The companies he broke into read like a Forbes ranking list. Yahoo! Excite@Home. MCI WorldCom. Microsoft. SBC Ameritech. Cingular.
He got away with it by notifying those companies of the weaknesses, and in some cases helped fix them, for free.
Then he set his sights on the New York Times. They were less forgiving. Today, April 8th, Adrian Lamo will be sentenced - having pleaded guilty.
I first worked to get an interview with Adrian Lamo in July, 2003. Having compromised the networks of some of the most influential companies in the world was not incredibly unusual, but the manner in which it was done was intriguing. Adrian Lamo has been termed the "homeless hacker," the "helpful hacker" and numerous other nicknames - because instead of disappearing into the ether, he would make the company aware of the flaw he had exploited, and in some cases would advise them on how to resolve it. Based on that approach, Lamo was fortunate to have dealt with companies that didn't choose to press charges.
Then, during an interview with SecurityFocus (not affiliated with Techfocus), he admitted to having broken into the NY Times network. The interviewer contacted the New York Times in a request for comment. Shortly thereafter, the FBI started an investigation. He was ultimately arrested in September for the penetration of the New York Times network, and for using their resources. Today he has pleaded guilty to breaking into their network, and to conducting unauthorized searches on Lexis/Nexis - all on the Grey Lady's tab. You can read the original criminal complaint here.
Lamo had another distinction from many hackers - he did all this while homeless. While his family was willing to house him, he set off on his own, traveling from place to place via Greyhound. Occasionally he slept on the couches of people he knew in different cities; at other times he would sleep in abandoned buildings or anywhere feasible. All the while, he traversed networks using a battered laptop with a wireless network card.
Adrian Lamo is most assuredly unique. A month after his arrest, I received an email from him asking how the weather was. A bit puzzled, I contacted a mutual acquaintance to verify that it was Adrian. Indeed it was, so we met the next weekend near his home to discuss his background, and the serious charges he faced.
This was no ordinary interview. Not only had Lamo not given any interviews since the arrest, but the FBI had been exerting tremendous pressure on journalists that had spoken with Lamo, demanding that they turn over all notes and correspondence with him. It was only after a strong outcry from the journalistic community and their attorneys that the FBI grudgingly relaxed their demands, but there was little solace in that. As such, there was nothing written down - just a digital voice recorder with a limited battery. Upon the conclusion of the interview, the recording was transcribed to the PC, then sent to an offshore server outside of my control, in the event that an order was made to surrender it. The digital recording was destroyed.
We hope you enjoy the interview.
Update: Sentencing has been delayed until June.
When did you get started getting interested in security online?
"That'd depend on how you define started, I guess. My first exposure to computers was my Dad's Commodore 64 when I was six or seven, and as you may have read somewhere, I was interested in making things work differently than the way they were intended - loading, then inputting it and using the list command to see all of the code contained within it to see what the hell I was supposed to do with this blind corner that didn't seem to go anywhere."
What kind of games?
"Text-based adventure, like Zork-style."
What moved you to move from disk-based security to a larger scale type of interest?
"To me there's never been that much of a differentiation, in the sense that what I do is less ab
Good call. I sent him a list of the questions several months ago and he just returned them the other day.
When I saw the direction he took it at the beginning, I considered adding/editing/rewording my original list of questions to fall under that umbrella. For better or worse (perhaps worse) I went ahead and published what I had.
There's a funny Phil Hendrie show in which one of Phil's "guests" argues that women can't tell the difference between diamonds and cubic zirconium rings.
I'm certified on CheckPoint's NG. I used to work for a rather well-known security integrator in San Diego that sold CheckPoint solutions.
When I'd peddle CheckPoint, several of our clients would just laugh and say, "For that price, I'll buy hardware and load OpenBSD's pf." Can't say I blamed them.
There are times, however, in which CheckPoint can really make your life easier. For example, you can easily (for better or worse) push a policy to multiple endpoints. The graphical logs are cool also.
Sales reps (may) try to sell you on the seamless failover crap. Bottom line: lots of hoops, and I don't know that it's any easier than PIX's failover solution.
DoSnets have three components. A binary, either a trojan or worm (if it's self-spreading) infects machines which are called drones. These drones then connect to a DDoS server, which is generally an IRC server which has been stripped down to make detecting and cleaning the drones more difficult.
There are operators on [major IRC network] who dedicate a large part of their time to finding and deleting these drones and drone servers, along with contacting providers whose machines are putting out the binaries. It should be noted however that this activity is ILLEGAL and viewed by the authorities as a violation of computer crimes laws. As a rule of thumb, unless you have paperwork from a judge saying you can touch a compromised machine, or you own the machine in question, don't touch it.
Picking up and putting your fingerprints on a gun found in the street is unwise. So vigilantism or "policing your network" or server is illegal. If you touch those compromised boxes, you go to jail; if you don't, the kiddie, seeing you, might very well turn around and packet you. It's not a good situation.
Anyone have an example of someone doing this and getting busted?
Agreed, Seth. This is, IMO, a good example how the media obsesses over those who destroy, rather than create.
I would have enjoyed the story more had the author explored such things as how virus makers justified wreaking such havoc on innocent people. If it's really *just* about "fucking Microsoft" or (insert favorite justification here), then why include innocent people in your crossfire?
At least the script kiddies weren't referred to as "hackers"
From my experience, here are some of the things NT 4.0 MCSEs have not known how to do:
--open up a UDP port on a firewall (because he didn't even know what UDP was)
--how to ftp ("Where do I find a program that lets me ftp?" he asked)
In fact, just yesterday an MCSE I worked with didn't even know what an MD5 hash was (much less how to check it for a file). A coworker told me an MCSE he once worked with didn't even know how to telnet.
NT 4.0 MCSE certs are hardly worth the paper they're written on, IMO. 2000 track MCSEs are better. The verdict is still out on the 2003 track.
(Imagine if Saddam hired OJ's dream team.)
(seriously)
Good job. Keep up the good work.
Too much Art Bell, I guess....
It's only a matter of time before someone plugs AI into the chatroom application and fucks with them.
http://www.buymystupidshit.com/unsubscribe.asp?
Not if you use this
It's fairly simple to enable security so strangers don't have access to your television signal or recordings.
Oh dear, we mustn't let others have access to free media.
(I'm just too lazy to pick one)