Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Government Security News

Adrian Lamo Charged With Hacking 527

retro128 writes "Drifting around the US from state-to-state, Adrian Lamo has been making news for some time with his 'White Hat' hacking exploits. His highest-profile hacking has included Excite@Home and Yahoo. After he would break into a network, he would call up those in charge of it and help them fix the holes. So far, it has earned him praise from the administrators of those systems, but now SecurityFocus is carrying the story that the FBI has filed charges against him, and currently has his parents' house staked out. The records are sealed, so nobody knows who is responsible, but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got."
This discussion has been archived. No new comments can be posted.

Adrian Lamo Charged With Hacking

Comments Filter:
  • by Anonymous Coward
    Adrian : Rule #1 : If you seek credible, first hack your own personal details to requisition a new surname.
    • by Anonymous Coward
      Yep, how do you think the New York Times felt when they'd heard that their site had been hacked by some Lamo? Of course they're going to take it personally! Now if they'd heard that Max Power had hacked into their site... that could have been another matter.
  • by Goo.cc ( 687626 ) * on Saturday September 06, 2003 @09:43AM (#6887104)
    Maybe the real problem that the New York Times has with Lamo is that he was able to read stories without having to register for a free account. (Hell, that stupid registration requirement make me want to hack them too.)
  • And good riddance. (Score:3, Insightful)

    by JeffTL ( 667728 ) on Saturday September 06, 2003 @09:46AM (#6887122)
    Who needs more greyhats running around testing security without so much as permission?
    • by SerpentDrago ( 703376 ) * on Saturday September 06, 2003 @09:52AM (#6887138)
      If you ask and tell theam your going to try to hack. Then they will tighten security. Thats exactly why you can't tell theam. You have to just do it. at a random time without theam knowing , then see if they catch it. Thats the only true way to "test" Do it Blind or it is not real. A BlackHat will never ask or tell you when.
      • by Shoten ( 260439 ) on Saturday September 06, 2003 @10:46AM (#6887427)
        I think you're confusing what Lamo did with something that the NYT actually gave permission for. I agree with you, that a penetration test should be performed in such a way as to be unexpected, so paranoid admins can't do stupid things to improve the results (like turn off all inbound access for a day). But this wasn't a penetration test, it was nothing more than an uninvited and deeply illegal intrusion plus some spin control for the media.

        I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about? I wouldn't, and the resulting cleanup to make sure that nothing more was done is an expensive and disruptive process. This is part of why the damages for relatively minor hacks end up being so enormous in many cases.

        We're always pushing ourselves to question what we're being told by the media, by our leaders, by our educators, by big business...we should really question anyone who might have an ulterior motive.
      • by rblancarte ( 213492 ) on Saturday September 06, 2003 @10:50AM (#6887448) Homepage
        Drago - you are a fool. If you are hacking people's systems without their permission, YOU ARE BREAKING THE LAW. PERIOD. END OF STORY. If people were allowed to say "Well, I was doing it so I could help their security", then you would have all sorts of Blackhats hacking systems, and then claiming, "I was going to help, but you arrested me first." No.

        Look, there are ways to do security checks like this, without the security teams knowing that you are doing it. Get permission, make sure that no one is tipped off, and then test the systems.

        If there is one thing I can't stand it is people doing illegal actions and then claiming they are doing it for the greater good. This type of action cannot be condoned. Sure, you might be doing help, but you also might not.
        • by Izago909 ( 637084 ) <tauisgodNO@SPAMgmail.com> on Saturday September 06, 2003 @01:59PM (#6888530)
          So let's throw the (relatively) most desirable type of hacker in jail so he gets out of the way of the black hats. This is some bullshit logic. Regardless of what his 'true' intentions were, his track record speaks volumes: He's always come clean with people.
          While network admins are busy giving themselves kudos for integrating Microsoft's latest and greatest secure systems, he is busy looking for holes. Without these types of white hats, all the world would have is insecure networks remaining open to black hats until they discovered the holes the really hard way.
          Screw all the evil, sinister things you think his 'true' intentions are. He and his counterparts have potentially saved your company millions in expenses when some black hat could have made off with gigabytes of confidential data. Think these white hats are bad? Wait until you have class actions out the wazoo because many of your customers are now facing the business end of your over confidence.
          Screw modern hacking laws because they are stale and outdated. People always like to tack on new laws without even considering removing or revising obsolete sections. All it's going to do is alienate any potential allies. The bad guys won't get caught because they hide, the good guys don't hide because they think they don't have a reason to.
          White hats are thrown in jail because they get bad attention and can cause a PR mess. Many times, the work of black hats can be covered up by the company or government. How many stories have we heard of hackers holding sensitive data ransom or extorting businesses in some way? You really don't think EVERY incident gets publicized, do you? These people want to make it look like they are tough on hackers, so they go after the easiest and most public targets.
          You will be giving a powerful message to upcoming generations of hackers. If the end result is the same, what the hell do I need this white hat for?
          Someone will come knocking at your door, it's inevitable. What color hat do you want him to be wearing?
      • If you ask and tell theam your going to try to hack. Then they will tighten security. Thats exactly why you can't tell theam. You have to just do it. at a random time without theam knowing , then see if they catch it. Thats the only true way to "test" Do it Blind or it is not real. A BlackHat will never ask or tell you when.

        Let's try a little analogy and see how you like tha argument.

        If I ask you and tell you that I'm going to access your bank account, then you will just tighten security. This is exact

      • by xplenumx ( 703804 ) on Saturday September 06, 2003 @04:27PM (#6889410)
        The University of Washington had a "student run" program where returning students could volunteer to help freshmen move into their dorm room. In return for their help, the UW would supply the volunteers with free food (Usually through SubWay, Dominos, etc, with a student leader ordering the food using UW budget codes). After everyone moved in, the group would disband and everyone would forget about it until the following fall. Approximately six years ago, the student leader who was in charge of ordering food decided in Winter quarter that he would use the budget codes and try to order up some food for him and his friends (http://tinyurl.com/mhck) . What was Eric's excuse when he was eventually caught? "I was just trying to show how insecure the system was" and "I was really doing Res. Life a favor". Sound familiar? Eric Feigenbaum then wrote a series of articles to the student newspaper, The Daily, regarding his experience and how the university didn't appreciate his 'generous act'. Personally I become extremely nervous when someone decides to conduct some unannounced public service, especially through illegal means. Usually the "I'm just misunderstood. I was really trying to help out" excuse comes out after the individual gets caught, but some individuals will come forward first, hoping that it'll cover their tracks. For example, I had one employee to came up to me and said that they learned how to use the copier without first putting in their copy code. Turns out the employee decided to "test" his method by making over 5000 copies over a period of three days (all after hours). Another employee within the firm reported that some equipment was missing (it would have been discovered later that week). It was eventually discovered that the very same employee had stolen the equipment the night before. I don't know the first thing about Adrian Lamo besides what's written in the referenced article. He may be the most honest, altruistic, and generally nice guy in the world. Good for him. The problem is that the next Adrian Lamo may not be.
  • Great Excuse (Score:3, Interesting)

    by Pave Low ( 566880 ) on Saturday September 06, 2003 @09:48AM (#6887126) Journal
    So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

    Maybe I didn't install a deadbolt and an alarm system, but who made this guy the "helper" of my problems?

    There are no white-hat, gray-hats or black-hats. Only criminals and law-abiding citizens.

    • Re:Great Excuse (Score:5, Interesting)

      by hattig ( 47930 ) on Saturday September 06, 2003 @09:53AM (#6887147) Journal
      Agreed. If he wanted to perform white hat hacking, he should have approached the companies involved and asked for a job to test their security. Hell, he'd have earned money that way as well.

      But he did commit a crime - he broke into and entered their systems without permission. Sure, he did it for a good reason in his own head, and wasn't going to be malicious ... but it isn't as if he was doing the internet equivalent of rescuing the baby in a house fire.
      • Re:Great Excuse (Score:5, Insightful)

        by nearlygod ( 641860 ) on Saturday September 06, 2003 @10:01AM (#6887191) Homepage
        How different is this from the investigative reporters on your local news broadcast. In many cases a white hat my find that customer's CC numbers or SS numbers are accessable via an exploit or weak security. In a way, he/she would be helping the public by giving the company and opportunity to correct the situation or at least take it public. An investigating reporter may find that a company or governemnt office is throwing out sensitive info without shredding it or taking the proper preventative measures. If I am giving a company like Amazon my CC#, I want to oknow that they are going to protect that info. Who is going to watch/audit the company if they get lazy?
    • There's no question that he's broken a law or two in the process here, the question now is more of whether he'll be doing 100 hours of community service of 100 years to life in jail. This has the potential of turning into the Kevin Mitnick case all over again, where the government starts spewing false charges and forgets basic things like telling the accused what they're accused of.

      Lamo did the electronic version of breaking and entering, he certainly should get less of a sentance than a bank robber, rapis
    • Re:Great Excuse (Score:5, Interesting)

      by moonbender ( 547943 ) <moonbender AT gmail DOT com> on Saturday September 06, 2003 @10:02AM (#6887197)
      So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?
      That analogy doesn't have a lot of merit. You're a private person, he didn't break into private computers. If a bank has a door to their vault which they don't know of and which is never locked, then yeah, they should be grateful for being told about it. Obviously, there's no bank so stupid, but that just goes to show that banks have a lot more experience dealing with real-world break-ins - another reason why this guy should be acknowledged for his deeds, he's making people aware of problems which they are not experienced in dealing with.
    • Re:Great Excuse (Score:5, Insightful)

      by qtp ( 461286 ) on Saturday September 06, 2003 @10:07AM (#6887230) Journal
      So if someone had broken into my house without permission, then told me about it afterwards, am I supposed to feel better about it?

      But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?

      The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't realy apply.

      OTOH, your mention of the deadbolt and alarm does apply, but only in the sense that if I did buy/install a deadbolt and alarm, I'd be royally pissed if they didn't work.
      • Re:Great Excuse (Score:4, Insightful)

        by maggard ( 5579 ) <michael@michaelmaggard.com> on Saturday September 06, 2003 @10:17AM (#6887280) Homepage Journal
        But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?
        But he didn't just "look in", he went and altered files. And the curtians were down, the door closed, he didn't just happen to glance in but broke in.
        The guy's not threatening anyone, nor is he stealing or endangering anyone's life. The "Housebreaking" metaphor doesn't realy apply.
        Breaking & Entering doesn't mean anyone has to be home or their life directly threatened.
        • altered files

          Where'd you read that? Must've been a different article.

          Breaking & Entering doesn't mean anyone has to be home or their life directly threatened.

          Yeah, but using a remote to erase the programs on your neighbor's VCR does not = "Breaking and Entering" as long as you stay out of the house when you do it.

      • Re:Great Excuse (Score:4, Insightful)

        by dirk ( 87083 ) <dirk@one.net> on Saturday September 06, 2003 @10:19AM (#6887294) Homepage
        Except we was in the systems and could have done anything while in there. Maybe he is a true "white hat" and didn't do anything bad and told them everything. But it is just as likely that he left a trojan or backdoor in the system. They can't tell what he did or didn't do, so they now have to not only secure their systems against whatever hacks he used to get in, but they have to scour everything on the system to make sure he didn't change any data or leave anything behind (and there is no way to tell whether he copied anything from the system).
      • by Have Blue ( 616 ) on Saturday September 06, 2003 @10:19AM (#6887296) Homepage
        But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?
        No, but if he calls me up and says "I was watching you through your bedroom window last night" I would.
      • "But if someone noticed that you can see into your bathroom and bedroom from the street, do you get them busted for being a peeping tom?"

        In order for your analogy to be complete, you have to remember that he entered and altered things.

        So, it is not a peeping tom you can compare it to. It is someone who busts in, pees on the floor in the bathroom, and drops pizza slices on the bedspread in the bedroom.

        "The guy's not threatening anyone, nor is he stealing or endangering anyone's life."

        The same can be s
    • Re:Great Excuse (Score:2, Insightful)

      As I have pointed out elsewhere, the open door analogy is basically lame because the problem here is not the crime but, society's response to the crime. A trespasser remains a trespasser. In computer crime, a trespasser can suddenly become an armed robber if the person whose property was invaded has enough political muscle.

      Also there is a third party issue here too. One of the files he gained access to contained personal information of another person. Where is the New York Times' legal responsibility t

    • Re:Great Excuse (Score:5, Interesting)

      by MrHanky ( 141717 ) on Saturday September 06, 2003 @11:01AM (#6887533) Homepage Journal
      An interesting analogy.

      After drinking heavily in a bar, a friend of mine and I bought some slices of pizza at a shop, and went outside to eat. Since we were too drunk to stand up, we sat down on the steps outside another shop, which was closed for the night. That is, it should have been. My friend was leaning his back on the door, which was open. He fell right in.

      Now, the right thing to do, according to you, would be to go away, minding his own business. And what the hell was he doing, trespassing on the steps outside the shop and all. If this was in Texas, he would be rightfully shot. However, my friend, being both an imbecile and a crook with neither morals, nor respect for private property, went inside to look for a telephone and hopefully the phone number to the owner (we were both too tired to do any serious looting). And so the owner was noticed and the door was closed, and my friend got a serious hangover.

      The moral of this story is: if you drink, you get a hangover, so alchohol is bad, 'mkay?
    • Re:Great Excuse (Score:5, Insightful)

      by morissm ( 22885 ) <morissmNO@SPAMlexum.umontreal.ca> on Saturday September 06, 2003 @11:48AM (#6887775) Homepage
      The home invasion analogy is a very bad one. A home is by its very nature badly protected (you don't spend millions securing it, do you?) but it is also a sanctuary, a place where a break-in results in a certain emotional stigma.

      A better analogy would be this one: Suppose that somebody is waiting in an airport's lobby. He has not gone through the security checks yet. While waiting, he notices airport personnel going through what seems to be an unlocked employee-only door. A thought flashes in his mind: "This doesn't seem very secure. I thought airports were supposed to be secure." So he goes to the door and lo and behold, it is unlocked! He goes through it and find a bunch or corridors and doors.

      Naturally curious and a little adventurous, our guy wonders how far he can go. He goes forward and manages to get to the departure area WITHOUT going through security. He feels a little proud of having easily broken a system on which governements and airlines has spent millions.

      Being a good citizen, our guy then goes to the security counter and shows his finding to the cop. But suddenly, the cop puts cuffs on him and charges him with trespassing and attempting to bypass security in an airport. Of course, the proper action would have been for the guy to go to security as soon as the unlocked door was found. Adrian Lamo should have stopped his investigation at the misconfigured proxy.

      However, is it reasonable to charge somebody with a federal crime for having gone a little further in testing the security of a system? Whether is was an airport or NYT's intranet.

      I don't think so. The FBI can claim that they don't know whether the guy smuggled dope during his attempt and the NYT can claim that they'll have to check every system for backdoors but I believe it's mostly bad faith from people lashing out because they felt humiliated. Get a grip... fix your stuff and move on. Destroying the life of somebody who tried to help you is just stupid and cruel.
  • by Servo ( 9177 ) <dstringf.tutanota@com> on Saturday September 06, 2003 @09:50AM (#6887133) Journal
    He was violating the law. He did not have prior authorization when he hacked into these systems. While some companies may have been happy to be warned of the vulnerabilities they had, and were glad to have them fixed, what he did was still illegal. He should deserve to be arrested, but given his motives will hopefully be given some leniency when it comes to sentencing.
    • Yes, he did something illegal.
      He did something wrong.
      He might be able to prove or suggest no criminal intent, which would give the lenient sentence.

      But really why was he doing this? it was dumb.
  • by Larkfellow ( 265776 ) on Saturday September 06, 2003 @09:51AM (#6887134) Homepage
    Here's a link to The Screen Savers (on Tech TV) that has some information about what Adrian had to say [techtv.com] when he called in live to speak with Leo.
  • hacking... (Score:4, Insightful)

    by softspokenrevolution ( 644206 ) on Saturday September 06, 2003 @09:52AM (#6887135) Journal
    Well, zero tolerance. The thing here is that to an awful lot of people, and especially those who make the laws, hacking is hacking is hacking, who cares what someone says they were doing it for.

    I can realy understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."

    I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charages against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.
    • by globalar ( 669767 ) on Saturday September 06, 2003 @10:08AM (#6887233) Homepage
      From the article:
      "'I hope there will be a time when Adrian can do positive things that everyone agrees are positive,'"

      This service analogy, or the positive light of the grey hacker's actions, does have some weight, as the hacker can inform the admins about the specific flaws of their system security.

      But then again, any service should be prompted or invited. And a larger problem is this isn't just washing windows, these are problem areas, flaws, and security flaws at that. These might even give access to a company's dirty laundry. So not only is this service uninvited and not approved, it gives access to private company resources and information, and uses the security holes to get in.

      Yes, I assume if security is the only dimension that your job entails, then this is all worth it. But to most people in charge, and arguably the general populace at large, this is an intrusion by illegal means.

      I personally value my private virtual space. If you get on my computer and get into my root account, it's an intrusion. Yeah, I will listen to how you did it, but for your troubles you'll never use my computer again.
    • To sent this one to the top. I agree entirely. For the past year I have turned the tables and gone from creating overly complicated web applications for other people to running my own business. When I was working for an ISP, I would have probably appreciated a call like that--but now that it's my sensitive data at stake, it's a big no no. I mean, admitted his motive was good, but he still gained access to sensitive data. It's like breaking into a bank vault to prove the money isn't safe--somebody is total
    • Re:hacking... (Score:5, Insightful)

      by El Cubano ( 631386 ) on Saturday September 06, 2003 @10:35AM (#6887387)

      I can realy understand how someone could consider that they're doing a service for admins and all of that, but the point is that you are still breaking into a system and then turning around and saying, "hey, this is a security hole, you should fix it" is kind of like G. Guido coming down to your house, breaking in through a window with a golf-club and then saying, "Hey, I can break into your house, better listen to me or I'll do it again."

      I'm sure that Adrian has some noble goals, but fundamentally when a company decides that they don't like people creeping into their system and then presses charages against those who do, it's their right to feel that their security was violated. Good luck to him really, but there are other ways you can help people protect their network security than by breaking into them.

      I can see your point, but what he was doing was exposing flaws in the security of "public" places on the net. How is this any different than when the local news where I live broke into the nearby international airport's restricted area and did a report from there (this was about a year after 9/11) to show how lax security had become again.

      When the journalists do it, it is a public service. When a private citizen does it, it is a crime. WTF? Personally, if I am going to be utilizing the services of these sites, I want to know that they have good security (and not just because they say so).

      There is no way anyone can convince me that what he was doing was wrong. He was providing a public service, and if the public is too ungrateful to realize that, then it is really sad.

      It's not like he extorted money from the comapnies, or demanded some compensation, heck he even helped them fix the holes. It is just sickening that you can't even be a good Samaritan without someone wanting to take your head off.

  • Go Mom! (Score:5, Insightful)

    by The Tyro ( 247333 ) on Saturday September 06, 2003 @09:53AM (#6887140)
    Heheh... when the agents wanted to come into her home, she told them to get stuffed and come back with a warrant...

    That's love, folks.

    It would be ironic if this was set up by the NYtimes. I thought investigative/secret camera/sting operation reporting was supposed to be agressive journalism... couldn't his "hack" be considered the same sort of thing? "Unsporting" doesn't begin to describe it, particularly if he was up-front and honest about helping them out. If the NYtimes can investigate, blow the whistle on others, and embarass them into action, I'd say the same card can be played against the Times. "Sour Grapes" anyone?

    Yes, he was likely technically in the wrong, no doubt about it, particularly if you adhere to the letter of the rule, rather than the spirit of the rule... even so, this seems a bit heavy-handed.
    • Re:Go Mom! (Score:3, Interesting)

      by LostCluster ( 625375 )
      Yeah, there are many reporters through the years who have broken laws in the course of reporting, and I'm sure some archive searchers can come up with NY Times examples, where the investigative reporter escapes punishment because they broke the law in the name of journalism.

      Lamo didn't down the company, or commit credit card fraud with Rush Limbaugh's SSN. There are much worse hackers out there, but the FBI's just looking for somebody to make an example of because they can't quite figure out where the firs
      • by The Tyro ( 247333 ) on Saturday September 06, 2003 @10:54AM (#6887487)
        and that's ethical vs not, whether it's hacking, or journalism.

        Journalists are supposed to operate by an ethical code, and the vast majority do so. Journalistic ethics would say that you cannot break the law in order to get a story... though that's not say it hasn't been done. Check out this link. [state.gov] It would seem that ethical standards in journalism are quite flexible, and that there is no set rulebook. Instead, as in ethical dilemmas in many disciplines, one must weigh competing evils. The evil of impersonating someone, or operating under a false identity, veruse letting a politician go on with corrupt, harmful actions... which weighs more, and who decides?

        By the same token, one might make the same argument for Adrian's actions. He intended no harm (as an investigative reporter might intend no harm in impersonating someone else to get a story), so the Mens Rea AKA "guilty mind" did not exist. Reporters often argue, when investigating and digging into the lives of public figures and officials, that those officials have less of an expectation of privacy than regular citizens... and to some extent they're right. Yet, how does the watchdog presume to waive the privacy of others in the pursuit of a story, while immediately running to the FBI? The media also argue that they have the right to dig, based on the fact that they are defending the public's "right to know." (how many times have we heard that?) The media assumes that power as society's watchdog... but who's watching them? Apparently, Adrian was, and they are NOT happy about it.

        It's doubly ironic that an organization dedicated to exposing the truth (ostensibly in a transparent, above-board, and for-the-greater-good fashion), is getting their panties in a bunch over someone showing them some truth in a like manner. Apparently the old grey lady doesn't have a problem airing the dirty laundry of others, but is awfully sensitive about her own problems... and from an ethical standpoint, Adrian's actions are probably arguable either way.

        I'm sorry, but I find this whole thing incredibly funny.
    • Re:Go Mom! (Score:3, Interesting)

      by SunPin ( 596554 )
      Yes, you are correct but he should have covered his ass by setting up a security magazine online so he could enjoy the Freedom of the Press.

      Freedom of the Press belongs only to those that own a press. Everyone else will be raped when the system feels like doing so.
  • Seems fair (Score:3, Insightful)

    by TheFairElf ( 669537 ) on Saturday September 06, 2003 @09:55AM (#6887156)
    If he's going to hack websites, even with the best intentions he's still breaking the law. It seems it would be better for him to work at a security firm (or open his own) and at least get paid for all his troubles. Then he'll be rich and he'll be praised for basically doing the same thing.
  • This seems unfair (Score:5, Insightful)

    by practicalista ( 686436 ) on Saturday September 06, 2003 @09:57AM (#6887166)

    I am not sure what he did at the New York Times can even be considered hacking.

    So far as I can tell he set his web proxy to the address of the company infranet, surfed around that, downloaded some documents and used the information contained in these to get some more.

    Whilst I don't approve of hacking per-se, I'd have to say that here, this is very little more than exposing a badly designed web site.

    Imagine that you go to you Gas company's online web site, look at the URL and see your account number in it. You think to yourself, I wonder what would happen if I changed one of the digits. You do and lo and behold up pops all the information to another customer.

    Now you can go for your 15 minutes of fame and ring up SecurityFocus or you can have a quiet word with the Webmaster of the Gas company - either way, you are not a hacker.

    • that he knew he did not have permission to access, by his own admission.

      Any way you slice it, that breaks the letter of the law.

      If you want to test the secrurity of my network without getting charged if you break in, then I suggest you obtain myh persmission to do so in the first place.

      Analogy: You find a guy walked in your front door cause it was open, snooped around your house, your bedroom, your closet... then told you "You shouldn't leave that box of money in your closet, and you should leave your do
      • by practicalista ( 686436 ) on Saturday September 06, 2003 @10:16AM (#6887277)

        The law make distinctions between trespass, breaking and entry, armed robbery and so on.

        The guy who wanders around your house is a trespasser not an armed robber. It seems here that a better analogy would be :

        A guy walks in to your unlocked house, boasts about it and you insist that he prosecuted for the worst possible crime he *may* have committed, not the crime he did commit (to walk through an unlocked door).

        • not the crime he did commit (to walk through an unlocked door).

          Excuse my ignorance, but is this really a crime in the USA? AFAIK local laws, in Germany anyone can walk into any open (as in "not closed", not "not locked") area as it pleases him/her, until and only until, you say him he is not welcome. Then you can call the police if he stays or reenters.

          That's probably why most estates have garden fences. Most of them don't stop anyone, but they declare the garden a "closed" area (presumed that the fence
  • This lame weasel has been publicly boasting about his escapades for over a year now. It's about time the authorities caught up with him. I suppose that they will use this as another reason why Andy Griffith and Barney Fife need the Patriot Act.
  • Sheesh! (Score:3, Insightful)

    by joto ( 134244 ) on Saturday September 06, 2003 @09:58AM (#6887172)
    What did he expect really? That everybody should love him because he snooped around in their systems without permission?

    He must have been living under a very large big rock for a long time, if he thought this kind of behaviour has ever been accepted by the authorities and most sysadmins.

    And by the way, hacking systems without permission have never been white-hat. At best, I would call it grey-hat, although black-hat is certainly also fitting.

    If we start judging people on intentions instead of what they do, I think most people will start complaining. "No, I was only trying to help the sysadmin, so I haven't done anything illegal", is about as stupid as "You thought about stealing that car, so you should go to jail for that".

  • How lame... (Score:4, Funny)

    by Equuleus42 ( 723 ) on Saturday September 06, 2003 @09:58AM (#6887174) Homepage
    ...the FBI has filed charges against [Lamo], and currently has his parents' house staked out.
    Well that's just... lame-o! [ducks for cover]

  • Wow so I'm not alone in this world. (for those who know me) Anyway, I wrote up an article about the Blaster scapegoat [politrix.org], guess I'll do another one. The ONE THING TO NOTE (I will not rant on about this too much) is how supposedly he accessed information on federal agents. Not to start a conspiracy theory thread or flame war, but shouldn't this be the obvious reason why they are going after this guy. Think about that for a bit. Sure he accessed their site, but they should also go after the vendor if they're sin
  • Information wants to be free! [sic]
  • by tarranp ( 676762 ) on Saturday September 06, 2003 @10:04AM (#6887208)
    If you break into someone's house, telling him after the fact how yo got in does not automatically pardon you from the crime...

    Had Adrian simply notified the New York Times in a timely manner about the open proxy servers, he would have been fine and probably accomplished his mission.

    Instead, he took his time cracking the system, widening the holes so to speak, and then went to a reporter(!), of all people.

    There is nothing inherently wrong with his desire to improve security. There is nothing wrong with him looking around the public spaces on the internet for chinks. What was wrong was that he failed to tell the people maintaining the chinks directly about them, widened them until he got at valuable data, didn't tell the affected people about the data he had received, but then went to a third party and told them about the wanging big hole he had made. I'm sure he views himself as a knight in shining armor, but in this matter he behaved like a publicity-seeking self-promoter.

    Yes, shame on the NYT for misconfiguring their systems, but even more shame on Adrian for doing something so illegal and counterproductive.

    It does not matter if a person thinks he's a good guy, he still does not have carte blanche to do whatever he wishes.
  • from the techtv site...

    "Lamo hacked into the website of The New York Times in February 2002 and took the Social Security numbers of several people. He then added his name to the list of contributors to The New York Times and notified the paper of what he'd done."

    kind of like this....

    middle-aged man #1 (Lamo) - "hey, i screwed your 16 year old daughter. i took her virginity, but i have to tell you she wasn't very good."

    Lamo expected this...
    middle-aged man #2 (NYT) - "oh hey thanks! i'll get her some li
  • Um, what?? (Score:5, Interesting)

    by GrouchoMarx ( 153170 ) on Saturday September 06, 2003 @10:12AM (#6887257) Homepage
    OK, white hat cracking someone is still cracking their system, no matter how benevolent the intent. But this part just makes my blood boil:

    French did not know what the specific allegations were, because the charging document is sealed.

    Especially in light of this part of another article that people need to spend more time reading:

    In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

    Excuse me, what part of cracking the NY Times is a threat to national security? Why are so many court documents sealed these days? There is NO legitimate reason for securing this sort of charge. Even if the prosecutors were to go as far as claiming he were a terrorist, there's still no nuclear weapons secrets (which we all know by now anyway, despite being classified) in the NY Times payroll database.

    He should use that in his defense; because the case was sealed, it's unconstitutional and therefore he can't be found guilty.

    I don't support this sort of vigilante white hat hacking, but I oppose ignoring the constitution even more.

    • Excuse me, what part of cracking the NY Times is a threat to national security?
      Well, if the New York Times is compromised by hackers, how can we ever trust the accuracy of the stories published by this hallowed national treasure...oh wait...never mind....
  • by Orion Blastar ( 457579 ) <orionblastar.gmail@com> on Saturday September 06, 2003 @10:12AM (#6887262) Homepage Journal
    If he was hired to test security it would be a different matter. But he allegedly broke into those systems without permission. That puts him in violation of Cybercrime laws.

    I feel sorry for him, because he did allegedly report the weaknesses to the admins and he could have just read the data and not told anyone and used the information for his on purposes. So his intentions were good, to plug security holes by finding them and telling the admins about it. But he is doing it the wrong way, without permission.

    He may want to think about pleading guilty and making a deal to get reduced charges. This will make him famous and when he gets out of jail and ends probation, he can become a security consultant. Otherwise they may try to make an example out of him and charge him with a full pentalty and any other charges they can think of.

    But then the places he broke into didn't use good security practices and didn't apply the latest updates. Personally, I wouldn't put a machine on the Internet that contains sensitive data on it that only my company should have access to like contact information, credit card numbers, etc.
  • by AtariAmarok ( 451306 ) on Saturday September 06, 2003 @10:12AM (#6887265)
    "but Lamo suspects the New York Times initiated the investigation when they found out how deep into their system he got.""

    Ah. This will lead to the perfect explanation of the Jayson Blair problem and other NYT prattfalls:

    "It wasn't us. Lamo hacked our personnel files to make sure Blair was hired and employed. He also altered our articles so they were not longer factually pristine."
  • Lamo broke into the NY Times computer and found out that all their news stories are ghost written by the CEOs of Haliburton, Bechtel and Enron.
    • Lamo broke into the NY Times computer and found out that all their news stories are ghost written by the CEOs of Haliburton, Bechtel and Enron.

      It would be more likely that Lamo found evidence that the NYT really is run by former Soviet "useful idiots". We are talking about a paper that has its own Pulitzer prizewinning apologist for Stalin [guardian.co.uk].

      Though in all fairness the NYT is likely just another bunch of leftist hypocrits. They complain about high prision populations, police "brutality", the Patriot Act,
  • Why do they do it? (Score:5, Insightful)

    by Knunov ( 158076 ) <eat@my.ass> on Saturday September 06, 2003 @10:14AM (#6887271) Homepage
    I know what many of you are thinking. Why not tell these companies BEFORE you break in?

    Because IT'S NOT FUN, that's why. Or perhaps more accurately, it's not stimulating.

    Hacking these sites takes time, and the payoff is getting inside and saying, "WOO-HOO! I DID IT!" The fact that he does nothing malicious afterwards and even calls and helps the sysadmins unfuck their systems is a testament to his character.

    For those who would compare his antics to breaking into your home, but not stealing anything, it's a poor analogy. Why? Because your house is your personal meatspace. And if he went inside, he would see many things personal to you, such as family pictures, your kid's toys, or if he was REALLY unlucky, your fat, naked ass sitting in a Lazy Boy with a bowl of chips balanced on your ponderous belly, flipping through the channels.

    "Uhhh... hey dude. Your lock is vulnerable."

    See? Just not the same.

    Getting past a computer's defenses is not the same as physically entering a home or bank vault, though I would find the latter far less intrusive than home invasion, especially if he never even touched the money.

    Now, if he LOOKED at personal/confidential files once inside, that is a different story. But beating a system's defenses, with the only ambition of proving you can do it, then calling the responsible party and helping them fix the security flaw SHOULD NOT be punished.

    Misdemeanor, at most.

    It doesn't matter what he could have done while inside, it matters what he did, or more specifically did not do while inside the system.

    "That bastard! He saw my FILE NAMING SCHEME!"

    Yeah, he should fry for that...

    Knunov
  • If NYT wanted a security audit of their system, they would have paid someone to do it. Since they did not, they obviously didn't want one. Good intentions or not, Lamo broke the law and deserves to face the consequences of his actions.

    I realize that it's "chic to be geek" here with the whole "white hat" hacking stuff, but be realistic. After all, you don't see people doing the physical analogue of white hat hacking. That's B&E.
  • by AppHack ( 622902 ) on Saturday September 06, 2003 @10:18AM (#6887289)
    So he's a gray hat hacker who has fallen into shadow. Will he come back as a white hat hacker, more powerful than before?
  • Dialectic (Score:5, Insightful)

    by Henry V .009 ( 518000 ) on Saturday September 06, 2003 @10:22AM (#6887313) Journal
    Everyone enjoys comparing hacking to breaking into someone's house or trespassing on private property. It is not. You cannot be 'inside' someone else's server. (It is doubly impossible given the girth of most hackers.) The physical definitions fall apart. And the metaphorical analogies do not mesh physical property and Turing machines so well.

    We can begin with what we do know for sure about hacking. A hacking incident is when someone sends packets of information (in some form and by some medium) from a computer or computers to someone else's computer or computers. Which packets are illegal and which are not? Any exact definition raises problems. You can say that any packets that change the functioning of the target system in an unintended way is hacking. So the ignorance of the owner becomes the limit of what is or is not hacking. Faking an email address on a badly designed sign up page (or using mailinator) might be hacking under that definition. Other definitions are similarly problematic. Currently our legal system tends to default (once it actually gets to jury trial) to the above definition, but (in effect) adds that the act must be highly technical and use specialized tools. (Other definitions exist, and I am of course willing to bust holes in any particular one you care to suggest--so go ahead and suggest them.)

    But there is such a thing as computer hacking. Everyone knows that. Even if we cannot have an exact legal definition, we know that some things are clearly computer hacking. What is the best way of creating law (which is now inexact) to deal with this behavior? I would suggest making the motive of the hacker one of the main considerations of law. It is always hard to for legal systems to judge guilt based on motive--and they should not if they can avoid it--but in this case, they must either judge the motive of the victim or the perpetrator. If the motive is vandalism or theft, then the act should be punished. Adrian Lamo's motive appears to have been an act that should not have been punished--though it is highly important to state that we do not yet know the facts.
  • by Kurt Russell ( 627436 ) on Saturday September 06, 2003 @10:30AM (#6887353)
    you [spr.org]
  • If what the cracker did is actually what this post says, I think he didn't do anything wrong ethically. There is really few alternatives if you do want to get the system fixed and the admin isn't that friendly.

    But anyway he clearly violated the law, so it is mostly fair (albeit pathetic) that he gets prosecuted. He must be either very brave or stupid (or both) to do such things knowingly. Once I want to blame the law, but anyway there is already plenty of ethical ways to break the law badly.

    Maybe the

  • What a joke (Score:2, Interesting)

    by Vellocet ( 678574 )
    Come on. This guy has been breaking computer laws for years. Entering a system without prior authorization is against the law, period. Two things amuse me about Adrian Lamo: 1) He has never demonstrated significant or diverse knowledge of computer networks. The methods he uses to enter systems are trivial and repetitive. His ego is the only thing that can't be replaced by a simple script. 2) He brags about not accepting or extorting money. It's just as sickening that Adrian Lamo is all about fame. As the
    • Re:What a joke (Score:3, Insightful)

      by Entrope ( 68843 )
      Your argument falls flat on a number of points.

      Reportedly, his access to the NYT systems was by using publically accessible proxy servers. Saying he needs prior authorization to do that is naive -- do you need prior authorization to access arbitrary mail or web servers on the Internet? Leaving the systems open is prima facie authorization. There would have to be some indication that only NYT employees (or whomever) were authorized to use the system.

      You are amused that he uses the same tactics to access
  • by Cyno ( 85911 ) on Saturday September 06, 2003 @10:37AM (#6887391) Journal
    Here in the US we do not tolerate these activities. He knows too much which makes him a potential terrorist. Using his skills without a license, without the authorization of the government, without legal protection, will land his ass in prison.
  • That a homeless guy is a better hacker than you.
  • I realize this will be an unpopular point of view with 98% of Slashdotters, but...

    If you can't do the time, don't do the crime. Its that simple.

    Regardless of if you agree with it or not, the law is the law, and it is currently illegal to hack in to a system without permission. If you don't like it, then work to get the law changed. And in the meantime, don't expect sympathy if you get busted for breaking it while knowing full well you could be prosecuted. Any man with brains enough to hack in to a sys
  • by the-banker ( 169258 ) on Saturday September 06, 2003 @11:06AM (#6887571)
    I understand most of the arguments against what Lamo did, but there are a few points I want to get off my chest:

    1. To all those saying, 'Its like he broke in your house': No it isn't. The machines were connected to the internet, which is a public medium. A house is a physically closed space where courts have rules one can have an expectation of privacy. Nobody can claim that the internet should provide an expectation of privacy - by its very nature of using shared resources it flies in the face of such an argument.

    2. I don't know how it needs to be done, but truthfully do you (the collective Slashdot you) trust companies to secure their networks, perform audits and be upfront and honest about their failures? If I were a NYT partner I would be furious that my information may have been publicly accessible, yet I would never have known about its vulnerability without Lamo. How many companies have been hacked, had credit card or other info stolen, and just not said anything about it? When Acxiom was hacked, personal information on individuals was stolen over 8 months before they "discovered" the hack - and the hack was found by Hamilton County, Ohio Prosecutor's office when investigating another case that had come forward. What are the chances that Acxiom KNEW they had been hacked, compromised personal information, and said nothing? I am guessing with the current climate of corporate ethics, a pretty high chance exists that a lot of information is being disseminated by people who stole it and consumers have no idea because the company in question is sweeping it under the rug.

    Hacking into someone else's system is bad. Nobody can disagree there, but the bottom line is a tradeoff of negative impacts - for what Lamo did I see a lot fewer negative consequences than today's corporate irresponsibility with personal information and computer security.

  • Interview him (Score:3, Insightful)

    by BortQ ( 468164 ) on Saturday September 06, 2003 @11:46AM (#6887772) Homepage Journal
    I would really like to see a slashdot interview with this guy.
  • Its a sad world (Score:3, Interesting)

    by madstork2000 ( 143169 ) on Saturday September 06, 2003 @11:58AM (#6887844) Homepage
    Consider this:
    You see an open door at your neighbors house. You know the guy is on vacation.

    Do you call the cops? Probably not, you just go over and check out the place for him. Most of the time the door was not securely latched, or the kids watering the plants forgot to close it.

    But what if you discover that the place has been trashed and stuff presumably stolen. I would call the cops, and my neighbor. Would they be suspicious of me? Yes probably at first, but in the long run they'll more likely be grateful.

    Obvisously, there are good reason for laws, tresspassing is one of the fundemental laws throughout history. But, I'm willing to give up a little privacy if and when someone goes out of their way to HELP me protect my property. I'd much rather a neighbor walk through my house in my absence if they think something is wrong.

    I also happen to own a tiny hosting company, and I would definately rather have a white hat let me in on specific exploits my system is vulnerable to rather than leave it alone and let the script kiddies do their thing, if I have screwed up.

    Unfortunately for Mr. Lamo a law is a law, and with the overzealous (at least on high profile cases) FBI on the case, they'll probably try to make him into another Mitnick.

    It is a sad world, everywhere we go policies, principles, and even laws try to dissuade people from working together and co-operating. Capitalism, democracy are great in principle, and can be in practice, but even the best ideals can be bastardized by people in power.

    Free software is said to be communism by its critics, sharing code in a CS course is bound to get you expelled, make a backup copy of a CD and face the rather of the RIAA, the world will probably end if the same DVD Can be played in europe, japan and the USA.

    This is in my opinion another example of moral decay. We have all these rules and laws that do not promote morals, but rather promote some arbitrary standard of "rightness".

    It is the principles of openess, and co-operation that have drawn me to Linux, and free speech software. I'm trying to raise my children right, to teach them to help others for the sake of helping. When something needs to be done, if you can do it, do it. I try to instill them with team values, that together they can accomplish more than they can by themselves.

    Its just ashame that the way things are going I'll likely end up looking like a bad parent...

  • by cluge ( 114877 ) on Saturday September 06, 2003 @12:25PM (#6887988) Homepage
    The NYT is one of the most hypocritical organizations today. They sue to get 9/11 tapes of people dieing - all in the name of "openess" and "public information", yet they have a network connected to the public network - which is open and transparent through their own doing - and thats bad/illegal? PLEASE - The NYT's proxy servers were so misconfigured that it was akin to them posting information in the window of the downtown offices and then getting pissed if people read what they posted.

    You can bet your rear quarters that if our hacker had been a reporter on a story for the NYT that they would be vigorously defending his actions. Like most large corporate entities the NYT has no moral basis for anything it does, in the end it's about money, not honesty, truth or enlightenment. It sure as hell isn't about the times mission statement which is "The Company's core purpose is to enhance society by creating, collecting and distributing high-quality news, information and entertainment."

    Perhaps our hacker should have "enhanced society" by distrubiting the inromation he found to the world. It would have been high quality news to see how one of the most influtential papers is really run.
  • NYT? (Score:4, Funny)

    by wolf- ( 54587 ) on Saturday September 06, 2003 @12:46PM (#6888105) Homepage
    They were worried he knew just how much of their news was faked.
  • by podperson ( 592944 ) on Saturday September 06, 2003 @12:54PM (#6888143) Homepage
    If you leave your front door open and I take a look inside your house, what crime have I committed? At most, I am told, trespass. If you left the keys under the mat and I opened the door, it's breaking and entering.

    Similarly, if I take your car with the clearly stated intention to return it when I am done (e.g. if I desperately needed to drive someone to the hospital), I haven't stolen it, I've borrowed it -- with or without your permission.

    Theft, burglary, etc. are crimes defined in part by the intention of the alleged perpetrator and the damages suffered by the alleged victim.

    OTOH we live in a world where one of the first "terrorist" groups targeted by the government after 9/11 were Environmental Activists who destroy machinery but have been careful never to hurt anyone.

    But I'm no lawyer.

I'd rather just believe that it's done by little elves running around.

Working...