Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adrian Lamo Surrenders

Posted by timothy on from the eh-well dept.

clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail." webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News. He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."

101 of 639 comments (clear)

  1. He boasted.... by ellem · · Score: 3, Interesting

    How good are the ones who keep their mouths shut and just steal shit?

    --
    This .sig is fake but accurate.
    1. Re:He boasted.... by Mononoke · · Score: 5, Funny
      How good are the ones who keep their mouths shut and just steal shit?
      We are absolutely incredi...

      Aw crap.

      --
      NetInfo connection failed for server 127.0.0.1/local
    2. Re:He boasted.... by CrashPanic · · Score: 4, Funny

      He blew his cover and then surrendered?!

      Boy what a Lamo

      --
      "There's no set architecture in Linux. All roads lead to madness" -Microsoft
  2. Reasonable damage figures by JohnGrahamCumming · · Score: 5, Insightful

    more than $25K damage to New York Times Co.,' and performing LexisNexis searches on
    his own name to the tune of $300K! I always find it interesting that so little tinkering
    can cause so much 'damage' (if you didn't get that wink, read the article about the
    nature of the 'damage').

    No I don't get the 'wink'.

    These damage figures really don't seem very unreasonable, especially given what Kevin
    Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
    cost of the people of had to evaluate and repair his intrusion into the network). As for
    the LexisNexis searches that cost is probably easy to calculate because they charge for
    use of the service and he probably used $300,000 worth of the service without paying for it.

    If he'd been accussed of millions of dollars of damage for these intrusions then I might be concerned
    that the prosecutor was going overboard, but this seems pretty sane to me.

    John.

    1. Re:Reasonable damage figures by sekzscripting · · Score: 2, Interesting

      Well, he apparently told them how to fix it (or did he not with the New York Times?) - so if he did it I wouldn't think it would cost anywhere near $25,000.

    2. Re:Reasonable damage figures by Trigun · · Score: 5, Insightful

      As long as they have to prove the damages, rather than having the judge readily accept them. In fact, who cares about how much damage is done, as long as it's over the $5,000. If he broke the law, he broke the law, he didn't break the law by $320,000. That would be essentially ridiculous, turning law from an ethical measure to a monetary one (well, more so).

    3. Re:Reasonable damage figures by InsaneGeek · · Score: 5, Insightful

      I never quite got this... would you really trust a hacker to tell you everything he did? Some anonymous person on the internet breaks into your system and you will just take his word for it? A security incident is a security incident you have to do the same work either way:

      offline the system
      investigate the system to find intrusion
      do a complete reload from scratch
      identify other systems on the network with same vulnerability accessable by compromised system
      make decision to roll dice and guess others were not compromised or rebuild those systems also

      number of steps left out but you get the drift, the entire network is compromised and I don't trust my job let alone hundreds of fellow employees jobs, on a completely unknown person telling me they really didn't leave any back doors and didn't do anything at all after they intentionally broke into a system

    4. Re:Reasonable damage figures by nsandver-work · · Score: 3, Interesting

      The problem is, how do you trust someone who's just broken into your systems to tell the truth about how they did it? Or to tell you everything they did? You can't, so you must look over everything, and probably reinstall your systems.

    5. Re:Reasonable damage figures by kfg · · Score: 4, Insightful

      I do get the wink.

      Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

      Or is that maybe a capital expense that's my responsibility in the first place? Especially if I've taken on the responsibility for protecting the safty of other people's property and papers as part of a commercial operation.

      Also, is this expense an actual additional one, or did I maybe already have a handyman on salary who simply did it as part of his normal duties?

      For $25K the NYT could have hired me for a full quarter to go over their security systems. Did they really do something like that, or did a couple of guys on staff have to spend some of the time they normally would have spent goofing off actually doing their jobs?

      Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

      ( The answer, of course, is that Lamo made his audit public. Still, it's not the simple B&W issue you might think)

      The Lexis-Nexis thing is clear theft of services. Given the white hat Lamo was wearing I can understand that he had to do that just to demonstrate that he ( and thus anyone else) could, but it might not have been the smartest thing to do. I'd sure as hell want to see the actual bill though before I'd assent to the fact that he actually used $300k worth of the service.

      KFG

    6. Re:Reasonable damage figures by Proaxiom · · Score: 4, Insightful
      To start with, the damage figures in the Kevin Mitnick case were entirely unreasonable.

      And cost to evaluate and repair are a little hard to get a handle on. If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data). 'Repair' can have a much higher cost, but it also has a marked benefit. Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact). It's like accusing a building inspector of causing damage when he points out the crumbling foundation of your house. (The difference here, that Adrian's actions were illegal, is not lost on me, but we're talking strictly about damage computation).

      LexisNexis is a little different. Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money. This is much the same as copyright infringement 'damages' where the RIAA claims you downloading 1000 songs costs them thousands of dollars, even though most people would have actually purchases only a small percentage of the songs they downloaded. Adrian may have incurred costs using system resources if he caused inconvenience to other customers, and again there are assessment costs as well.

    7. Re:Reasonable damage figures by badasscat · · Score: 4, Insightful

      No I don't get the 'wink'.

      Nor do I. I don't know what's up with Slashdot lately; this is a tech news site, not a script kiddie site. We're not here to learn from famous crackers or to congratulate each other for taking big sites down. Crackers are criminals and they need to be punished. They do cause damage. The implication in the comments at the head of this are that this guy didn't really do anything wrong and so should get off... just like the 18 year old "kid" who got busted for the MSBlaster virus variant a couple weeks ago, at which time I read similarly ignorant and even stupid comments here.

      The NY Times is 2 products; an offline and an online newspaper. You knock the online version out and you've killed half the products the company offers. Advertisers need to be repaid, workers have to be paid even though they can't do any work, etc. And you're going to lose a certain number of readers to other sites, some temporarily, others permanently. I agree that the numbers here do not seem unreasonable at all.

      But then I shouldn't need to explain why crackers should go to jail. This is Slashdot, we should all understand this stuff already. There's no reason why a tech news site should favor crackers over commercial internet interests; it's all tech, it's just that one side of the issue here happens to be criminal.

      My company's web sites have been the victim of numerous DoS attacks (no, I do not work for SCO - I work for a company you guys like, though I don't really want to say which), which while using different methods amount to the same thing this guy did - it's all denial of service, and it does cost companies money. I have absolutely no sympathy for this guy and hope he gets the book thrown at him.

    8. Re:Reasonable damage figures by Anonymous Coward · · Score: 5, Insightful

      But if they had discovered this on their own, they would have still had to have gone to the same expense.

      Just because he's the only one that ever told them that he was able to do it doesn't mean that others weren't.

    9. Re:Reasonable damage figures by Morosoph · · Score: 5, Insightful

      It seems to me that engineers view security breaches very differently from most people; we're used to having to fix all bugs, and it becomes natural to think of someone who's managed to break a system as having done good; the clean-up costs are not the costs of the breach, but the costs of the bug, as yet unforseen.
      I get the impression that this is not how the average person thinks at all. When something fails, the most obvious culprit is the person that broke the system. There might be secondary concerns, but the first thing to do is to find blame.
      By contrast, the engineer is almost grateful, at least once the bug's been fixed!
      My thoughts are that people who break things without malice, although they might be in some sense "trespassing", deserve some protection, as egos do not deserve the protection of the law. The law should instead be structured so as to make secure systems more probably, ie. intelligent cost/benefit analysis is the order of the day, not ideological moaning about property and tresspass.

      --
      Wikileaks, no DNS
    10. Re:Reasonable damage figures by Evil+Adrian · · Score: 5, Insightful

      Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

      Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

      Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

      END OF STORY!

      Hacking is illegal, everyone knows it, why are you getting pissed about it? Leave other people's shit alone unless they specifically ask you to fuck with it, or you will get in trouble! That is NOT a difficult concept to grasp!

      --
      evil adrian
    11. Re:Reasonable damage figures by kfg · · Score: 5, Interesting

      One of the first things you learn when you begin working in computer security, especially as an outside contractor, is that your customers don't trust you as far as they could throw the Empire State Building.

      In fact, you will be reviled. You will have a hard time convincing many people to hire you because they're scared to death of you in the first place. Once they do hire you you will be assumed at some lizard brain level to be doing something nefarious.

      This is one of the reasons why network security is so poor. Companies are loath to allow outside security experts anywhere near the place.

      This is one of the reasons white hat hackers like Lamo do what they do. The companies aren't doing what they should, out of fear, thus leaving all the doors wide open. It's a deriliction of duty that the white hats expose to the public.

      The companies don't always take kindly to the fact that their customers then know how poorly their personal data is being protected.

      Obviously the way to handle the matter is to attack the white hat. Go figure.

      Now these same companies don't hesitate a second to call in a locksmith to handle their physical security. They don't worry that when a lock gets changed the locksmith is secretly making a copy of the key so he can break in at night and clean them out, even though this occasionally actually happens.

      Why not? Because physical locks aren't black magic beyond their understanding.

      Rather than gain that understanding they'd rather fear. Again, go figure.

      Computer security experts are like people who treat lepers. We aknowledge that they are needed, but we don't want them around our house.

      God forbid they should marry our daughter or something. We'll never sleep at night.

      KFG

    12. Re:Reasonable damage figures by greenhide · · Score: 5, Insightful


      Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

      Here's a harsh example: If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

      As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

      The faulty lock isn't a good analogy. A better analogy is that you have a normal working lock, and the person is an extremely adept locksmith who also knows how to circumvent security systems. Don't think "This Old House", think "Mission Impossible".

      These servers weren't left totally out in the open, otherwise people would be hacking into the NY Times *all the time*. I mean, wouldn't it be tempting to be able to put any message you wanted, up for viewing to many millions of people?

      I'm sure the NY Times spends a whole lot on security, and does a pretty good job at it. This Adrian fellow is a really good hacker; that's all there is to it. Any system that must connect to the Internet is inherently insecure. The people at the NY Times have probably made a very careful balance between making their servers secure, and making it possible for employees to access it from the thousands of locations across the globe where they have staff, reporters, subscription offices, and distribution and printing centers.

      I think anyone who blames the NY Times in this case is expecting too much. I'd like to see how *your* computers handle a hacking attach from this guy.

      --
      Karma: Chevy Kavalierma.
    13. Re:Reasonable damage figures by ninthwave · · Score: 2, Informative

      But he didn't mess them up. He just looked.
      Only on Yahoo has it been shown that he changed Data.

      --
      I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
    14. Re:Reasonable damage figures by Elwood+P+Dowd · · Score: 3, Insightful

      No one, least of all Lamo himself, suggest that Adrian Lamo is a really good hacker. He goes after low hanging fruit. He finds b2b systems with default passwords. He finds unpatched systems.

      The only reason he's famous is... wait... I can't think of any good reason why he's famous.

      IMHO, the analogy should be that his crime was saying, "The NYT keeps your credit card information on their kitchen table, and they don't even have a lock on their back door."

      --

      There are no trails. There are no trees out here.
    15. Re:Reasonable damage figures by Martin+Blank · · Score: 2, Insightful

      Because physical locks aren't black magic beyond their understanding.

      No, but to most people they're certainly gray magic at best. Generally speaking, people don't know how a lock operates anymore than they can explain how a password works -- it just does. The difference is that there is a tactile mechanism for it. I've found that some people trust keypads less than they trust combination locks; some have good reaons, and some have not-so-good reasons.

      Something that is usually far beyond the understanding of most people but which still engenders trust is a good combination lock. I'm not talking about padlocks -- I mean major vault locks. People trust them because they're complex, but also because part of the mechanism consists of thick bars locking into the vault walls. They can visualize significant parts of the system. Electronic security is an abstraction that many have difficulty following. Hey, sometimes even those of us in the computer security field have to scratch our heads sometimes as we try to envision what's actually happening.

      --
      You can never go home again... but I guess you can shop there.
    16. Re:Reasonable damage figures by jkauzlar · · Score: 3, Insightful
      I have absolutely no sympathy for this guy and hope he gets the book thrown at him

      Is it because he has embarrassed you by lessening your company's technical credibility? I'm not trying to troll, but I wonder if $300k really is a realistic fine to apply to someone who essentially is just spraying graffiti, breaking and entering and having a look around.

      Slashdot is not supporting this behavior, only trying to keep the possible wild misuse of government and corporate power in check. Most 'script-kiddies', at worst, are just nerds who perhaps need a public playground for their talents. Let's keep some perspective. That's what slashdot is about.

    17. Re:Reasonable damage figures by gregbaker · · Score: 4, Funny
      As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

      Ummm... you should probably be worrying about that anyway.

      I'd like to see how *your* computers handle a hacking attack from this guy.

      So would I. It's hard to know about the flaws in your system--you pretty much keep things patched, watch the logs and hope. An email from a benevolent hacker that says "You really need to change..." would be appreciated.

    18. Re:Reasonable damage figures by Merk · · Score: 2, Interesting

      Read the subject. The problem is the damage figures.

      I haven't been following the story closely, but nothing I've seen has suggested that he attacked them in any way, DoS or other.

      How did it cost the NY Times to have someone find a security flaw in their system? How much did it save them that the guy who found it didn't exploit it?

      If someone tells me my shoe is untied, I can't sue them for the time it takes me to tie the shoe. Whether I was told or not, the shoe would have been untied. At least I now know the lace is loose and I can fix it before I trip and hurt myself.

    19. Re:Reasonable damage figures by _bug_ · · Score: 5, Insightful

      Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

      Actually it may not be a clear cut illegal intrusion. If Llamo never encountered an "authorized use only" or "for NYT staff only" message then it can (as has been in the past) argued that Llamo had no reason to believe he was accessing an area of the NYT network he was not suppose to. Given that he was accessing it via the Internet which is a PUBLIC network.

      That may be why the NYT is trying to put a dollar figure to the "damage" Llamo caused. Then they can argue property damage.

    20. Re:Reasonable damage figures by dipipanone · · Score: 4, Funny

      IMHO, the analogy should be that his crime was saying, "The NYT keeps your credit card information on their kitchen table, and they don't even have a lock on their back door."

      No, his crime was the break in. Exposing the Times's idiocy was what provided the motive to ensure that that crime was prosecuted to the fullest extent of the law.

      To return to the house with the flawed lock analogy, what Lamo did was equivalent of opening your front door, and then announcing to everyone in the street that you have a taste for erotica featuring barnyard animals.

    21. Re:Reasonable damage figures by Jerf · · Score: 4, Insightful

      If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data).

      I disagree. One of the problem is that when a hacker attacks, you can't necessarily trust the logs. In fact there's a lot of people of the opinion (and I'm one of them) that unless you really know exactly which vulnerability was exploited and how it was exploited (like a common worm comes in that doesn't install a shell and there's no evidence that there was any other person actively involved in the hack), the only proper thing to do is completely re-install the system from either known-good backups (and labelling backups "known good" is itself an interesting challenge), or even from the original CDs.

      Things like "tripwire" are just that... tripwires. They really shouldn't be used to help repair the system because once the system is compromised you can no longer trust the output.

      For a business-critical machine, and well-paid admins (which you should have!), and counting downtime, $25,000 is entirely reasonable.

      Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact).

      Since fixing a vulnerability is typically a matter of applying a patch, odds are it does not account for more then $100 or $200 of the damage if it was computed rationally. Evaluation, analysis (which even if you re-install from scratch MUST be done, to see if any customer or private data was compromised), re-install, and lost business swamps that expense. Trying to talk the damage value of this down isn't really useful since it's such a small part of the value, in all likelihood.

      $25,000 is quite reasonable.

      Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money.

      Yes, this is most likely absurdly inflated.

      1 for 2 is actually a significant improvement for our system, and this is a good sign, IMHO.

    22. Re:Reasonable damage figures by Trigun · · Score: 2, Insightful

      My point was that we are categorizing criminals by the monetary damage which they cause. Is a drunk driver more guilty of the same offense if he rear-ends a Rolls rather than a Buick?

      Leave the monetary damages to the civil cases, that's what they're there for.

    23. Re:Reasonable damage figures by ziriyab · · Score: 3, Funny
      If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

      Very good point. Just one problem: If you look and weigh anything like the rest of us slashdotters, you may be setting your price a bit high. I've found that 10 cents (Canadian) is the most any one of us here can expect for our sexual services (we have to pay for the condom and flowers ourselves). The worse part is when they try to haggle and get more for the 10 cents. I once had to throw in a week of tech support for free.

    24. Re:Reasonable damage figures by Theatetus · · Score: 4, Insightful

      Yes, a total rebuild is required after any intrusion.

      BUT they have *NEEDED* to do a rebuild for a long time; Lamo simply proved that fact. If your system could have been compromised, you must assume that it has been.

      To be honest, I don't think Lamo added one cent to what NYT has to pay to fix its systems. If they were running an exploitable system, they need to rebuild and secure it. Lamo cracked them and admitted it, they STILL need to rebuild and secure it. How has he added any extra cost to their operation?

      --
      All's true that is mistrusted
    25. Re:Reasonable damage figures by Merk · · Score: 3, Interesting

      Who defines "breaking into"?

      If someone misconfigures their web server so it points at "C:\My Finances" and you surf to their site, are you breaking into their system? What if they configure it so it points to "C:\" and you click on the "My Finances" link? What if they have a default "Welcome to XXX" page but you type in the url: "http://www.icantconfigureiis.com/My%20Finances/"? What if you do a portscan on them and try to connect to a nonstandard port? What if you run a rootkit on them?

      Obviously the latter examples are reasonably defined as "breaking in", and the former ones are not, but where do you draw the line? Is it a judgement call about what someone reasonably expects you to be able to see?

      From what I have read, it is pretty obvious that this guy saw some things that he reasonably couldn't believe he was supposed to see. On the other hand, he did it all through a web browser. It's not like he was running rootkits. He was simply poking around and being nosy. The onus should be on the NY Times to have some reasonable standard of security in place that can't be compromised by Mozilla.

    26. Re:Reasonable damage figures by NeoSkandranon · · Score: 2, Insightful

      Does that mean that unless i put a "no trespassing" sign on my door you can come into my house uninvited? Even though the street from which you entered is public property?

      I think not.

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    27. Re:Reasonable damage figures by Christopher+Whitt · · Score: 2, Insightful

      Does that mean that unless i put a "no trespassing" sign on my door you can come into my house uninvited? Even though the street from which you entered is public property?

      Bad analogy - but this is /. after all.

      If you own a private piece of land, but make it into a park and invite people to use it (perhaps charging a small fee for access to some parks of the park, or maybe getting revenue from advertising on park benches), then unless you put a no trespassing sign on that special flower bed over there, I don't think it's unreasonable at all for somebody to walk over and look at those flowers.

      Did he actually damage anything besides just gaining access to the system and telling people he could get in?

      --
      Mozilla
    28. Re:Reasonable damage figures by ThisIsFred · · Score: 2, Interesting

      I can understand the "good faith" approach here in our country, but the nature of Internet-connected networks is that you may be dealing with people who aren't even on your native soil, or people that have absolutely no qualms about seriously messing-up your network, or even people who lack the maturity to exercise some restraint. This can be due to either malicious intent, different social customs, or the fact that the person on the other end is a latchkey kid bereft of character and ethics. It's a different ballgame, and social expectation is no excuse for poor security practice!

      It isn't the analog of a bank. People that frequent a bank are mostly locals, and if they are not local, they are at least fellow citizens, and they programmed from birth to follow our puritanical social customs. In addition, there is a pretty good chance that they are mature adults who have managed to budget and save some money.

      Imagine if you will this fictional example: A bank from a western culture opens up a bank in the country of Ugrabit. In this culture, it is perfectly legal to run up and grab things of value out of the hands of the unsuspecting, and perfectly legal for the potential victim to bludgeon the perpetrator with a yak's femur. Western visitors are shocked and appalled when local residents run and grab the cash out of their hands as they stand in front of the teller. Westernized bank employees also refuse to beat the perpetrators senseless as it goes against their beliefs. Is it the fault of the locals? No! The bank didn't understand the potential hazards before placing themselves in harm's way.

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
    29. Re:Reasonable damage figures by Lightwarrior · · Score: 3, Insightful

      > ...IT'S ILLEGAL TO DO SO.
      > END OF STORY!
      It's not that simple.

      One of the founding principles of the USA is that "right" and "wrong" can change over time - hence the ability to modify our set of laws. As another poster pointed out, slavery was legal for quite some time - that didn't make it right, and people were forced to take action to make it illegal.

      Free speech is one of the methods given to US Citizens to let the government know how we think they're doing. However, as has been shown innumerable times over, sometimes doing something "illegal" is necessary in part of the protest. There are times when people won't see how silly a law or rule is until it is broken repeatedly in front of their noses.

      We're living in a time when more and more of our information is becoming more and more accessible. There are people out there whose intentions (good or ill) are not being backed by reasonable security. Accessible personal information and light or no security do not mix well.

      I'd greatly prefer it if we could live in a world where everyone could be trusted "to behave". If we could trust people not to break into each other's homes, we wouldn't need door locks. Sure, it's illegal to break into another person's home - but does that mean that you don't need to lock your door?

      Or that you should never check your door to be sure it's locked?

      Most importantly, are you willing to take the risk of leaving personal, private, or otherwise valuable information or things laying around, in plain view, behind an unlocked glass case (alarmed though it may be)?

      Every time a case like this gets into the newspapers, it is a bold reminder to corporations that they are at risk. Without a threat of loss, security grows lax. Be greatful this person did not act with a significant malicious intent, and learn from it.

      -lw

      --
      Mods: Disagreeing with me != my post Offtopic / Flamebait.
      World without hate or war, invaded. Tragic?
    30. Re:Reasonable damage figures by JVert · · Score: 2, Interesting

      I bought a car alarm for my car. If I find someone trying to break into my car, can I charge the burgler for the cost of the alarm?

      outragous? yes.

      I bought a car alarm for my car. If I find someone trying to break into my car and need to update my car alarm, can I charge the burgler for the cost of the NEW alarm?

      outragous? HELL YES.

      but.. whatever, its a computer crime, i'll strangle the terrorist myself.

    31. Re:Reasonable damage figures by Jayzz · · Score: 3, Insightful

      This guy left a memo to notify the security holes. That proves he was aware that he was intruding.

    32. Re:Reasonable damage figures by commodoresloat · · Score: 3, Insightful
      If a computer does not belong to you, you are not supposed to access it without explicit or implied permission.

      Arguably, leaving port 80 open constitutes implied permission. Nobody expects me to get a signed note from CmdrTaco every time I visit slashdot.org. On what basis can a prosecutor make the claim that leaving port 23 open does not constitute the same kind of implicit permission?

    33. Re:Reasonable damage figures by Slime-dogg · · Score: 2, Interesting

      That's why you employ two or three of them remotely, without telling them about eachother. Any back doors that one of them puts in, the other will find, and vice versa. As long as they don't know about the other(s), you should be in the clear.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    34. Re:Reasonable damage figures by martyros · · Score: 2, Insightful
      I certainly see where you're coming from, it's the first thought I had in response to this one.

      But remember, there are already tons of government agencies that do inspections of all sorts of things. Aren't you happy there are health inspectors? And the SEC, the FDA, the EPA, and so on? Aren't you glad that governments test the water regularly and investigate corporate polutants and such?

      And remember the focus: not private individuals in their homes, but large corporations who should be protecting your private data, but may not be. The only ones holding them accountable are illegal hackers like the ones in this story; this makes all the wrong incentives for large companies. Why secure your data, when you can just press charges against anyone who exposes your weakness?

      I was at a conference recently, and one of the talks was given by someone from the NSA. After introducing himself, he sad as an aside, "By the way, I just want to assure you that all the people I know at the NSA, FBI, etc take their vow to uphold and defend the Constitution of the United States very seriously -- and that includes the first and fourth amendments. We're not part of some government conspiracy to take away your liberties, but to protect them." And that's why the vow is not allegiance to the government -- which may be good or bad, honest or corrupt -- but to the constitution.

      It's always a good idea to keep a suspicious eye on the government, especially in cases like this. But when people suggest that Bush is working up to institute a military coup, it shows that they're completely ignorant of what the US military is like. The military is made up of Americans, who hold the same values of freedom and liberty that you do. You can bet that if their superiors told them to be oppressive to other Americans, they'd tell their superiors to go to hell.

      --

      TCP: Why the Internet is full of SYN.

    35. Re:Reasonable damage figures by bareminimum · · Score: 2, Insightful

      However in that case all these costs bump up because they're made in a high alert situation. Think about overtime, outside assistance, express delivery of equipment, etc. Security by obscurity is a bad thing, but the corrolary of that is that in the case of a break-in you cannot afford to fix problems at a reasonnable pace, mainly because of the publicity.

      You might say that the victims are responsible for the publicity, but that's not true. Who knows when and where that goof who just broke into your system bragged about it.

      There is a direct consequences between a break-in and the extra costs. The same way if someone breaks into your house. You will immediately replace your locks for better ones even if the nature of your belongings doesn't justify it. Simply because you do not want to live through the same ordeal again.

      If I break into your house, you will have to make a full inventory in order to establish what had been stolen... Then you'll have to change all your credit cards, financial info, etc. etc. Simply because you never know. That takes time, don't you agree?

  3. Useful links. by sekzscripting · · Score: 5, Informative

    Here's a few extra (useful) links: free lamo - adrian support site [run by kevin mitnick's girlfriend], the screen savers - shot video of adrian moments before his surrender, trigger street - running a documentary on hackers, currently they're following adrian's story..

  4. Negotiated? by bobthemuse · · Score: 3, Interesting

    "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."

    You have to negotiate for this now? So if they never tell him what he's charged with, can he get a reduced punishment? :-)

    1. Re:Negotiated? by jdunn14 · · Score: 2, Informative

      I believe the issue is whether the charges are publicly disclosed. He would have to know that the charges are in order to defend himself, but the nature of the charges might not see the public light of day without the negotiation.

  5. Quick.. by grub · · Score: 5, Funny


    Start printing stickers that say "Adrian" which you can apply over the word "Kevin"..

    --
    Trolling is a art,
  6. Lexis/Nexis and NYT by Speare · · Score: 5, Interesting

    What would you want to bet that Lexis/Nexis just winks and nods at their huge customer, The New York Times, Inc., and waives much of the actual charges that resulted from automated searches on Adrian Lamo. At their prices, there is probably still over $25K worth of manual labor involved... Lexis/Nexis is a premier service with some amazingly in-depth methods.

    Plus, the scouring job that's required by NYT's IT department to ensure there aren't any new "easter eggs" in their system will go into significant coin too. I don't agree with the preposterous insurance-claim oriented figures that go into these 'cracking' news stories, but you can't just trust a superficial system cleanup after being cracked.

    --
    [ .sig file not found ]
    1. Re:Lexis/Nexis and NYT by exhilaration · · Score: 4, Insightful
      You forgot the costs of retraining new network admins after firing the incompetent fools that left the NY Times network wide open.

      Oh wait, those fools are probably still employed, and they're probably the ones doing the "scouring".

      Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.

  7. Leave the poor guy alone... by Anonymous Coward · · Score: 5, Funny

    The man's name is Lamo. Hasn't he suffered enough?

  8. Re:Damage is damage by exhilaration · · Score: 2, Informative
    If someone hacks a site, and it goes down for a day


    He never caused a site to go down, troll. RTFA.

  9. you know what to do by SirSlud · · Score: 4, Insightful

    Jail that obviously highly intelligent individual!

    Yes, I'm joking. This kid sounds like a bright fish .. why jail him? Surely he can contribute in a positive way to society? It sure sounds like he doesn't have any malicious intentions other than prove what every engineer knows - you often need to experience failure before you address a weakness in your design. Better to have failure 'encouraged' by a guy who's willing to help you lock down your network after the fact than some dude who gets in the door and heads straight for client lists, credit info, etc ..

    --
    "Old man yells at systemd"
  10. Uh - shouldn't they sue themselves? by teamhasnoi · · Score: 2, Interesting
    They left the site open. Do I get to sue Microsoft for servers that I don't patch? (Please?...)

    Besides, I'm thinking that there was more than 300,000 dollars worth of damage to their reputaion after this.

    They need look no further than their own offices to find fault.

    1. Re:Uh - shouldn't they sue themselves? by greenhide · · Score: 4, Insightful

      Hmmm... I have a feeling they didn't leave the site open. They just didn't make it unhackable.

      It seems like this Adrian fellow is a pretty adept hacker. It's probably not easy to break into Yahoo and similar sites.

      Here's a good analogy: Say someone is a great locksmith, and he breaks into your house, snoops around, reads private information that you have locked up in your cabinets, and then uses your phone to make a bunch of long distance phone calls. Should this person be held liable, even if they are willing to give you, for free, a "Brand New Burglar Detection System"?

      Hell, yeah, they should. I personally have a hard time believing that Lexis Nexus really would have charged NY Times $300,000 for the searches that Adrian did -- surely they can't be that expensive -- but otherwise I believe that yes, he should pay for his actions.

      If someone breaks into my car and crashes it into someone's house, I shouldn't be held liable, he should. Just because I left it unlocked (or locked it, but didn't use the Club) does not make me culpable.

      And yeah, the New York Times had a real image problem when one of their reporters turned out to be a real idiot. It's possible that a few of their advertisers jumped ship. But it seems like they're doing fine now, especially since they were so open about their mistake and showed a willingness and intent to improve.

      If Adrian is such a great damn hacker, why doesn't he just go straight to the corporations and say, "Look, I know that I can hack into your system. How about you pay me to make it more secure." Rather than hacking in, and then saying, "Hey, let me make it up to you by showing how to secure it for free." See, that way, he gets money instead of going to jail.

      Now that the NY TImes has pressed charges, I don't see anything that will get him out of this situation. He probably won't get a lot of time in jail, and hopefully he will be able to work out some kind of agreement where he offers his technical expertise and knowledge to offset some of the costs he incurred.

      --
      Karma: Chevy Kavalierma.
  11. Adrian Lamo Surrenders by Morosoph · · Score: 5, Insightful
    This story makes me sad. The judge had a "last minute" idea, "Oh yeah, let's ban him from using computers", probably the only thing that really gave purpose to the life of a tramp. Getting a "real" job cannot be a substitute, and as The Register points out, Adrian wasn't exactly writing viruses. Quote:
    Following the recommendation of a federal pretrial services officer who interviewed the hacker in custody, Hollows ordered Lamo to obtain full-time employment or enroll in college pending trial. The ban on computer use was the judge's idea.
    "This whole business of computer hacking, viruses and so forth is getting very wearisome," said Hollows, explaining his thinking from the bench.
    There is something depressing about the whole "join society" ethos, that is, conform to everyday mediocrity.
    --
    Wikileaks, no DNS
    1. Re:Adrian Lamo Surrenders by cindik · · Score: 4, Insightful

      I wonder how many "real jobs" are left that involve no contact whatsoever with computers.

      --
      Terrycloth Lobster
    2. Re:Adrian Lamo Surrenders by BrynM · · Score: 3, Insightful
      Enrolling in college is out too. Nice of the judge to be so considerate.

      Funny enough, I heard he was in town (I'm in Sacramento) by spotting him being interviewed by a local newscaster last week. I was wondering if he was still around because I recognized the place he was interviewed at. Does anyone know if his parents live in this area?

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
  12. "damage" by TheSHAD0W · · Score: 3, Interesting

    Just because you catch me strolling across your yard doesn't mean I should pay for having it fenced.

    1. Re:"damage" by stratjakt · · Score: 2, Insightful

      Your trespassing fine will wind up paying for increased police patrols of my neighbourhood.

      Now enough with the stupid analogies.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:"damage" by TheSHAD0W · · Score: 2, Insightful

      It's by no means a perfect analogy, but it's better than the one alluded to by the "hacking" label. If I took a fire axe to your front door, then by all means, I should owe restitution to replace the door, on top of whatever actual damage I did. But if you took that opportunity to demand I pay for an expensive solid-steel door when the one I smashed was cheap, hollow wood, then you would, in my opinion, be taking unfair advantage of the situation.

      In this case, not even a hollow door was "hacked apart". Security was bypassed, not destroyed. No vulnerabilities were induced that weren't already present, and which would have persisted if the attack hadn't taken place. So how is it right to demand he pay for upgrading that security?

  13. Macki's take... by Anonymous Coward · · Score: 2, Informative

    While guest editing BoingBoing's mini-blog, Macki posted his opinion.

    "Marlowe" offers up some Timothy Leary on the message boards.

    What are we really feeding into here?

  14. How old are you? 5? by NDPTAL85 · · Score: 4, Insightful

    Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?

    Now imagine word spreads about this type of behaviour with no consequences (jail time). Now you'll come home every week or 2 or 3 times a week to some unauthorized person sitting in your living room? Is this what you want? Its just fine and dandy because the intent is good right? What? Road to hell? What? Paved with good intentions?

    --
    Mac OS X and Windows XP working side by side to fight back the night.
    1. Re:How old are you? 5? by 91degrees · · Score: 3, Interesting

      Why are you comparing it to your home? He hacked corporate servers! It's more like finding an intruder has manged to get past your security and knocked on your office door.

    2. Re:How old are you? 5? by 511pf · · Score: 2, Interesting

      Let's change the scenario, shall we? I drop my keys next to my car in a parking lot. Someone picks them up and tries my lock to see if they have the right car. They do, and they go through the car looking for an address and phone number. They find my business card and call me at work to give my keys back. Do I charge them with breaking and entering? Hell no. I give them a $20 for not allowing anyone else to steal my car.

    3. Re:How old are you? 5? by chazzf · · Score: 2, Insightful

      (although the servers are on the net, which makes it a little sticky, but not much. You can let your buddies use your basketball net in your driveway as a rule, but that doesn't mean they can hang out in your pool. )

      Not sticky at all. My house is located on a public street. Still makes it illegal to break in. Think of a private network at a gated community...

      --
      No statement is true, not even this one.
  15. Re:Damage is damage by sixdotoh · · Score: 3, Insightful
    plus a hit to their reputation

    parent is somehwat a troll, but anyway...

    a hit to their reputation? unless the business is some kind of computer security company, or ISP, i would wager that it does very little to their reputation. come on, any other company (especially outside of any IT related company), which of their customers is even going to *know* the site was hacked. how many of those people are going ever hear that the site was hacked... if they couldn't access they site, they would probably just think their own internet connection was screwy at that time, or just accept the fact that they couldn't access the certain site (happens all the time) and think little of it.

    i'm not trying to defend hackers, i'm just trying to set that misconception straight.

    --

    This post was brought to you by the number 584811 and the characters / and .

  16. Re:Outcome? by Lumpy · · Score: 2, Interesting

    first off you need to remember that Judges are first and foremost lawyers. that's what they were before they were judges.

    and anyone that would expect that an Ex-lawyer is fair or honest in any way is a complete fool.

    This judge knows nothing about what he is passing his "judgement" on and therefore is incapable of hearing such a case.

    The entire judicial process in the United states is based on "who has the most influencial or resourceful lawyer" not who is innocent or guilty.

    it hasn't been about innocence or guilt for 50 years.

    --
    Do not look at laser with remaining good eye.
  17. Guess he understands time-space warping too by mactari · · Score: 3, Interesting

    From The Reg:
    Under the terms of his release, Lamo's future wanderings will be confined to the northeastern half of California, and southern New York state, unless he gets prior approval of the court to travel elsewhere.

    Hrm. Wandering from NE Cali to south NY w/out going anywhere inbetween would seem about as easy a commute as getting from the West Bank to the Gaza Strip.

    Then they tell the fellow he can't use a computer but has to get full-time employment! I imagine anyone savvy enough to Slashdot can see the irony there. ;^)

    To completely switch gears, did anyone else find it weird that a paper would have SS#'s for people who have written op-ed pieces [for Lamo to find]? I suppose that implies they were *paid* for the pieces, but it still seems a bit strange.

    --

    It's all 0s and 1s. Or it's not.
    1. Re:Guess he understands time-space warping too by stratjakt · · Score: 2, Interesting

      Then they tell the fellow he can't use a computer but has to get full-time employment! I imagine anyone savvy enough to Slashdot can see the irony there. ;^)

      Yeah, he can get a job waiting tables. Or shovelling shit. Or flipping hamburgers. Tough shit for him.

      Pedophiles are ordered to stay away from children, 'r337 hax0rz' ordered to stay away from computers. Makes perfect sense. You commit a crime, you give up some rights.

      --
      I don't need no instructions to know how to rock!!!!
  18. Don't Reward Burglars, or This Guy by reallocate · · Score: 4, Insightful

    Sounds like a kid with an inflated ego and a bit of a Robin Hood complex.

    I wouldn't feel like thanking someone who broke into my house while I was on vacation, nosed around in my papers, and then told me about my "security problem" when I returned home. Why would I, or any business, reward the same kind of behavior inside someone else's network? Both examples are, at minimum, illegal invasions of another's property.

    Businesses that didn't press charges against this guy were negligent and only encourage the phony notion that crime on a network isn't serious.

    --
    -- Slashdot: When Public Access TV Says "No"
  19. You play with fire... by Rolken · · Score: 2, Insightful

    You get burned. Anyone who breaks the law and flaunts it is going to get caught, regardless of how honorable his intentions. Laws do not only exist to punish "bad guys;" they exist to make society an orderly place, and people who run around hacking others' servers willy-nilly are going to be causing chaos (ie the costs of the IT department figuring out wtf's going on with their network, as someone else mentioned). Awhile back the DoD conducted an authorized hacking of their system (with unpleasant conclusions). That is what needs to happen, because when dealing with gray areas there're shades of black. Remember the "good" anti-Blaster patching worm, and how it shut down systems in Canada because of its overly eager replication? It's foolish to presume that we should trust in the skills of a lone ranger. Get off yer high horse, cowboy.

  20. Re:Disclosure by Monk[Deviant+Form] · · Score: 3, Funny

    maybe hes a terrorist now?

  21. Letting others protect you by tarnin · · Score: 4, Insightful

    This is again along the lines of "We dont really want to make sure were secure so we'll just sue/have arrested anyone who finds anything." These are also the same people who loby the gov to pass laws to do this. It's amazing how little people acutally care about how secure their network or computers are and instead care more about huge fines and sentences so they can keep their networks insecure.

    None of this has ever made any sense to me. Why is it that leaving a network insecure is fine and dandy but someone comming along and finding out its insecure then entering it a bitter no no then breaking and entering into a house? Didn't we learn long ago to close and lock our doors at night and when we where away? Some of these security holes are equvilant to a wide open window with no screen in it while were on vacation for a month. Yes, its still illegal for someone to enter the house and steal someting but doenst common sense tell us "Hey dummy, close and lock the doors and windows!".

    I'm also wondering if they have any case on this. Didn't the NY Times take his help originaly to secure the network? I know the statue of limitations hasnt paned out on this but at some point someone kinda has to say "Ahh well why are you taking him to court now after he helped out originally?". Just another "See what we do to these bad bad men!" cases.

  22. Next story : AP Under Attack by Zork+the+Almighty · · Score: 4, Funny

    TOP STORY : The Associated Press website is under attack. A flood of connection attempts beginning at 02:52PM Eastern time have rendered the website unavailable. Initial reports suggest that this attack originates from an organization known as "Slashdot", however it is unclear whether this is a terrorist organization or whether terrorism is involved.

    --

    In Soviet America the banks rob you!
    1. Re:Next story : AP Under Attack by FireNIce · · Score: 2, Funny

      This was a bad link

      Here is the correct one:
      http://customwire.ap.org/dynamic/stories/H/H ACKER_ ARREST?SITE=RANDOM&SECTION=HOME&TEMPLATE=DEFAU LT

      For the record there is nothing wrong with AP's site.

  23. Re:An open door is an invitation by Rolken · · Score: 2, Insightful

    "Most, if not all of them, left gaping holes that amounted to revolving doors at the front end of their networks." If I left the door to my apartment open and someone randomly walked in, I wouldn't be asking him if he wanted something to drink. No one said it had to be hard to be illegal.

  24. he should've seen this coming by geeveees · · Score: 2, Insightful


    He accesses somebody his network, tells them about it "oh but hey i didn't do anything bad".

    If YOU were the sysadmin in question, would YOU believe him? No you'd have to check all your systems... And that costs money (=damages).

    --
    I am a viral sig. Please help me spread.
    1. Re:he should've seen this coming by Hatta · · Score: 2, Insightful

      yes they might have to rebuild their machine (or network) from scratch. But they'd have to do that anyway if they got cracked by a malicious hacker which is really just a matter of time. You have two options. If adrian hacks your site, you have an insecure site and you know about it. If adrien doesn't hack your site you have an insecure network and you don't know about it. Which would you choose?

      --
      Give me Classic Slashdot or give me death!
    2. Re:he should've seen this coming by Kwil · · Score: 2, Insightful

      Three options, actually.

      1. The site isn't hacked so remains insecure and I don't know about it. My concern: none. By definition. I don't know about it. I probably think my system is secure. It's not a good situation, but that's the truth.

      2. The site is hacked and the hacker lets only me know about it. My concern: medium. I'll get my IT guys on it, they might have to put in some overtime making sure that not only are all the holes we were told about closed, but that no new ones were inserted. A possible loss of data may occur as we restore to backups from before the hacker's entry date.

      3. The site is hacked by a malicious hacker and we don't find out til later. My concern: high. My IT guys need to drop what they're doing and find the holes and close them. There may be a loss of data as we try to go back to a prehack version and close the holes there. Some damage control may be needed depending on what was done.

      4. The site is hacked and the hacker lets the world know about it. My concern: extreme. My IT guys need to get EVERYTHING fixed RIGHT FRIGGING NOW, because now any malicious hacker is aware that holes exist, so will be banging on the doors to try and find it. This means shitloads of OT for the ITs, possible loss of data because of the need to return to pre-hacked backups before fixing the provided holes, and on top of this means we lose business credibility which costs us untold amounts in future business. Damage control is a necessity. Thanks so much Mr. Supposed White-Hat.. more like asshat, so far as I'm concerned.

      --

      That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze

  25. Personal case by Anonymous Coward · · Score: 5, Interesting

    (Anonymous for obvous reasons)

    I don't live in the US. In my early days on the university I was involved on a serious case of hacking. Being a nerd for network security I once told a university network administrator, that happened to be a good friend of mine and a student of one of the classes I gave at the time (on network security) on a institution unrelated to the university, that the university network was 'easy hackable', he challenged me for a proof and I responded. About four months later I found myself in deep trouble: my network account was surrendered and all my e-mail was analyzed by the network administrators. For some reason (only known to a 18 years old) I had sent an email to a friend telling him that I had cracked about 2000 passwords on the university network.

    It turned out that since my 'friend' spoke with me he went with his superior and 'bought' a promotion for turning me in. The only proof they had was the email and a private conversation recorded without my permission (by a university student, not a government office) where I admitted to have cracked the university super-computer and a cluster to write, compile and run a distributed program that kept running for a little over two months (without anyone noticing it, it stopped running because I decided to stop it).

    To get on-topic: They claimed that my actions had caused over US$ 100K. After 6 months of trial (where I has assisted by some great voluntary people) I walked out with a restraint to use any university computer for 4 years, and being unable to create accounts for any ISP in the state for 2 years.

    The morale of the story is this: You fight. And fight hard. If you do so the people will support you, because you are fighting from the right side. Take it to the end, at some point justice will be served.

    1. Re:Personal case by Anonymous Coward · · Score: 2, Interesting

      I demonstrated the flaw on the system. I did so upon request. I said he challenged me for a proof and I responded, I sent them a anonymous encrypted copy of the 2000 passwords cracked and a set of steps to correct the flwas (basicaly ditch the DES encryption and use SHA-1 or MD5 hashes).

      I (wrongly) talked about having used their own super-computers to write the software to crack the passwords after the whole issue went public. In the end I got away with it, I didn't get expelled, but my action caused some incompetent sys-admins to get fired (including the one who managed to tape me) and the security meassures to be increased. I had acces to all the students grades, but didn't do anything, and in the trial that was used on my favor.

      I did some things wrong (brag about it twice), and certainly illegal, but morally everything I did was correct, and I'm proud of it (and my family is, my friends are and I have gained some new unexpected new friends among the people that prosecuted me, one of them even offered me to become one of his students).

      In the end, the real porpuose that was aimed by my actions was served, but I had to fight hard. I lost one semester in the whole trial, I almost lost my job (it was widely covered by the press), and four semesters later I dropped out of the university to work on network security.

    2. Re:Personal case by Anonymous Coward · · Score: 5, Funny

      Oh yeah? Well I cracked a gajillion passwords in 5 minutes with my Casio calculator watch. And then they made me president of the company.

      So there.

    3. Re:Personal case by CharlesEGrant · · Score: 2, Insightful
      I did so upon request. I said he challenged me for a proof and I responded, I sent them a anonymous encrypted copy of the 2000 passwords cracked and a set of steps to correct the flwas (basicaly ditch the DES encryption and use SHA-1 or MD5 hashes).

      Obviously I wasn't present during this conversation, but unless there is more to it then you include here, I think you have some serious problems in communicating with your fellow humans. I know if I asked somebody for proof that my systems were insecure I would be thinking more along the lines of "please describe in detail the vulnerability" not "please try to crack my system". If you really believed that you had a legitimate invitation to try to crack the system why did you submit the evidence anonymously?

      ....certainly illegal, but morally everything I did was correct

      I think you have a very narrow view of morality then. Greater harm justifications only work if the questionable action was the only way to prevent the greater harm. Why didn't you just document the vulnerability and work your way up the chain of responsibility? (I mean immoral here as reading somebody's diary without permission, not as in assault or extortion.)

      The legal penalties attached to cracking are just as much a part of the security infrastructure as encryption. Heck, if unauthorized network intrusion was a simple infraction punishable by a $10 fine I'd probably be wandering around my neighbor's unsecured wireless network right now.
    4. Re:Personal case by CharlesEGrant · · Score: 2, Insightful
      quite honestly, morals are the only thing keeping most people out of wireless networks.

      True, and I will confess to a rhetorical exaggeration, but I still think there is something to my point. I was just setting up my own wireless LAN last week, and I was blown away by the number of networks I was picking up that were broadcasting their default SSID and were apparently unencrypted. Since I was getting a better signal from some of these networks then my own it was very tempting to connect to them and just nose around a bit. My internal conversation went something like:

      1. "Hmm. I wonder what I'd see if I connected to "linksys".
      2. "That would be rude. You haven't been invited."
      3. "It might also be illegal."
      4. "How in hell would they know?"
      5. "It might be a honeypot and Fry's probably gave your Visa card number and MAC address to Interpol and John Ashcroft."
      6. "Give me a break."
      7. "Never mind all that, it would still be impolite to connect without an explicit invitation."

      As you correctly point out my primary motivation was my personal sence of morality (or at least propriety). However the legal aspect did cross my mind. I didn't want to get in trouble over a matter of idle curiousity.
      ... talking about these omnipotent laws
      I didn't say that laws were omnipotent, I said that enforcement of the laws was one component of the security infrastructure. Legal sanctions don't discourage all, but they discourage some. Encryption doesn't solve all security problems, but it helps solve some. It is my experience that "fear of getting in trouble" is an important regulator of people's behavior. If nothing else it reinforces their own sense of morality when it is undercut by conflicing impulses like curiosity.
  26. Why did he turn himself in? by Alioth · · Score: 3, Insightful

    Wonder why he turned himself in? If I was in his shoes, I'd go on the run because:
    * it seems like anything to do with hacking == terrorism. Justice won't be served, long prison sentence
    * being obviously young, not particularly bad looking and probably not physically strong means almost certain prison rape.
    * already leading a nomadic lifestyle so why not continue.

    However, in his position, I'd probably no longer publicise what I was up to. I think he has made some grave tactical errors in letting his identity being so publically known (and this is why he probably decided not to stay on the run, because his photograph has already been so widely published).

    I hope his punishment is in proportion to the crime though - not some arbitrary "war on terror" sentence.

    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  27. Re:Disclosure by SunPin · · Score: 2, Insightful

    Indeed. But don't get too ticked off on /. or some jackass is liable to moderate you as a troll.

    The "damage" was irrelevant. He typed his name into Lexis-Nexis. Big stinking deal. The New York Times should be shot for leaving their data unsecured. There were significant people in those lists that were put at risk NOT because of Mr. Lamo. They were unbelievably lucky that some happy-go-lucky dork was nice enough to point out the flaws before a Black Hat got to it.

    --
    Laws are for people with no friends.
  28. Re:Outcome? by stratjakt · · Score: 2, Insightful

    Who cares if you like how people use the word 'hacking'. It's irrelevant. I don't like that people who trade xbox games online call them "isos".

    I agree with the judge. I'm sick of asshat 14 year olds thinking it's open season to screw around with other people's property. It doesnt matter if I have the latest kernel patches or a club and locking boot for my car.

    The point is, it's mine, not yours. Mess with it, and pay the piper.

    --
    I don't need no instructions to know how to rock!!!!
  29. Good Luck Adrian by SunCrushr · · Score: 3, Funny

    Good luck at your FBI job interview... er I mean hearing on Thursday.

  30. Correct AP Link by jh6p · · Score: 2, Informative

    If you see the map of the US on the AP website you need to specify a newspaper.

    Try this link that says you read the headline on New Jersey Online:

    http://customwire.ap.org/dynamic/stories/H/HACKER_ ARREST
  31. Looks like he pissed someone off by TyrranzzX · · Score: 2, Insightful

    The Times called the FBI after Lamo browsed sensitive data on its computers, including Social Security numbers for celebrities and government officials who are among the 3,000 contributors to its op-ed page.

    Sensative data, sounds like he got more than cc numbers. Also sounds like he has a political ageda, which is ok by my book. You can get lotsa info off of the Nyt's internal system; memo's, drafts, omitted papers, letters from people with political agenda's....

    In any case, this is akin to breaking into a musieum to steal stuff, and instead of stealing he took pictures (very exact ones) and left a how-to note. He didn't damage anything, he showed them security holes in exchange for internal data. They don't like the internal data getting out...

    BTW, any good company will resecure their systems after any consultancy and scour it for software; some firms can't be trusted.

    --


    Candy-Coated Knowledge

  32. You got it by DesScorp · · Score: 4, Interesting

    We'll never know who the best are. Because they're SMART ENOUGH NOT TO BRAG ABOUT IT IN PUBLIC.

    All sarcasm aside, I once heard Prof. Gene Spafford of CERIUS say that some of his best students had simply dissapeared from the face of the Earth. He suspected that they were either recruited by Government organizations, or major corporations; and he was afraid that some even went to work for organized crime.

    THESE people are the real pros. They get the job done, get paid, and quietly move on. They could live next door to you, and you'd have no clue that they crack heavily guarded systems for a living. For every Adrian Lamo or Kevin Mitnick, or even Peter Shipley for that matter, there are a half dozen guys way better that you'll never hear about.

    --
    Life is hard, and the world is cruel
    1. Re:You got it by dasmegabyte · · Score: 3, Insightful

      Not necessarily. It is just as likely that there are no really great hackers. For one thing, there's no proof that there are anythin other than the self important run-of-the-mill kind of hacker other than creepy speculative statements made by self important members of the "security" community. I know a lot of smart people who disappeared off the face of the earth too. Once in a while I rediscover them, working in coffee shops or as security guards at the zoo. They dropped contact when they gave up on intellectualism for a life of hedonistic pleasures like having friends and making a little money.

      You know, it's funny...as much as people here hate on Microsoft for using FUD tactics, they seem to okay the computer security industry using the same tactics to scare people into buying expensive security audits. Better buy a new firewall...Bigfoot broke the cisco backdoor and the Loch Ness Monster could be SSH'd into your daughter's underwear drawer right now and we'd never know because they're using special Voodoo IP addresses that cannot be logged!

      See, hackers work by writing code to exploit bugs. It is impossible to write code that is bug free. It is just as impossible to write exploits that are bug free (see: that blaster "fix" that did as much "damage" as the worm did). As such, it is impossible to write code that is completely indetectable. There are bound to be bugs in the indetectability. So this whole idea that stealthy ninja superhackers are sliding in and out of our nation's mainframes without anybody knowing is something I tend to place in the same realm of fiction as bible code.

      And if you were "good enough" to write invincible code, it seems to me you could lead a much better life without this stupid Swordfish subterfuge, teaching your methods to senior programmers across the country for big bank. Shit, I'm sure MS has an opening somewhere. The New York Times definitely does.

      --
      Hey freaks: now you're ju
  33. LexisNexis services for $300,000? Yeah, right. by azaris · · Score: 2, Interesting

    Private individuals using LexisNexis for viewing court doduments will be charged $9 per document (not by search). I'm sure the NYT gets some kind of volume discount. This means Lamo would have had to fetch over 30,000 documents to rack up such a sum. Now assuming your average legal document is ten pages long (many are shorter, some are way longer) that makes 300,000 pages worth of legal documents. A full bookshelf of legal reference material. Why am I not buying this?

    How much are you willing to bet the NYT took their monthly (yearly?) bill from LN and claimed that since Lamo had illegally benefitted from access to that material, he should pick up the whole tab?

  34. Aacch! by gfxguy · · Score: 2, Insightful

    You know, there is NO excuse for this criminal activity. There is a great expense to keep computers/networks/homes/cars/people secure. The reason for this expense is the criminal, the criminal should be made to pay.

    I know it's a non-existent utopia to think that criminals should pay for security systems, but think of all the waste that goes into security because of people doing illegal things. Stop blaming the victems, they were NOT "asking for it" anymore than anyone "asks" to get raped or robbed.

    Are you going to blame rape victems for not wearing chasity belts? Where does it end? If you absolutely want to prevent yourself from being raped, you'd have to wear one, wouldn't you? But that's a pretty rediculous extreme, isn't it? And you'd probably get beaten anyway.

    Do not tell me they didn't have ANY protection on their website - someone went looking for specific exploits, they didn't stumble upon them randomly, it was a conscious choice to do something illegal. Where does it end? The fact of the matter is people should just respect other people and their property.

    Do not stand up for this guy just because he's a hacker like us against a big stupid company. What he did was wrong! The blame goes to the criminal, not the victem.

    --
    Stupid sexy Flanders.
  35. Do you know who was the most successful hacker ? by ChaoticLimbs · · Score: 2, Funny

    And neither does the F.B.I..

  36. Re:Get a full time job, or enroll in college by Cederic · · Score: 2, Insightful


    Sentencing someone intelligent to mind-numbingly boring manual labour is pretty close to cruel and unusual punishment.

    I'm currently unemployed. I could go out and get a job at close on a hundred different places within a week, if I decided to do labouring, shelf-stacking, bar-work or similar levels of work. In practice I'd rather watch my savings deplete, because then I can engage in intellectually stimulating activities instead while looking for a job that I can enjoy and commit to.

    Being banned from using computers is harsh too - he can't work at McDonalds, they have computerised cash registers. He can't go to college, it's effectively impossible to get through college without a degree so far.

    And as the original poster indicated - he has to apply for work/college with the possibility of an indeterminate period of absence happening.

    On another issue, just what on earth is it to do with this judge if this guy isn't working? Is being unemployed and not in education a crime these days? If so I better not go to the US, because that's me..

    ~Cederic

  37. Explaining the LexisNexis figure by psxndc · · Score: 4, Informative
    A lawyer friend of mine told me once that services like LexisNexis and Westlaw charge their clients something like $500 per search. Not per session. Per search. Think about that the next time you search on google, don't like what you get, and search again. Pretty easy to see how he got up to $300k that way.

    psxndc

    --

    The emacs religion: to be saved, control excess.

    1. Re:Explaining the LexisNexis figure by Anonymous Coward · · Score: 3, Informative

      Not only that... the "scope" of the search can have a value as well... a single "mega search" that goes into the same records that the NSA, FBI, Homeland Security, TSA use [lexisnexis is one of the companies that houses some of the data that those orgs use] costs the law enforcement only $~50 a search as part of a reciprical contract, but is sold to lawyers/general public at $7000-$12000 a SINGLE SEARCH.....

  38. I say again by BortQ · · Score: 3, Insightful

    Get a slashdot interview with this guy.

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
  39. "Harsh Example" = Poor Example by Idou · · Score: 2, Interesting

    "If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?"

    No, let's say you have cancer, but you don't know it, and you are not getting proper check-ups so you aren't going to find out. Some self-proclaimed doctor rigs the urinal you are about to use so that he can get a sample of your urine. He then takes the sample to his lab in the basement (without your knowledge) and performs a urinalysis. When he discovers you have cancer, he fully discloses to the world (without your permission 'cause he knows doctor-phobes, like yourself, would never give him permission) that you have cancer saying, "See how screwed up it is not to get regular check-ups at the doctor's office. This guy had CANCER, and he was going to DIE just because he refused to get check-ups." In other words, the social issue takes priority to the individual's rights.

    Now, regardless of whether you agree with this or not, you have to admit that this is more accurate than the "sex" analogy. If you can come up with a more accurate analogy to what actually happened, by all means post it, but arguments supported by poor ananologies are poor arguments, regardless of the core ideas behind them.

    --
    Sdelat' Ameriku velikoy Snova!
  40. Anyone even see interview with Lamo? by barks · · Score: 2, Interesting

    I remember a classic episode of The Screen Savers in which Mitnick and Woz were hosting the show. One part Mitnick interviews Lamo...and he asked rather simple questions like "Now I use to hacker b/c I was curious why do you do it?"

    All of Lamo's responses were rather "crackhead" like...I'm not trying to knock the guy, but it didn't really seem he had an answer for why he hacks...not because he's curious or because he's trying to help companies...he just kept saying that he considered himself "at the right place at the right time".

    It's possible he was just camera shy.

    --

    Some aim to please, I aim to tease.
  41. what a moron by iamhassi · · Score: 2, Funny
    "The New York Times contacted the authorities after we learned of the breach and addressed the [security] holes internally,"

    Moron! You're just suppose to break in and steal stuff, not unlock the door, announce yourself to the occupants, then offer to buy them much better locks!

    --
    my karma will be here long after I'm gone
  42. Video of Lamo by acedtect · · Score: 2, Informative

    TechTV has video of Lamo before his arrest

    http://www.techtv.com/chkpt/240hp091003/http://www .techtv.com/screensavers/story/0,24330,3520394,00. html

    He did an interview in the hotel room beforehand and talks about his attitude towards the charges and what he did. Then there's some video of him with the fed at Starbuck's that doesn't have any inofrmational value but is interesting from a documentary standpoint.

    Seems like Lamo's willig to pay for his crime as long as he agrees that he's being accused of something he consciously did.

  43. Re:Ah, the old boogeyman argument. by DesScorp · · Score: 2, Insightful

    He wasn't refering to graduates at the time. He was refering to very gifted students, ones that were establishing reputations for themselves, suddenly dropping out of school, or just dissapearing altogether. He wasn't talking about the normal cycle of graduates moving on somewhere else.

    --
    Life is hard, and the world is cruel
  44. Re:Ah, the old boogeyman argument. by Macrat · · Score: 2, Funny

    No. Purdue spends a LOT of money keeping track of students after graduation.

    For the past ten years no matter how many times I move and DON'T forward my mail, those bastards keep finding me and keep asking for donations.