Slashdot Mirror


Adrian Lamo Surrenders

clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail." webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News. He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."

17 of 639 comments

  1. Reasonable damage figures by JohnGrahamCumming · · Score: 5, Insightful

    more than $25K damage to New York Times Co.,' and performing LexisNexis searches on
    his own name to the tune of $300K! I always find it interesting that so little tinkering
    can cause so much 'damage' (if you didn't get that wink, read the article about the
    nature of the 'damage').


    No I don't get the 'wink'.

    These damage figures really don't seem very unreasonable, especially given what Kevin
    Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
    cost of the people who had to evaluate and repair his intrusion into the network). As for
    the LexisNexis searches that cost is probably easy to calculate because they charge for
    use of the service and he probably used $300,000 worth of the service without paying for it.

    If he'd been accused of millions of dollars of damage for these intrusions then I might be concerned
    that the prosecutor was going overboard, but this seems pretty sane to me.

    John.

    1. Re:Reasonable damage figures by Trigun · · Score: 5, Insightful

      As long as they have to prove the damages, rather than having the judge readily accept them. In fact, who cares about how much damage is done, as long as it's over the $5,000. If he broke the law, he broke the law, he didn't break the law by $320,000. That would be essentially ridiculous, turning law from an ethical measure to a monetary one (well, more so).

    2. Re:Reasonable damage figures by InsaneGeek · · Score: 5, Insightful

      I never quite got this... would you really trust a hacker to tell you everything he did? Some anonymous person on the internet breaks into your system and you will just take his word for it? A security incident is a security incident you have to do the same work either way:

      offline the system
      investigate the system to find intrusion
      do a complete reload from scratch
      identify other systems on the network with same vulnerability accessible by compromised system
      make decision to roll dice and guess others were not compromised or rebuild those systems also

      number of steps left out but you get the drift, the entire network is compromised and I don't trust my job let alone hundreds of fellow employees' jobs, on a completely unknown person telling me they really didn't leave any back doors and didn't do anything at all after they intentionally broke into a system

    3. Re:Reasonable damage figures by Anonymous Coward · · Score: 5, Insightful

      But if they had discovered this on their own, they would have still had to have gone to the same expense.

      Just because he's the only one that ever told them that he was able to do it doesn't mean that others weren't.

    4. Re:Reasonable damage figures by Morosoph · · Score: 5, Insightful

      It seems to me that engineers view security breaches very differently from most people; we're used to having to fix all bugs, and it becomes natural to think of someone who's managed to break a system as having done good; the clean-up costs are not the costs of the breach, but the costs of the bug, as yet unforeseen.
      I get the impression that this is not how the average person thinks at all. When something fails, the most obvious culprit is the person that broke the system. There might be secondary concerns, but the first thing to do is to find blame.
      By contrast, the engineer is almost grateful, at least once the bug's been fixed!
      My thoughts are that people who break things without malice, although they might be in some sense "trespassing", deserve some protection, as egos do not deserve the protection of the law. The law should instead be structured so as to make secure systems more probable, i.e. intelligent cost/benefit analysis is the order of the day, not ideological moaning about property and trespass.

    5. Re:Reasonable damage figures by Evil+Adrian · · Score: 5, Insightful

      Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

      Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

      Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

      END OF STORY!

      Hacking is illegal, everyone knows it, why are you getting pissed about it? Leave other people's shit alone unless they specifically ask you to fuck with it, or you will get in trouble! That is NOT a difficult concept to grasp!

      --
      evil adrian
    6. Re:Reasonable damage figures by kfg · · Score: 5, Interesting

      One of the first things you learn when you begin working in computer security, especially as an outside contractor, is that your customers don't trust you as far as they could throw the Empire State Building.

      In fact, you will be reviled. You will have a hard time convincing many people to hire you because they're scared to death of you in the first place. Once they do hire you you will be assumed at some lizard brain level to be doing something nefarious.

      This is one of the reasons why network security is so poor. Companies are loath to allow outside security experts anywhere near the place.

      This is one of the reasons white hat hackers like Lamo do what they do. The companies aren't doing what they should, out of fear, thus leaving all the doors wide open. It's a dereliction of duty that the white hats expose to the public.

      The companies don't always take kindly to the fact that their customers then know how poorly their personal data is being protected.

      Obviously the way to handle the matter is to attack the white hat. Go figure.

      Now these same companies don't hesitate a second to call in a locksmith to handle their physical security. They don't worry that when a lock gets changed the locksmith is secretly making a copy of the key so he can break in at night and clean them out, even though this occasionally actually happens.

      Why not? Because physical locks aren't black magic beyond their understanding.

      Rather than gain that understanding they'd rather fear. Again, go figure.

      Computer security experts are like people who treat lepers. We acknowledge that they are needed, but we don't want them around our house.

      God forbid they should marry our daughter or something. We'll never sleep at night.

      KFG

    7. Re:Reasonable damage figures by greenhide · · Score: 5, Insightful


      Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."


      Here's a harsh example: If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

      As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

      The faulty lock isn't a good analogy. A better analogy is that you have a normal working lock, and the person is an extremely adept locksmith who also knows how to circumvent security systems. Don't think "This Old House", think "Mission Impossible".

      These servers weren't left totally out in the open, otherwise people would be hacking into the NY Times *all the time*. I mean, wouldn't it be tempting to be able to put any message you wanted, up for viewing to many millions of people?

      I'm sure the NY Times spends a whole lot on security, and does a pretty good job at it. This Adrian fellow is a really good hacker; that's all there is to it. Any system that must connect to the Internet is inherently insecure. The people at the NY Times have probably made a very careful balance between making their servers secure, and making it possible for employees to access it from the thousands of locations across the globe where they have staff, reporters, subscription offices, and distribution and printing centers.

      I think anyone who blames the NY Times in this case is expecting too much. I'd like to see how *your* computers handle a hacking attack from this guy.

      --
      Karma: Chevy Kavalierma.
    8. Re:Reasonable damage figures by _bug_ · · Score: 5, Insightful

      Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

      Actually it may not be a clear-cut illegal intrusion. If Lamo never encountered an "authorized use only" or "for NYT staff only" message then it can (as has been in the past) be argued that Lamo had no reason to believe he was accessing an area of the NYT network he was not supposed to. Given that he was accessing it via the Internet which is a PUBLIC network.

      That may be why the NYT is trying to put a dollar figure to the "damage" Lamo caused. Then they can argue property damage.

  2. Useful links. by sekzscripting · · Score: 5, Informative

    Here's a few extra (useful) links: free lamo - adrian support site [run by kevin mitnick's girlfriend], the screen savers - shot video of adrian moments before his surrender, trigger street - running a documentary on hackers, currently they're following adrian's story..

  3. Quick.. by grub · · Score: 5, Funny


    Start printing stickers that say "Adrian" which you can apply over the word "Kevin"..

    --
    Trolling is a art,
  4. Re:He boasted.... by Mononoke · · Score: 5, Funny
    How good are the ones who keep their mouths shut and just steal shit?
    We are absolutely incredi...

    Aw crap.

    --
    NetInfo connection failed for server 127.0.0.1/local
  5. Lexis/Nexis and NYT by Speare · · Score: 5, Interesting

    What would you want to bet that Lexis/Nexis just winks and nods at their huge customer, The New York Times, Inc., and waives much of the actual charges that resulted from automated searches on Adrian Lamo. At their prices, there is probably still over $25K worth of manual labor involved... Lexis/Nexis is a premier service with some amazingly in-depth methods.

    Plus, the scouring job that's required by NYT's IT department to ensure there aren't any new "easter eggs" in their system will go into significant coin too. I don't agree with the preposterous insurance-claim oriented figures that go into these 'cracking' news stories, but you can't just trust a superficial system cleanup after being cracked.

    --
    [ .sig file not found ]
  6. Leave the poor guy alone... by Anonymous Coward · · Score: 5, Funny

    The man's name is Lamo. Hasn't he suffered enough?

  7. Adrian Lamo Surrenders by Morosoph · · Score: 5, Insightful
    This story makes me sad. The judge had a "last minute" idea, "Oh yeah, let's ban him from using computers", probably the only thing that really gave purpose to the life of a tramp. Getting a "real" job cannot be a substitute, and as The Register points out, Adrian wasn't exactly writing viruses. Quote:
    Following the recommendation of a federal pretrial services officer who interviewed the hacker in custody, Hollows ordered Lamo to obtain full-time employment or enroll in college pending trial. The ban on computer use was the judge's idea.
    "This whole business of computer hacking, viruses and so forth is getting very wearisome," said Hollows, explaining his thinking from the bench.
    There is something depressing about the whole "join society" ethos, that is, conform to everyday mediocrity.
  8. Personal case by Anonymous Coward · · Score: 5, Interesting

    (Anonymous for obvious reasons)

    I don't live in the US. In my early days at the university I was involved in a serious case of hacking. Being a nerd for network security I once told a university network administrator, that happened to be a good friend of mine and a student of one of the classes I gave at the time (on network security) at an institution unrelated to the university, that the university network was 'easy hackable', he challenged me for a proof and I responded. About four months later I found myself in deep trouble: my network account was surrendered and all my e-mail was analyzed by the network administrators. For some reason (only known to an 18-year-old) I had sent an email to a friend telling him that I had cracked about 2000 passwords on the university network.

    It turned out that since my 'friend' spoke with me he went with his superior and 'bought' a promotion for turning me in. The only proof they had was the email and a private conversation recorded without my permission (by a university student, not a government office) where I admitted to have cracked the university super-computer and a cluster to write, compile and run a distributed program that kept running for a little over two months (without anyone noticing it, it stopped running because I decided to stop it).

    To get on-topic: They claimed that my actions had caused over US$ 100K. After 6 months of trial (where I was assisted by some great voluntary people) I walked out with a restraint to use any university computer for 4 years, and being unable to create accounts for any ISP in the state for 2 years.

    The moral of the story is this: You fight. And fight hard. If you do so the people will support you, because you are fighting from the right side. Take it to the end, at some point justice will be served.

    1. Re:Personal case by Anonymous Coward · · Score: 5, Funny

      Oh yeah? Well I cracked a gajillion passwords in 5 minutes with my Casio calculator watch. And then they made me president of the company.

      So there.