Adrian Lamo Surrenders

clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail." webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News. He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."

Reasonable damage figures

[JohnGrahamCumming]

more than $25K damage to New York Times Co.,' and performing LexisNexis searches on
his own name to the tune of $300K! I always find it interesting that so little tinkering
can cause so much 'damage' (if you didn't get that wink, read the article about the
nature of the 'damage').

No I don't get the 'wink'.

These damage figures really don't seem very unreasonable, especially given what Kevin
Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
cost of the people of had to evaluate and repair his intrusion into the network). As for
the LexisNexis searches that cost is probably easy to calculate because they charge for
use of the service and he probably used $300,000 worth of the service without paying for it.

If he'd been accussed of millions of dollars of damage for these intrusions then I might be concerned
that the prosecutor was going overboard, but this seems pretty sane to me.

John.

Re:Reasonable damage figures

[Trigun]

As long as they have to prove the damages, rather than having the judge readily accept them. In fact, who cares about how much damage is done, as long as it's over the $5,000. If he broke the law, he broke the law, he didn't break the law by $320,000. That would be essentially ridiculous, turning law from an ethical measure to a monetary one (well, more so).

Re:Reasonable damage figures

[InsaneGeek]

I never quite got this... would you really trust a hacker to tell you everything he did? Some anonymous person on the internet breaks into your system and you will just take his word for it? A security incident is a security incident you have to do the same work either way:

offline the system
investigate the system to find intrusion
do a complete reload from scratch
identify other systems on the network with same vulnerability accessable by compromised system
make decision to roll dice and guess others were not compromised or rebuild those systems also

number of steps left out but you get the drift, the entire network is compromised and I don't trust my job let alone hundreds of fellow employees jobs, on a completely unknown person telling me they really didn't leave any back doors and didn't do anything at all after they intentionally broke into a system

Re:Reasonable damage figures

[kfg]

I do get the wink.

Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

Or is that maybe a capital expense that's my responsibility in the first place? Especially if I've taken on the responsibility for protecting the safty of other people's property and papers as part of a commercial operation.

Also, is this expense an actual additional one, or did I maybe already have a handyman on salary who simply did it as part of his normal duties?

For $25K the NYT could have hired me for a full quarter to go over their security systems. Did they really do something like that, or did a couple of guys on staff have to spend some of the time they normally would have spent goofing off actually doing their jobs?

Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

( The answer, of course, is that Lamo made his audit public. Still, it's not the simple B&W issue you might think)

The Lexis-Nexis thing is clear theft of services. Given the white hat Lamo was wearing I can understand that he had to do that just to demonstrate that he ( and thus anyone else) could, but it might not have been the smartest thing to do. I'd sure as hell want to see the actual bill though before I'd assent to the fact that he actually used $300k worth of the service.

KFG

Re:Reasonable damage figures

[Proaxiom]

To start with, the damage figures in the Kevin Mitnick case were entirely unreasonable.

And cost to evaluate and repair are a little hard to get a handle on. If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data). 'Repair' can have a much higher cost, but it also has a marked benefit. Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact). It's like accusing a building inspector of causing damage when he points out the crumbling foundation of your house. (The difference here, that Adrian's actions were illegal, is not lost on me, but we're talking strictly about damage computation).

LexisNexis is a little different. Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money. This is much the same as copyright infringement 'damages' where the RIAA claims you downloading 1000 songs costs them thousands of dollars, even though most people would have actually purchases only a small percentage of the songs they downloaded. Adrian may have incurred costs using system resources if he caused inconvenience to other customers, and again there are assessment costs as well.

Re:Reasonable damage figures

[badasscat]

No I don't get the 'wink'.

Nor do I. I don't know what's up with Slashdot lately; this is a tech news site, not a script kiddie site. We're not here to learn from famous crackers or to congratulate each other for taking big sites down. Crackers are criminals and they need to be punished. They do cause damage. The implication in the comments at the head of this are that this guy didn't really do anything wrong and so should get off... just like the 18 year old "kid" who got busted for the MSBlaster virus variant a couple weeks ago, at which time I read similarly ignorant and even stupid comments here.

The NY Times is 2 products; an offline and an online newspaper. You knock the online version out and you've killed half the products the company offers. Advertisers need to be repaid, workers have to be paid even though they can't do any work, etc. And you're going to lose a certain number of readers to other sites, some temporarily, others permanently. I agree that the numbers here do not seem unreasonable at all.

But then I shouldn't need to explain why crackers should go to jail. This is Slashdot, we should all understand this stuff already. There's no reason why a tech news site should favor crackers over commercial internet interests; it's all tech, it's just that one side of the issue here happens to be criminal.

My company's web sites have been the victim of numerous DoS attacks (no, I do not work for SCO - I work for a company you guys like, though I don't really want to say which), which while using different methods amount to the same thing this guy did - it's all denial of service, and it does cost companies money. I have absolutely no sympathy for this guy and hope he gets the book thrown at him.

Re:Reasonable damage figures

But if they had discovered this on their own, they would have still had to have gone to the same expense.

Just because he's the only one that ever told them that he was able to do it doesn't mean that others weren't.

Re:Reasonable damage figures

[Morosoph]

It seems to me that engineers view security breaches very differently from most people; we're used to having to fix all bugs, and it becomes natural to think of someone who's managed to break a system as having done good; the clean-up costs are not the costs of the breach, but the costs of the bug, as yet unforseen.
I get the impression that this is not how the average person thinks at all. When something fails, the most obvious culprit is the person that broke the system. There might be secondary concerns, but the first thing to do is to find blame.
By contrast, the engineer is almost grateful, at least once the bug's been fixed!
My thoughts are that people who break things without malice, although they might be in some sense "trespassing", deserve some protection, as egos do not deserve the protection of the law. The law should instead be structured so as to make secure systems more probably, ie. intelligent cost/benefit analysis is the order of the day, not ideological moaning about property and tresspass.

Re:Reasonable damage figures

[Evil+Adrian]

Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

END OF STORY!

Hacking is illegal, everyone knows it, why are you getting pissed about it? Leave other people's shit alone unless they specifically ask you to fuck with it, or you will get in trouble! That is NOT a difficult concept to grasp!

Re:Reasonable damage figures

[greenhide]

Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."


Here's a harsh example: If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

The faulty lock isn't a good analogy. A better analogy is that you have a normal working lock, and the person is an extremely adept locksmith who also knows how to circumvent security systems. Don't think "This Old House", think "Mission Impossible".

These servers weren't left totally out in the open, otherwise people would be hacking into the NY Times *all the time*. I mean, wouldn't it be tempting to be able to put any message you wanted, up for viewing to many millions of people?

I'm sure the NY Times spends a whole lot on security, and does a pretty good job at it. This Adrian fellow is a really good hacker; that's all there is to it. Any system that must connect to the Internet is inherently insecure. The people at the NY Times have probably made a very careful balance between making their servers secure, and making it possible for employees to access it from the thousands of locations across the globe where they have staff, reporters, subscription offices, and distribution and printing centers.

I think anyone who blames the NY Times in this case is expecting too much. I'd like to see how *your* computers handle a hacking attach from this guy.

Re:Reasonable damage figures

[Elwood+P+Dowd]

No one, least of all Lamo himself, suggest that Adrian Lamo is a really good hacker. He goes after low hanging fruit. He finds b2b systems with default passwords. He finds unpatched systems.

The only reason he's famous is... wait... I can't think of any good reason why he's famous.

IMHO, the analogy should be that his crime was saying, "The NYT keeps your credit card information on their kitchen table, and they don't even have a lock on their back door."

Re:Reasonable damage figures

[jkauzlar]

I have absolutely no sympathy for this guy and hope he gets the book thrown at him

Is it because he has embarrassed you by lessening your company's technical credibility? I'm not trying to troll, but I wonder if $300k really is a realistic fine to apply to someone who essentially is just spraying graffiti, breaking and entering and having a look around.

Slashdot is not supporting this behavior, only trying to keep the possible wild misuse of government and corporate power in check. Most 'script-kiddies', at worst, are just nerds who perhaps need a public playground for their talents. Let's keep some perspective. That's what slashdot is about.

Re:Reasonable damage figures

[_bug_]

Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

Actually it may not be a clear cut illegal intrusion. If Llamo never encountered an "authorized use only" or "for NYT staff only" message then it can (as has been in the past) argued that Llamo had no reason to believe he was accessing an area of the NYT network he was not suppose to. Given that he was accessing it via the Internet which is a PUBLIC network.

That may be why the NYT is trying to put a dollar figure to the "damage" Llamo caused. Then they can argue property damage.

Re:Reasonable damage figures

[Jerf]

If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data).

I disagree. One of the problem is that when a hacker attacks, you can't necessarily trust the logs. In fact there's a lot of people of the opinion (and I'm one of them) that unless you really know exactly which vulnerability was exploited and how it was exploited (like a common worm comes in that doesn't install a shell and there's no evidence that there was any other person actively involved in the hack), the only proper thing to do is completely re-install the system from either known-good backups (and labelling backups "known good" is itself an interesting challenge), or even from the original CDs.

Things like "tripwire" are just that... tripwires. They really shouldn't be used to help repair the system because once the system is compromised you can no longer trust the output.

For a business-critical machine, and well-paid admins (which you should have!), and counting downtime, $25,000 is entirely reasonable.

Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact).

Since fixing a vulnerability is typically a matter of applying a patch, odds are it does not account for more then $100 or $200 of the damage if it was computed rationally. Evaluation, analysis (which even if you re-install from scratch MUST be done, to see if any customer or private data was compromised), re-install, and lost business swamps that expense. Trying to talk the damage value of this down isn't really useful since it's such a small part of the value, in all likelihood.

$25,000 is quite reasonable.

Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money.

Yes, this is most likely absurdly inflated.

1 for 2 is actually a significant improvement for our system, and this is a good sign, IMHO.

Re:Reasonable damage figures

[Theatetus]

Yes, a total rebuild is required after any intrusion.

BUT they have *NEEDED* to do a rebuild for a long time; Lamo simply proved that fact. If your system could have been compromised, you must assume that it has been.

To be honest, I don't think Lamo added one cent to what NYT has to pay to fix its systems. If they were running an exploitable system, they need to rebuild and secure it. Lamo cracked them and admitted it, they STILL need to rebuild and secure it. How has he added any extra cost to their operation?

Re:Reasonable damage figures

[Lightwarrior]

> ...IT'S ILLEGAL TO DO SO.
> END OF STORY!
It's not that simple.

One of the founding principles of the USA is that "right" and "wrong" can change over time - hence the ability to modify our set of laws. As another poster pointed out, slavery was legal for quite some time - that didn't make it right, and people were forced to take action to make it illegal.

Free speech is one of the methods given to US Citizens to let the government know how we think they're doing. However, as has been shown innumerable times over, sometimes doing something "illegal" is necessary in part of the protest. There are times when people won't see how silly a law or rule is until it is broken repeatedly in front of their noses.

We're living in a time when more and more of our information is becoming more and more accessible. There are people out there whose intentions (good or ill) are not being backed by reasonable security. Accessible personal information and light or no security do not mix well.

I'd greatly prefer it if we could live in a world where everyone could be trusted "to behave". If we could trust people not to break into each other's homes, we wouldn't need door locks. Sure, it's illegal to break into another person's home - but does that mean that you don't need to lock your door?

Or that you should never check your door to be sure it's locked?

Most importantly, are you willing to take the risk of leaving personal, private, or otherwise valuable information or things laying around, in plain view, behind an unlocked glass case (alarmed though it may be)?

Every time a case like this gets into the newspapers, it is a bold reminder to corporations that they are at risk. Without a threat of loss, security grows lax. Be greatful this person did not act with a significant malicious intent, and learn from it.

-lw

Re:Reasonable damage figures

[Jayzz]

This guy left a memo to notify the security holes. That proves he was aware that he was intruding.

Re:Reasonable damage figures

[commodoresloat]

If a computer does not belong to you, you are not supposed to access it without explicit or implied permission.

Arguably, leaving port 80 open constitutes implied permission. Nobody expects me to get a signed note from CmdrTaco every time I visit slashdot.org. On what basis can a prosecutor make the claim that leaving port 23 open does not constitute the same kind of implicit permission?

you know what to do

[SirSlud]

Jail that obviously highly intelligent individual!

Yes, I'm joking. This kid sounds like a bright fish .. why jail him? Surely he can contribute in a positive way to society? It sure sounds like he doesn't have any malicious intentions other than prove what every engineer knows - you often need to experience failure before you address a weakness in your design. Better to have failure 'encouraged' by a guy who's willing to help you lock down your network after the fact than some dude who gets in the door and heads straight for client lists, credit info, etc ..

Adrian Lamo Surrenders

[Morosoph]

This story makes me sad. The judge had a "last minute" idea, "Oh yeah, let's ban him from using computers", probably the only thing that really gave purpose to the life of a tramp. Getting a "real" job cannot be a substitute, and as The Register points out, Adrian wasn't exactly writing viruses. Quote:

Following the recommendation of a federal pretrial services officer who interviewed the hacker in custody, Hollows ordered Lamo to obtain full-time employment or enroll in college pending trial. The ban on computer use was the judge's idea.
"This whole business of computer hacking, viruses and so forth is getting very wearisome," said Hollows, explaining his thinking from the bench.

There is something depressing about the whole "join society" ethos, that is, conform to everyday mediocrity.

Re:Adrian Lamo Surrenders

[cindik]

I wonder how many "real jobs" are left that involve no contact whatsoever with computers.

Re:Adrian Lamo Surrenders

[BrynM]

Enrolling in college is out too. Nice of the judge to be so considerate.

Funny enough, I heard he was in town (I'm in Sacramento) by spotting him being interviewed by a local newscaster last week. I was wondering if he was still around because I recognized the place he was interviewed at. Does anyone know if his parents live in this area?

Re:Lexis/Nexis and NYT

[exhilaration]

You forgot the costs of retraining new network admins after firing the incompetent fools that left the NY Times network wide open.

Oh wait, those fools are probably still employed, and they're probably the ones doing the "scouring".

Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.

How old are you? 5?

[NDPTAL85]

Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?

Now imagine word spreads about this type of behaviour with no consequences (jail time). Now you'll come home every week or 2 or 3 times a week to some unauthorized person sitting in your living room? Is this what you want? Its just fine and dandy because the intent is good right? What? Road to hell? What? Paved with good intentions?

Re:Damage is damage

[sixdotoh]

plus a hit to their reputation

parent is somehwat a troll, but anyway...

a hit to their reputation? unless the business is some kind of computer security company, or ISP, i would wager that it does very little to their reputation. come on, any other company (especially outside of any IT related company), which of their customers is even going to *know* the site was hacked. how many of those people are going ever hear that the site was hacked... if they couldn't access they site, they would probably just think their own internet connection was screwy at that time, or just accept the fact that they couldn't access the certain site (happens all the time) and think little of it.

i'm not trying to defend hackers, i'm just trying to set that misconception straight.

Don't Reward Burglars, or This Guy

[reallocate]

Sounds like a kid with an inflated ego and a bit of a Robin Hood complex.

I wouldn't feel like thanking someone who broke into my house while I was on vacation, nosed around in my papers, and then told me about my "security problem" when I returned home. Why would I, or any business, reward the same kind of behavior inside someone else's network? Both examples are, at minimum, illegal invasions of another's property.

Businesses that didn't press charges against this guy were negligent and only encourage the phony notion that crime on a network isn't serious.

Letting others protect you

[tarnin]

This is again along the lines of "We dont really want to make sure were secure so we'll just sue/have arrested anyone who finds anything." These are also the same people who loby the gov to pass laws to do this. It's amazing how little people acutally care about how secure their network or computers are and instead care more about huge fines and sentences so they can keep their networks insecure.

None of this has ever made any sense to me. Why is it that leaving a network insecure is fine and dandy but someone comming along and finding out its insecure then entering it a bitter no no then breaking and entering into a house? Didn't we learn long ago to close and lock our doors at night and when we where away? Some of these security holes are equvilant to a wide open window with no screen in it while were on vacation for a month. Yes, its still illegal for someone to enter the house and steal someting but doenst common sense tell us "Hey dummy, close and lock the doors and windows!".

I'm also wondering if they have any case on this. Didn't the NY Times take his help originaly to secure the network? I know the statue of limitations hasnt paned out on this but at some point someone kinda has to say "Ahh well why are you taking him to court now after he helped out originally?". Just another "See what we do to these bad bad men!" cases.

Re:Uh - shouldn't they sue themselves?

[greenhide]

Hmmm... I have a feeling they didn't leave the site open. They just didn't make it unhackable.

It seems like this Adrian fellow is a pretty adept hacker. It's probably not easy to break into Yahoo and similar sites.

Here's a good analogy: Say someone is a great locksmith, and he breaks into your house, snoops around, reads private information that you have locked up in your cabinets, and then uses your phone to make a bunch of long distance phone calls. Should this person be held liable, even if they are willing to give you, for free, a "Brand New Burglar Detection System"?

Hell, yeah, they should. I personally have a hard time believing that Lexis Nexus really would have charged NY Times $300,000 for the searches that Adrian did -- surely they can't be that expensive -- but otherwise I believe that yes, he should pay for his actions.

If someone breaks into my car and crashes it into someone's house, I shouldn't be held liable, he should. Just because I left it unlocked (or locked it, but didn't use the Club) does not make me culpable.

And yeah, the New York Times had a real image problem when one of their reporters turned out to be a real idiot. It's possible that a few of their advertisers jumped ship. But it seems like they're doing fine now, especially since they were so open about their mistake and showed a willingness and intent to improve.

If Adrian is such a great damn hacker, why doesn't he just go straight to the corporations and say, "Look, I know that I can hack into your system. How about you pay me to make it more secure." Rather than hacking in, and then saying, "Hey, let me make it up to you by showing how to secure it for free." See, that way, he gets money instead of going to jail.

Now that the NY TImes has pressed charges, I don't see anything that will get him out of this situation. He probably won't get a lot of time in jail, and hopefully he will be able to work out some kind of agreement where he offers his technical expertise and knowledge to offset some of the costs he incurred.

Why did he turn himself in?

[Alioth]

Wonder why he turned himself in? If I was in his shoes, I'd go on the run because:
* it seems like anything to do with hacking == terrorism. Justice won't be served, long prison sentence
* being obviously young, not particularly bad looking and probably not physically strong means almost certain prison rape.
* already leading a nomadic lifestyle so why not continue.

However, in his position, I'd probably no longer publicise what I was up to. I think he has made some grave tactical errors in letting his identity being so publically known (and this is why he probably decided not to stay on the run, because his photograph has already been so widely published).

I hope his punishment is in proportion to the crime though - not some arbitrary "war on terror" sentence.

I say again

[BortQ]

Get a slashdot interview with this guy.

Re:You got it

[dasmegabyte]

Not necessarily. It is just as likely that there are no really great hackers. For one thing, there's no proof that there are anythin other than the self important run-of-the-mill kind of hacker other than creepy speculative statements made by self important members of the "security" community. I know a lot of smart people who disappeared off the face of the earth too. Once in a while I rediscover them, working in coffee shops or as security guards at the zoo. They dropped contact when they gave up on intellectualism for a life of hedonistic pleasures like having friends and making a little money.

You know, it's funny...as much as people here hate on Microsoft for using FUD tactics, they seem to okay the computer security industry using the same tactics to scare people into buying expensive security audits. Better buy a new firewall...Bigfoot broke the cisco backdoor and the Loch Ness Monster could be SSH'd into your daughter's underwear drawer right now and we'd never know because they're using special Voodoo IP addresses that cannot be logged!

See, hackers work by writing code to exploit bugs. It is impossible to write code that is bug free. It is just as impossible to write exploits that are bug free (see: that blaster "fix" that did as much "damage" as the worm did). As such, it is impossible to write code that is completely indetectable. There are bound to be bugs in the indetectability. So this whole idea that stealthy ninja superhackers are sliding in and out of our nation's mainframes without anybody knowing is something I tend to place in the same realm of fiction as bible code.

And if you were "good enough" to write invincible code, it seems to me you could lead a much better life without this stupid Swordfish subterfuge, teaching your methods to senior programmers across the country for big bank. Shit, I'm sure MS has an opening somewhere. The New York Times definitely does.