Feeds

Lamo bumped from NBC after hacking them

'Helpful hacker' demonstrates techniques on camera

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

How did a mediagenic hacker like Adrian Lamo get himself bumped last week from a scheduled appearance on the NBC Nightly News with Tom Brokaw? Perhaps with his impromptu on-camera intrusion into the peacock network's own computers.

The vagabond hacker known for his drifter lifestyle and his public forays into large and poorly-secured corporate intranets sat down at a Washington D.C. Kinko's laptop station earlier this month with a freelance NBC news producer to show-off his particular style of hacking -- the 21-year-old typically uses little more than an ordinary browser, possessing an eerie knack for finding undocumented Web servers and open proxies at large organizations.

That method has gotten Lamo deep into the electronic infrastructures of such companies as troubled telecom giant Worldcom, Internet portal Yahoo, and most recently the New York Times, where last February he exploited lax security to tap a database of 3,000 Times op-ed contributors, culling such tidbits of information as Robert Redford's social-security number, and former president Jimmy Carter's home phone number. But unlike most intruders, Lamo eventually goes public with his discoveries, and offers to help those he's hacked tighten their security pro bono -- an offer that's been accepted by several of his corporate targets. So far Lamo's managed to avoid prosecution, though federal officials in New York are believed to be investigating him for the Times hack.

Lamo says NBC was taping him at Kinko's while he demonstrated security holes in a telecommunications company's systems, when the interviewer asked him if he'd be successful hacking NBC.

Five minutes and one guessed password later and Lamo was surfing the television network's private messaging system and an affiliate scheduling application that included internal memos and information on advertising rates. Screen shots of the hack provided by Lamo and reviewed by SecurityFocus Online include a page from an NBC vendor database with the network's trademark "living color" peacock and the warning, "All information contained on this Web site is to be held in the strictest confidence," in all capital letters. "It was a very full service system," recalls Lamo.

The videotaped intrusion was rushed onto the NBC Nightly News schedule, where it was slated to run last Thursday. But it was abruptly yanked off the schedule at the last minute. NBC News' spokesperson didn't return repeated phone calls on the segment, but a source close to the production, speaking on condition of anonymity, says network lawyers pulled the plug on the Lamo package out of concern that NBC might have acted improperly in filming the hacker committing computer crimes for the sake of the camera.

Legal Pitfalls?
The hacker says he wasn't coerced into doing anything illegal, and that he'd have likely wound up at the same Kinko's cracking corporate networks even without the camera crew -- an assertion that few who've met Lamo would dispute. But former federal computer crime prosecutor Matt Yarbrough, now an attorney with Fish & Richardson, says NBC's barristers did the right thing anyway, given broad federal conspiracy and computer crime laws. "If I was their lawyer, I'd be concerned if they were sitting there filming it," says Yarbrough. But the attorney adds that spiking the story may not entirely solve the problem. "Arguably, the crime has already taken place whether they air it or not."

It's not entirely clear what that crime would be. Other journalists (including this reporter) have observed lawbreaking for the purpose of reporting on it, and Lamo's intrusion into NBC's systems may not have been illegal to begin with, since the producer arguably gave Lamo permission to proceed. As for the telecom company, "It's not aiding and abetting a crime just because you had an appointment to get together and be shown," says Jennifer Granick, director of the Center for Internet and Society at Stanford Law School. "Apparently, he already has access to these systems, so it was something he was able to do, and was inclined to do, and the reporter was just watching... Being witness to somebody else breaking the law is not itself a violation."

But Kelly McBride, an ethics instructor at the Poynter Institute, a journalism research center, calls the taping "borderline lawbreaking," and says NBC News should have checked with their legal department before shooting, and found another way to tell the story if necessary.

"If the journalistic motivation is to show the public how easy it is or how vulnerable we all are... it's a good story and it's one of holding powerful people accountable," says McBride. "Maybe they should have just talked to the lawyers first. It's not like this is so urgent that they have to get it on the air, it's not the Pentagon Papers. ... A little front end work to identify the pitfalls would have made it a good story."

For his part, Lamo, who's not known for shrinking from controversy, charges the network with a failure of courage. "I can understand where they're coming from," says Lamo, in a telephone interview from somewhere on the East Coast. "But I like to think that in their place I'd take more of a risk."

© 2002 SecurityFocus.com, all rights reserved.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.