy at that time, or just accept the fact that they couldn't access the certain site (happens all the time) and think little of it.
i'm not trying to defend hackers, i'm just trying to set that misconception straight.
This post was brought to you by the number 584811 and the characters / and .
Sounds like a kid with an inflated ego and a bit of a Robin Hood complex.
I wouldn't feel like thanking someone who broke into my house while I was on vacation, nosed around in my papers, and then told me about my "security problem" when I returned home. Why would I, or any business, reward the same kind of behavior inside someone else's network? Both examples are, at minimum, illegal invasions of another's property.
Businesses that didn't press charges against this guy were negligent and only encourage the phony notion that crime on a network isn't serious.
-- Slashdot: When Public Access TV Says "No"
You get burned. Anyone who breaks the law and flaunts it is going to get caught, regardless of how honorable his intentions. Laws do not only exist to punish "bad guys;" they exist to make society an orderly place, and people who run around hacking others' servers willy-nilly are going to be causing chaos (ie the costs of the IT department figuring out wtf's going on with their network, as someone else mentioned). Awhile back the DoD conducted an authorized hacking of their system (with unpleasant conclusions). That is what needs to happen, because when dealing with gray areas there're shades of black. Remember the "good" anti-Blaster patching worm, and how it shut down systems in Canada because of its overly eager replication? It's foolish to presume that we should trust in the skills of a lone ranger. Get off yer high horse, cowboy.
This is again along the lines of "We don't really want to make sure we're secure so we'll just sue/have arrested anyone who finds anything." These are also the same people who lobby the gov to pass laws to do this. It's amazing how little people actually care about how secure their network or computers are and instead care more about huge fines and sentences so they can keep their networks insecure.
None of this has ever made any sense to me. Why is it that leaving a network insecure is fine and dandy but someone coming along and finding out it's insecure then entering it a bigger no-no than breaking and entering into a house? Didn't we learn long ago to close and lock our doors at night and when we were away? Some of these security holes are equivalent to a wide open window with no screen in it while we're on vacation for a month. Yes, it's still illegal for someone to enter the house and steal something but doesn't common sense tell us "Hey dummy, close and lock the doors and windows!".
I'm also wondering if they have any case on this. Didn't the NY Times take his help originally to secure the network? I know the statute of limitations hasn't panned out on this but at some point someone kinda has to say "Ahh well why are you taking him to court now after he helped out originally?". Just another "See what we do to these bad bad men!" cases.
"Most, if not all of them, left gaping holes that amounted to revolving doors at the front end of their networks." If I left the door to my apartment open and someone randomly walked in, I wouldn't be asking him if he wanted something to drink. No one said it had to be hard to be illegal.
He accesses somebody's network, tells them about it "oh but hey i didn't do anything bad".
If YOU were the sysadmin in question, would YOU believe him? No you'd have to check all your systems... And that costs money (=damages).
I am a viral sig. Please help me spread.
Hmmm... I have a feeling they didn't leave the site open. They just didn't make it unhackable.
It seems like this Adrian fellow is a pretty adept hacker. It's probably not easy to break into Yahoo and similar sites.
Here's a good analogy: Say someone is a great locksmith, and he breaks into your house, snoops around, reads private information that you have locked up in your cabinets, and then uses your phone to make a bunch of long distance phone calls. Should this person be held liable, even if they are willing to give you, for free, a "Brand New Burglar Detection System"?
Hell, yeah, they should. I personally have a hard time believing that LexisNexis really would have charged NY Times $300,000 for the searches that Adrian did -- surely they can't be that expensive -- but otherwise I believe that yes, he should pay for his actions.
If someone breaks into my car and crashes it into someone's house, I shouldn't be held liable, he should. Just because I left it unlocked (or locked it, but didn't use the Club) does not make me culpable.
And yeah, the New York Times had a real image problem when one of their reporters turned out to be a real idiot. It's possible that a few of their advertisers jumped ship. But it seems like they're doing fine now, especially since they were so open about their mistake and showed a willingness and intent to improve.
If Adrian is such a great damn hacker, why doesn't he just go straight to the corporations and say, "Look, I know that I can hack into your system. How about you pay me to make it more secure." Rather than hacking in, and then saying, "Hey, let me make it up to you by showing how to secure it for free." See, that way, he gets money instead of going to jail.
Now that the NY Times has pressed charges, I don't see anything that will get him out of this situation. He probably won't get a lot of time in jail, and hopefully he will be able to work out some kind of agreement where he offers his technical expertise and knowledge to offset some of the costs he incurred.
Karma: Chevy Kavalierma.
Your trespassing fine will wind up paying for increased police patrols of my neighbourhood.
Now enough with the stupid analogies.
I don't need no instructions to know how to rock!!!!
Wonder why he turned himself in? If I was in his shoes, I'd go on the run because:
* it seems like anything to do with hacking == terrorism. Justice won't be served, long prison sentence
* being obviously young, not particularly bad looking and probably not physically strong means almost certain prison rape.
* already leading a nomadic lifestyle so why not continue.
However, in his position, I'd probably no longer publicise what I was up to. I think he has made some grave tactical errors in letting his identity be so publicly known (and this is why he probably decided not to stay on the run, because his photograph has already been so widely published).
I hope his punishment is in proportion to the crime though - not some arbitrary "war on terror" sentence.
Oolite: Elite-like game. For Mac, Linux and Windows
It's by no means a perfect analogy, but it's better than the one alluded to by the "hacking" label. If I took a fire axe to your front door, then by all means, I should owe restitution to replace the door, on top of whatever actual damage I did. But if you took that opportunity to demand I pay for an expensive solid-steel door when the one I smashed was cheap, hollow wood, then you would, in my opinion, be taking unfair advantage of the situation.
In this case, not even a hollow door was "hacked apart". Security was bypassed, not destroyed. No vulnerabilities were induced that weren't already present, and which would have persisted if the attack hadn't taken place. So how is it right to demand he pay for upgrading that security?
Indeed. But don't get too ticked off on /. or some jackass is liable to moderate you as a troll.
The "damage" was irrelevant. He typed his name into Lexis-Nexis. Big stinking deal. The New York Times should be shot for leaving their data unsecured. There were significant people in those lists that were put at risk NOT because of Mr. Lamo. They were unbelievably lucky that some happy-go-lucky dork was nice enough to point out the flaws before a Black Hat got to it.
Laws are for people with no friends.
Who cares if you like how people use the word 'hacking'. It's irrelevant. I don't like that people who trade xbox games online call them "isos".
I agree with the judge. I'm sick of asshat 14 year olds thinking it's open season to screw around with other people's property. It doesn't matter if I have the latest kernel patches or a club and locking boot for my car.
The point is, it's mine, not yours. Mess with it, and pay the piper.
I don't need no instructions to know how to rock!!!!
The Times called the FBI after Lamo browsed sensitive data on its computers, including Social Security numbers for celebrities and government officials who are among the 3,000 contributors to its op-ed page.
Sensitive data, sounds like he got more than cc numbers. Also sounds like he has a political agenda, which is ok by my book. You can get lotsa info off of the NYT's internal system; memos, drafts, omitted papers, letters from people with political agendas....
In any case, this is akin to breaking into a museum to steal stuff, and instead of stealing he took pictures (very exact ones) and left a how-to note. He didn't damage anything, he showed them security holes in exchange for internal data. They don't like the internal data getting out...
BTW, any good company will resecure their systems after any consultancy and scour it for software; some firms can't be trusted.
Candy-Coated Knowledge
"Lamo frequently trespassed on the networks of prominent companies, uncovering security holes and accessing sensitive information. He then informed the companies of his exploits and often worked with them, as a consultant, to close the holes."
On an enormous salary, no doubt. I expect he could pretty much name his price. It doesn't surprise me then that they can make out they are victims, because, essentially, they are victims, of extortion.
The approach needed now is to approach them first, before hacking them, and if they don't want your skills then leave them alone. If they do want your skills, then they can recruit you at a fair price, on mutually agreeable terms, and nobody has anyone over a barrel.
The other benefit of this approach is that they'll be able to tell the difference between malicious hackers and hackers who are only doing it for the good of the community, which I have absolutely no doubt is going to be Lamo's defence ("I'm breaking into your house for your own good, can't you see that?"). The former will hack without a contract; the latter will hack with one.
You know, there is NO excuse for this criminal activity. There is a great expense to keep computers/networks/homes/cars/people secure. The reason for this expense is the criminal, the criminal should be made to pay.
I know it's a non-existent utopia to think that criminals should pay for security systems, but think of all the waste that goes into security because of people doing illegal things. Stop blaming the victims, they were NOT "asking for it" anymore than anyone "asks" to get raped or robbed.
Are you going to blame rape victims for not wearing chastity belts? Where does it end? If you absolutely want to prevent yourself from being raped, you'd have to wear one, wouldn't you? But that's a pretty ridiculous extreme, isn't it? And you'd probably get beaten anyway.
Do not tell me they didn't have ANY protection on their website - someone went looking for specific exploits, they didn't stumble upon them randomly, it was a conscious choice to do something illegal. Where does it end? The fact of the matter is people should just respect other people and their property.
Do not stand up for this guy just because he's a hacker like us against a big stupid company. What he did was wrong! The blame goes to the criminal, not the victim.
Stupid sexy Flanders.
Sentencing someone intelligent to mind-numbingly boring manual labour is pretty close to cruel and unusual punishment.
I'm currently unemployed. I could go out and get a job at close on a hundred different places within a week, if I decided to do labouring, shelf-stacking, bar-work or similar levels of work. In practice I'd rather watch my savings deplete, because then I can engage in intellectually stimulating activities instead while looking for a job that I can enjoy and commit to.
Being banned from using computers is harsh too - he can't work at McDonalds, they have computerised cash registers. He can't go to college, it's effectively impossible to get through college without a degree so far.
And as the original poster indicated - he has to apply for work/college with the possibility of an indeterminate period of absence happening.
On another issue, just what on earth is it to do with this judge if this guy isn't working? Is being unemployed and not in education a crime these days? If so I better not go to the US, because that's me..
~Cederic
Get a slashdot interview with this guy.
A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
Let's get one thing clear: individuals and corporations do not deserve the same rights.
He wasn't referring to graduates at the time. He was referring to very gifted students, ones that were establishing reputations for themselves, suddenly dropping out of school, or just disappearing altogether. He wasn't talking about the normal cycle of graduates moving on somewhere else.
Life is hard, and the world is cruel
Not necessarily. It is just as likely that there are no really great hackers. For one thing, there's no proof that there are anything other than the self important run-of-the-mill kind of hacker other than creepy speculative statements made by self important members of the "security" community. I know a lot of smart people who disappeared off the face of the earth too. Once in a while I rediscover them, working in coffee shops or as security guards at the zoo. They dropped contact when they gave up on intellectualism for a life of hedonistic pleasures like having friends and making a little money.
You know, it's funny...as much as people here hate on Microsoft for using FUD tactics, they seem to okay the computer security industry using the same tactics to scare people into buying expensive security audits. Better buy a new firewall...Bigfoot broke the cisco backdoor and the Loch Ness Monster could be SSH'd into your daughter's underwear drawer right now and we'd never know because they're using special Voodoo IP addresses that cannot be logged!
See, hackers work by writing code to exploit bugs. It is impossible to write code that is bug free. It is just as impossible to write exploits that are bug free (see: that blaster "fix" that did as much "damage" as the worm did). As such, it is impossible to write code that is completely indetectable. There are bound to be bugs in the indetectability. So this whole idea that stealthy ninja superhackers are sliding in and out of our nation's mainframes without anybody knowing is something I tend to place in the same realm of fiction as bible code.
And if you were "good enough" to write invincible code, it seems to me you could lead a much better life without this stupid Swordfish subterfuge, teaching your methods to senior programmers across the country for big bank. Shit, I'm sure MS has an opening somewhere. The New York Times definitely does.
Hey freaks: now you're ju
Obviously I wasn't present during this conversation, but unless there is more to it than you include here, I think you have some serious problems in communicating with your fellow humans. I know if I asked somebody for proof that my systems were insecure I would be thinking more along the lines of "please describe in detail the vulnerability" not "please try to crack my system". If you really believed that you had a legitimate invitation to try to crack the system why did you submit the evidence anonymously?
I think you have a very narrow view of morality then. Greater harm justifications only work if the questionable action was the only way to prevent the greater harm. Why didn't you just document the vulnerability and work your way up the chain of responsibility? (I mean immoral here as reading somebody's diary without permission, not as in assault or extortion.)
The legal penalties attached to cracking are just as much a part of the security infrastructure as encryption. Heck, if unauthorized network intrusion was a simple infraction punishable by a $10 fine I'd probably be wandering around my neighbor's unsecured wireless network right now.