Adrian Lamo Surrenders

clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail." webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News. He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."

Reasonable damage figures

[JohnGrahamCumming]

more than $25K damage to New York Times Co.,' and performing LexisNexis searches on
his own name to the tune of $300K! I always find it interesting that so little tinkering
can cause so much 'damage' (if you didn't get that wink, read the article about the
nature of the 'damage').

No I don't get the 'wink'.

These damage figures really don't seem very unreasonable, especially given what Kevin
Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
cost of the people of had to evaluate and repair his intrusion into the network). As for
the LexisNexis searches that cost is probably easy to calculate because they charge for
use of the service and he probably used $300,000 worth of the service without paying for it.

If he'd been accussed of millions of dollars of damage for these intrusions then I might be concerned
that the prosecutor was going overboard, but this seems pretty sane to me.

John.

Re:Reasonable damage figures

[Trigun]

As long as they have to prove the damages, rather than having the judge readily accept them. In fact, who cares about how much damage is done, as long as it's over the $5,000. If he broke the law, he broke the law, he didn't break the law by $320,000. That would be essentially ridiculous, turning law from an ethical measure to a monetary one (well, more so).

Re:Reasonable damage figures

[InsaneGeek]

I never quite got this... would you really trust a hacker to tell you everything he did? Some anonymous person on the internet breaks into your system and you will just take his word for it? A security incident is a security incident you have to do the same work either way:

offline the system
investigate the system to find intrusion
do a complete reload from scratch
identify other systems on the network with same vulnerability accessable by compromised system
make decision to roll dice and guess others were not compromised or rebuild those systems also

number of steps left out but you get the drift, the entire network is compromised and I don't trust my job let alone hundreds of fellow employees jobs, on a completely unknown person telling me they really didn't leave any back doors and didn't do anything at all after they intentionally broke into a system

Re:Reasonable damage figures

[kfg]

I do get the wink.

Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

Or is that maybe a capital expense that's my responsibility in the first place? Especially if I've taken on the responsibility for protecting the safty of other people's property and papers as part of a commercial operation.

Also, is this expense an actual additional one, or did I maybe already have a handyman on salary who simply did it as part of his normal duties?

For $25K the NYT could have hired me for a full quarter to go over their security systems. Did they really do something like that, or did a couple of guys on staff have to spend some of the time they normally would have spent goofing off actually doing their jobs?

Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

( The answer, of course, is that Lamo made his audit public. Still, it's not the simple B&W issue you might think)

The Lexis-Nexis thing is clear theft of services. Given the white hat Lamo was wearing I can understand that he had to do that just to demonstrate that he ( and thus anyone else) could, but it might not have been the smartest thing to do. I'd sure as hell want to see the actual bill though before I'd assent to the fact that he actually used $300k worth of the service.

KFG

Re:Reasonable damage figures

[Proaxiom]

To start with, the damage figures in the Kevin Mitnick case were entirely unreasonable.

And cost to evaluate and repair are a little hard to get a handle on. If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data). 'Repair' can have a much higher cost, but it also has a marked benefit. Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact). It's like accusing a building inspector of causing damage when he points out the crumbling foundation of your house. (The difference here, that Adrian's actions were illegal, is not lost on me, but we're talking strictly about damage computation).

LexisNexis is a little different. Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money. This is much the same as copyright infringement 'damages' where the RIAA claims you downloading 1000 songs costs them thousands of dollars, even though most people would have actually purchases only a small percentage of the songs they downloaded. Adrian may have incurred costs using system resources if he caused inconvenience to other customers, and again there are assessment costs as well.

Re:Reasonable damage figures

[badasscat]

No I don't get the 'wink'.

Nor do I. I don't know what's up with Slashdot lately; this is a tech news site, not a script kiddie site. We're not here to learn from famous crackers or to congratulate each other for taking big sites down. Crackers are criminals and they need to be punished. They do cause damage. The implication in the comments at the head of this are that this guy didn't really do anything wrong and so should get off... just like the 18 year old "kid" who got busted for the MSBlaster virus variant a couple weeks ago, at which time I read similarly ignorant and even stupid comments here.

The NY Times is 2 products; an offline and an online newspaper. You knock the online version out and you've killed half the products the company offers. Advertisers need to be repaid, workers have to be paid even though they can't do any work, etc. And you're going to lose a certain number of readers to other sites, some temporarily, others permanently. I agree that the numbers here do not seem unreasonable at all.

But then I shouldn't need to explain why crackers should go to jail. This is Slashdot, we should all understand this stuff already. There's no reason why a tech news site should favor crackers over commercial internet interests; it's all tech, it's just that one side of the issue here happens to be criminal.

My company's web sites have been the victim of numerous DoS attacks (no, I do not work for SCO - I work for a company you guys like, though I don't really want to say which), which while using different methods amount to the same thing this guy did - it's all denial of service, and it does cost companies money. I have absolutely no sympathy for this guy and hope he gets the book thrown at him.

Re:Reasonable damage figures

But if they had discovered this on their own, they would have still had to have gone to the same expense.

Just because he's the only one that ever told them that he was able to do it doesn't mean that others weren't.

Re:Reasonable damage figures

[Morosoph]

It seems to me that engineers view security breaches very differently from most people; we're used to having to fix all bugs, and it becomes natural to think of someone who's managed to break a system as having done good; the clean-up costs are not the costs of the breach, but the costs of the bug, as yet unforseen.
I get the impression that this is not how the average person thinks at all. When something fails, the most obvious culprit is the person that broke the system. There might be secondary concerns, but the first thing to do is to find blame.
By contrast, the engineer is almost grateful, at least once the bug's been fixed!
My thoughts are that people who break things without malice, although they might be in some sense "trespassing", deserve some protection, as egos do not deserve the protection of the law. The law should instead be structured so as to make secure systems more probably, ie. intelligent cost/benefit analysis is the order of the day, not ideological moaning about property and tresspass.

Re:Reasonable damage figures

[Evil+Adrian]

Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

END OF STORY!

Hacking is illegal, everyone knows it, why are you getting pissed about it? Leave other people's shit alone unless they specifically ask you to fuck with it, or you will get in trouble! That is NOT a difficult concept to grasp!

Re:Reasonable damage figures

[greenhide]

Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."


Here's a harsh example: If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

The faulty lock isn't a good analogy. A better analogy is that you have a normal working lock, and the person is an extremely adept locksmith who also knows how to circumvent security systems. Don't think "This Old House", think "Mission Impossible".

These servers weren't left totally out in the open, otherwise people would be hacking into the NY Times *all the time*. I mean, wouldn't it be tempting to be able to put any message you wanted, up for viewing to many millions of people?

I'm sure the NY Times spends a whole lot on security, and does a pretty good job at it. This Adrian fellow is a really good hacker; that's all there is to it. Any system that must connect to the Internet is inherently insecure. The people at the NY Times have probably made a very careful balance between making their servers secure, and making it possible for employees to access it from the thousands of locations across the globe where they have staff, reporters, subscription offices, and distribution and printing centers.

I think anyone who blames the NY Times in this case is expecting too much. I'd like to see how *your* computers handle a hacking attach from this guy.

Re:Reasonable damage figures

[_bug_]

Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

Actually it may not be a clear cut illegal intrusion. If Llamo never encountered an "authorized use only" or "for NYT staff only" message then it can (as has been in the past) argued that Llamo had no reason to believe he was accessing an area of the NYT network he was not suppose to. Given that he was accessing it via the Internet which is a PUBLIC network.

That may be why the NYT is trying to put a dollar figure to the "damage" Llamo caused. Then they can argue property damage.

Re:Reasonable damage figures

[Jerf]

If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data).

I disagree. One of the problem is that when a hacker attacks, you can't necessarily trust the logs. In fact there's a lot of people of the opinion (and I'm one of them) that unless you really know exactly which vulnerability was exploited and how it was exploited (like a common worm comes in that doesn't install a shell and there's no evidence that there was any other person actively involved in the hack), the only proper thing to do is completely re-install the system from either known-good backups (and labelling backups "known good" is itself an interesting challenge), or even from the original CDs.

Things like "tripwire" are just that... tripwires. They really shouldn't be used to help repair the system because once the system is compromised you can no longer trust the output.

For a business-critical machine, and well-paid admins (which you should have!), and counting downtime, $25,000 is entirely reasonable.

Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact).

Since fixing a vulnerability is typically a matter of applying a patch, odds are it does not account for more then $100 or $200 of the damage if it was computed rationally. Evaluation, analysis (which even if you re-install from scratch MUST be done, to see if any customer or private data was compromised), re-install, and lost business swamps that expense. Trying to talk the damage value of this down isn't really useful since it's such a small part of the value, in all likelihood.

$25,000 is quite reasonable.

Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money.

Yes, this is most likely absurdly inflated.

1 for 2 is actually a significant improvement for our system, and this is a good sign, IMHO.

Re:Reasonable damage figures

[Theatetus]

Yes, a total rebuild is required after any intrusion.

BUT they have *NEEDED* to do a rebuild for a long time; Lamo simply proved that fact. If your system could have been compromised, you must assume that it has been.

To be honest, I don't think Lamo added one cent to what NYT has to pay to fix its systems. If they were running an exploitable system, they need to rebuild and secure it. Lamo cracked them and admitted it, they STILL need to rebuild and secure it. How has he added any extra cost to their operation?

you know what to do

[SirSlud]

Jail that obviously highly intelligent individual!

Yes, I'm joking. This kid sounds like a bright fish .. why jail him? Surely he can contribute in a positive way to society? It sure sounds like he doesn't have any malicious intentions other than prove what every engineer knows - you often need to experience failure before you address a weakness in your design. Better to have failure 'encouraged' by a guy who's willing to help you lock down your network after the fact than some dude who gets in the door and heads straight for client lists, credit info, etc ..

Adrian Lamo Surrenders

[Morosoph]

This story makes me sad. The judge had a "last minute" idea, "Oh yeah, let's ban him from using computers", probably the only thing that really gave purpose to the life of a tramp. Getting a "real" job cannot be a substitute, and as The Register points out, Adrian wasn't exactly writing viruses. Quote:

Following the recommendation of a federal pretrial services officer who interviewed the hacker in custody, Hollows ordered Lamo to obtain full-time employment or enroll in college pending trial. The ban on computer use was the judge's idea.
"This whole business of computer hacking, viruses and so forth is getting very wearisome," said Hollows, explaining his thinking from the bench.

There is something depressing about the whole "join society" ethos, that is, conform to everyday mediocrity.

Re:Adrian Lamo Surrenders

[cindik]

I wonder how many "real jobs" are left that involve no contact whatsoever with computers.

Re:Lexis/Nexis and NYT

[exhilaration]

You forgot the costs of retraining new network admins after firing the incompetent fools that left the NY Times network wide open.

Oh wait, those fools are probably still employed, and they're probably the ones doing the "scouring".

Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.

How old are you? 5?

[NDPTAL85]

Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?

Now imagine word spreads about this type of behaviour with no consequences (jail time). Now you'll come home every week or 2 or 3 times a week to some unauthorized person sitting in your living room? Is this what you want? Its just fine and dandy because the intent is good right? What? Road to hell? What? Paved with good intentions?

Don't Reward Burglars, or This Guy

[reallocate]

Sounds like a kid with an inflated ego and a bit of a Robin Hood complex.

I wouldn't feel like thanking someone who broke into my house while I was on vacation, nosed around in my papers, and then told me about my "security problem" when I returned home. Why would I, or any business, reward the same kind of behavior inside someone else's network? Both examples are, at minimum, illegal invasions of another's property.

Businesses that didn't press charges against this guy were negligent and only encourage the phony notion that crime on a network isn't serious.

Letting others protect you

[tarnin]

This is again along the lines of "We dont really want to make sure were secure so we'll just sue/have arrested anyone who finds anything." These are also the same people who loby the gov to pass laws to do this. It's amazing how little people acutally care about how secure their network or computers are and instead care more about huge fines and sentences so they can keep their networks insecure.

None of this has ever made any sense to me. Why is it that leaving a network insecure is fine and dandy but someone comming along and finding out its insecure then entering it a bitter no no then breaking and entering into a house? Didn't we learn long ago to close and lock our doors at night and when we where away? Some of these security holes are equvilant to a wide open window with no screen in it while were on vacation for a month. Yes, its still illegal for someone to enter the house and steal someting but doenst common sense tell us "Hey dummy, close and lock the doors and windows!".

I'm also wondering if they have any case on this. Didn't the NY Times take his help originaly to secure the network? I know the statue of limitations hasnt paned out on this but at some point someone kinda has to say "Ahh well why are you taking him to court now after he helped out originally?". Just another "See what we do to these bad bad men!" cases.

Re:Uh - shouldn't they sue themselves?

[greenhide]

Hmmm... I have a feeling they didn't leave the site open. They just didn't make it unhackable.

It seems like this Adrian fellow is a pretty adept hacker. It's probably not easy to break into Yahoo and similar sites.

Here's a good analogy: Say someone is a great locksmith, and he breaks into your house, snoops around, reads private information that you have locked up in your cabinets, and then uses your phone to make a bunch of long distance phone calls. Should this person be held liable, even if they are willing to give you, for free, a "Brand New Burglar Detection System"?

Hell, yeah, they should. I personally have a hard time believing that Lexis Nexus really would have charged NY Times $300,000 for the searches that Adrian did -- surely they can't be that expensive -- but otherwise I believe that yes, he should pay for his actions.

If someone breaks into my car and crashes it into someone's house, I shouldn't be held liable, he should. Just because I left it unlocked (or locked it, but didn't use the Club) does not make me culpable.

And yeah, the New York Times had a real image problem when one of their reporters turned out to be a real idiot. It's possible that a few of their advertisers jumped ship. But it seems like they're doing fine now, especially since they were so open about their mistake and showed a willingness and intent to improve.

If Adrian is such a great damn hacker, why doesn't he just go straight to the corporations and say, "Look, I know that I can hack into your system. How about you pay me to make it more secure." Rather than hacking in, and then saying, "Hey, let me make it up to you by showing how to secure it for free." See, that way, he gets money instead of going to jail.

Now that the NY TImes has pressed charges, I don't see anything that will get him out of this situation. He probably won't get a lot of time in jail, and hopefully he will be able to work out some kind of agreement where he offers his technical expertise and knowledge to offset some of the costs he incurred.