Adrian Lamo Surrenders
clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail."
webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News.
He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."
How good are the ones who keep their mouths shut and just steal shit?
This
I must have missed something. What the hell is that webmaven link for in the article?!
"Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."
:-)
You have to negotiate for this now? So if they never tell him what he's charged with, can he get a reduced punishment?
What would you want to bet that Lexis/Nexis just winks and nods at their huge customer, The New York Times, Inc., and waives much of the actual charges that resulted from automated searches on Adrian Lamo. At their prices, there is probably still over $25K worth of manual labor involved... Lexis/Nexis is a premier service with some amazingly in-depth methods.
Plus, the scouring job that's required by NYT's IT department to ensure there aren't any new "easter eggs" in their system will go into significant coin too. I don't agree with the preposterous insurance-claim oriented figures that go into these 'cracking' news stories, but you can't just trust a superficial system cleanup after being cracked.
Well, he apparently told them how to fix it (or did he not with the New York Times?) - so if he did it I wouldn't think it would cost anywhere near $25,000.
read the article about the nature of the 'damage'
What article? How about a link?
Gawd.
Who cares about some Lamo. I'm sick of asshole kids and this uber-l337 hax0r crap. Stay out of other people's computers, just like you stay off their property and out of their homes.
Who cares if he caused $X amount of actual damage? There's such a thing as punitive damages. If you smash up my car, I can get the value of the damage plus some, just to punish you for being a stupid dickhead.
AT LEAST WATCH AN EPISODE OF FUCKING JUDGE JUDY BEFORE YOU OPEN YOUR YAMMERING IANAL MOUTHS.
Here's hoping Lamo goes to a federal pound-me-in-the-ass prison, and a message is sent to the rest of you uber-hax0rz out there (read script kiddies).
I don't need no instructions to know how to rock!!!!
Besides, I'm thinking that there was more than 300,000 dollars worth of damage to their reputation after this.
They need look no further than their own offices to find fault.
Just because you catch me strolling across your yard doesn't mean I should pay for having it fenced.
First off, you need to remember that judges are first and foremost lawyers. That's what they were before they were judges.
And anyone that would expect that an ex-lawyer is fair or honest in any way is a complete fool.
This judge knows nothing about what he is passing his "judgement" on and therefore is incapable of hearing such a case.
The entire judicial process in the United States is based on "who has the most influential or resourceful lawyer", not who is innocent or guilty.
It hasn't been about innocence or guilt for 50 years.
Do not look at laser with remaining good eye.
Why are you comparing it to your home? He hacked corporate servers! It's more like finding an intruder has managed to get past your security and knocked on your office door.
The problem is, how do you trust someone who's just broken into your systems to tell the truth about how they did it? Or to tell you everything they did? You can't, so you must look over everything, and probably reinstall your systems.
From The Reg:
;^)
Under the terms of his release, Lamo's future wanderings will be confined to the northeastern half of California, and southern New York state, unless he gets prior approval of the court to travel elsewhere.
Hrm. Wandering from NE Cali to south NY w/out going anywhere in between would seem about as easy a commute as getting from the West Bank to the Gaza Strip.
Then they tell the fellow he can't use a computer but has to get full-time employment! I imagine anyone savvy enough to Slashdot can see the irony there.
To completely switch gears, did anyone else find it weird that a paper would have SS#'s for people who have written op-ed pieces [for Lamo to find]? I suppose that implies they were *paid* for the pieces, but it still seems a bit strange.
It's all 0s and 1s. Or it's not.
It's more like finding an intruder has managed to get past your security and knocked on your office door.
Well, since their servers also held their files, it's actually more like gaining entry to the office and rifling through filing cabinets. And in order to ensure that nothing was awry, someone had to get paid to check things out.
(Anonymous for obvious reasons)
I don't live in the US. In my early days at the university I was involved in a serious case of hacking. Being a nerd for network security, I once told a university network administrator, who happened to be a good friend of mine and a student of one of the classes I gave at the time (on network security) at an institution unrelated to the university, that the university network was 'easy hackable'. He challenged me for a proof and I responded. About four months later I found myself in deep trouble: my network account was surrendered and all my e-mail was analyzed by the network administrators. For some reason (only known to an 18-year-old) I had sent an email to a friend telling him that I had cracked about 2000 passwords on the university network.
It turned out that since my 'friend' spoke with me he went with his superior and 'bought' a promotion for turning me in. The only proof they had was the email and a private conversation recorded without my permission (by a university student, not a government office) where I admitted to have cracked the university super-computer and a cluster to write, compile and run a distributed program that kept running for a little over two months (without anyone noticing it, it stopped running because I decided to stop it).
To get on-topic: They claimed that my actions had caused over US$ 100K. After 6 months of trial (where I was assisted by some great voluntary people) I walked out with a restraint to use any university computer for 4 years, and being unable to create accounts for any ISP in the state for 2 years.
The moral of the story is this: You fight. And fight hard. If you do so the people will support you, because you are fighting from the right side. Take it to the end, at some point justice will be served.
One of the first things you learn when you begin working in computer security, especially as an outside contractor, is that your customers don't trust you as far as they could throw the Empire State Building.
In fact, you will be reviled. You will have a hard time convincing many people to hire you because they're scared to death of you in the first place. Once they do hire you you will be assumed at some lizard brain level to be doing something nefarious.
This is one of the reasons why network security is so poor. Companies are loath to allow outside security experts anywhere near the place.
This is one of the reasons white hat hackers like Lamo do what they do. The companies aren't doing what they should, out of fear, thus leaving all the doors wide open. It's a dereliction of duty that the white hats expose to the public.
The companies don't always take kindly to the fact that their customers then know how poorly their personal data is being protected.
Obviously the way to handle the matter is to attack the white hat. Go figure.
Now these same companies don't hesitate a second to call in a locksmith to handle their physical security. They don't worry that when a lock gets changed the locksmith is secretly making a copy of the key so he can break in at night and clean them out, even though this occasionally actually happens.
Why not? Because physical locks aren't black magic beyond their understanding.
Rather than gain that understanding they'd rather fear. Again, go figure.
Computer security experts are like people who treat lepers. We acknowledge that they are needed, but we don't want them around our house.
God forbid they should marry our daughter or something. We'll never sleep at night.
KFG
"It's more like finding an intruder has managed to get past your security and knocked on your office door."
Which is also trespassing. Which is also not wanted, and illegal. You do understand that there are places in this world that you are not allowed to go without express permission, right?
We'll never know who the best are. Because they're SMART ENOUGH NOT TO BRAG ABOUT IT IN PUBLIC.
All sarcasm aside, I once heard Prof. Gene Spafford of CERIAS say that some of his best students had simply disappeared from the face of the Earth. He suspected that they were either recruited by Government organizations, or major corporations; and he was afraid that some even went to work for organized crime.
THESE people are the real pros. They get the job done, get paid, and quietly move on. They could live next door to you, and you'd have no clue that they crack heavily guarded systems for a living. For every Adrian Lamo or Kevin Mitnick, or even Peter Shipley for that matter, there are a half dozen guys way better that you'll never hear about.
Life is hard, and the world is cruel
The NY Times is 2 products; an offline and an online newspaper. You knock the online version out and you've killed half the products the company offers. Advertisers need to be repaid, workers have to be paid even though they can't do any work, etc. And you're going to lose a certain number of readers to other sites, some temporarily, others permanently. I agree that the numbers here do not seem unreasonable at all.
...but he didn't take down the NYT site, or make it unavailable. He trespassed. Would trespassing in the NYT building cause $25K in damages?.. even if he rifled through file cabinets? I doubt it.
.:diatonic:.
Private individuals using LexisNexis for viewing court documents will be charged $9 per document (not by search). I'm sure the NYT gets some kind of volume discount. This means Lamo would have had to fetch over 30,000 documents to rack up such a sum. Now assuming your average legal document is ten pages long (many are shorter, some are way longer) that makes 300,000 pages worth of legal documents. A full bookshelf of legal reference material. Why am I not buying this?
How much are you willing to bet the NYT took their monthly (yearly?) bill from LN and claimed that since Lamo had illegally benefitted from access to that material, he should pick up the whole tab?
Read the subject. The problem is the damage figures.
I haven't been following the story closely, but nothing I've seen has suggested that he attacked them in any way, DoS or other.
How did it cost the NY Times to have someone find a security flaw in their system? How much did it save them that the guy who found it didn't exploit it?
If someone tells me my shoe is untied, I can't sue them for the time it takes me to tie the shoe. Whether I was told or not, the shoe would have been untied. At least I now know the lace is loose and I can fix it before I trip and hurt myself.
Let's change the scenario, shall we? I drop my keys next to my car in a parking lot. Someone picks them up and tries my lock to see if they have the right car. They do, and they go through the car looking for an address and phone number. They find my business card and call me at work to give my keys back. Do I charge them with breaking and entering? Hell no. I give them a $20 for not allowing anyone else to steal my car.
Who defines "breaking into"?
If someone misconfigures their web server so it points at "C:\My Finances" and you surf to their site, are you breaking into their system? What if they configure it so it points to "C:\" and you click on the "My Finances" link? What if they have a default "Welcome to XXX" page but you type in the url: "http://www.icantconfigureiis.com/My%20Finances/"? What if you do a portscan on them and try to connect to a nonstandard port? What if you run a rootkit on them?
Obviously the latter examples are reasonably defined as "breaking in", and the former ones are not, but where do you draw the line? Is it a judgement call about what someone reasonably expects you to be able to see?
From what I have read, it is pretty obvious that this guy saw some things that he reasonably couldn't believe he was supposed to see. On the other hand, he did it all through a web browser. It's not like he was running rootkits. He was simply poking around and being nosy. The onus should be on the NY Times to have some reasonable standard of security in place that can't be compromised by Mozilla.
"If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?"
No, let's say you have cancer, but you don't know it, and you are not getting proper check-ups so you aren't going to find out. Some self-proclaimed doctor rigs the urinal you are about to use so that he can get a sample of your urine. He then takes the sample to his lab in the basement (without your knowledge) and performs a urinalysis. When he discovers you have cancer, he fully discloses to the world (without your permission 'cause he knows doctor-phobes, like yourself, would never give him permission) that you have cancer saying, "See how screwed up it is not to get regular check-ups at the doctor's office. This guy had CANCER, and he was going to DIE just because he refused to get check-ups." In other words, the social issue takes priority to the individual's rights.
Now, regardless of whether you agree with this or not, you have to admit that this is more accurate than the "sex" analogy. If you can come up with a more accurate analogy to what actually happened, by all means post it, but arguments supported by poor analogies are poor arguments, regardless of the core ideas behind them.
Sdelat' Ameriku velikoy Snova!
I can understand the "good faith" approach here in our country, but the nature of Internet-connected networks is that you may be dealing with people who aren't even on your native soil, or people that have absolutely no qualms about seriously messing-up your network, or even people who lack the maturity to exercise some restraint. This can be due to either malicious intent, different social customs, or the fact that the person on the other end is a latchkey kid bereft of character and ethics. It's a different ballgame, and social expectation is no excuse for poor security practice!
It isn't the analog of a bank. People that frequent a bank are mostly locals, and if they are not local, they are at least fellow citizens, and they are programmed from birth to follow our puritanical social customs. In addition, there is a pretty good chance that they are mature adults who have managed to budget and save some money.
Imagine if you will this fictional example: A bank from a western culture opens up a bank in the country of Ugrabit. In this culture, it is perfectly legal to run up and grab things of value out of the hands of the unsuspecting, and perfectly legal for the potential victim to bludgeon the perpetrator with a yak's femur. Western visitors are shocked and appalled when local residents run and grab the cash out of their hands as they stand in front of the teller. Westernized bank employees also refuse to beat the perpetrators senseless as it goes against their beliefs. Is it the fault of the locals? No! The bank didn't understand the potential hazards before placing themselves in harm's way.
Fred
"A fool and his freedom are soon parted"
-RMS
I bought a car alarm for my car. If I find someone trying to break into my car, can I charge the burglar for the cost of the alarm?
Outrageous? Yes.
I bought a car alarm for my car. If I find someone trying to break into my car and need to update my car alarm, can I charge the burglar for the cost of the NEW alarm?
Outrageous? HELL YES.
But.. whatever, it's a computer crime, I'll strangle the terrorist myself.
I remember a classic episode of The Screen Savers in which Mitnick and Woz were hosting the show. In one part Mitnick interviews Lamo...and he asked rather simple questions like "Now I used to hack b/c I was curious, why do you do it?"
All of Lamo's responses were rather "crackhead" like...I'm not trying to knock the guy, but it didn't really seem he had an answer for why he hacks...not because he's curious or because he's trying to help companies...he just kept saying that he considered himself "at the right place at the right time".
It's possible he was just camera shy.
Some aim to please, I aim to tease.
That's why you employ two or three of them remotely, without telling them about each other. Any back doors that one of them puts in, the other will find, and vice versa. As long as they don't know about the other(s), you should be in the clear.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.