Feeds

Lamo pleads guilty to NY Times hack

Faces jail

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Hacker Adrian Lamo plead guilty Thursday to federal computer crime charges arising from his 2002 intrusion into the New York Time internal network, and faces a likely six to twelve months in custody when he's sentenced in April.

In a plea deal with prosecutors, Lamo, 22, admitted to cracking the Times network and recklessly causing damage exceeding $5,000. Both sides agreed on the six to twelve month sentencing range which, under federal guidelines, could permit Lamo to serve his sentence under house arrest or confined to a halfway house, at the court's discretion. The judge is not bound by the sentencing recommendation, and could technically sentence Lamo to as much as five years in custody-- though it's unlikely. The hacker also potentially faces $15,000 to $20,000 in fines, and could be ordered to pay financial restitution.

Clad, uncharacteristically, in a sports coat and loafers, Lamo answered federal judge Naomi Buchwald in a calm and clear voice Thursday as she meticulously reviewed his rights as a defendant, and asked if he wished to waive his right to a jury trial. Lamo told Buchwald that he regretted causing the Times financial harm. "I knew that I crossed the line," said Lamo. "I am genuinely remorseful."

"He has always indicated that he's willing to accept responsibility for what he did," said Lamo's defense attorney, federal public defender Sean Hecker, after the appearance.

In a statement, Times spokesperson Christine Mohan said Lamo's intrusion "was a serious offense, and we appreciate that it was treated as such by the authorities."

The federal case against Lamo began in February, 2002, when, according to court documents, FBI agent Christine Howard read about the New York Times hack on SecurityFocus, which first reported on the incident. Lamo said at the time that he penetrated the Times after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.

Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services.

He also added his real name, phone number and e-mail address to a database of 3,000 contributors to the Times op-ed page, where he listed himself as an expert in "Computer hacking, national security, communications intelligence."

Financial losses disputed

Prosecutors charged Lamo with the intrusion last September, and in an affidavit Mohan accused the hacker of racking up $300,000 in charges by conducting 3000 searches on the Lexis-Nexis news and legal databases service under the Times' corporate account. Lamo said at the time that the figure had "no basis in fact", and Thursday's plea suggests that it was at least exaggerated: both sides stipulated that the hacker caused between $30,000 and $70,000 in losses through a combination of his unauthorized Lexis-Nexis use, and his access to an unprotected Microsoft customer service database. (The Microsoft incident, which took place in 2001, was unrelated to the Times intrusion, but was included in the plea as "relevant conduct" for sentencing purposes)

Thursday's guilty plea caps an aggressive FBI investigation that generated controversy last September when the Bureau notified a dozen journalists who had covered the hacker's antics that it intended to subpoena reporters' notes-- a threat that was later withdrawn as inconsistent with Justice Department policy.

In the months that followed, the probe saw FBI agents contacting a Who's Who of figures in the computer security and hacking community, some with no obvious connection to Lamo, like @stake's Chris Wysopal, and Tsutomu Shimomura, the researcher who helped the FBI track then-fugitive hacker Kevin Mitnick in 1995. Field agents also interviewed the nomadic hacker's friends and associates around the country, toting a list of questions that covered everything from Lamo's motives as a hacker, to queries about his social life. "They kind of tried to make me feel like I did something," said Lamo friend Matt Griffiths. "They asked if I was a hacker, if I ever hacked anything, what kind of programs I used."

The FBI didn't return a phone call on the case.

Lamo has become something a tech-media darling for his rootless, wandering lifestyle -- Wired News dubbed him the "Homeless Hacker" -- combined with his habit of publicly exposing security holes at large corporations, then voluntarily helping the companies fix the vulnerabilities he exploited, sometimes visiting their offices or signing non-disclosure agreements in the process.

Until the Times hack, Lamo's cooperation and transparency kept him from being prosecuted, even after hacking Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser. Some companies even professed gratitude for his efforts: In December, 2001, Lamo was praised by communications giant WorldCom after he discovered then helped close security holes in their intranet.

Lamo said after the court appearance Thursday that his plea agreement does not preclude the government charging him for some of his other intrusions, but, "there's sort of an understanding, which may or may not hold."

The hacker also says he's through committing computer crimes. He remains free on bail, obliged by court order to live with his parents and either work or attend school. He's now a student at a community college in Sacramento, California, where he's studying journalism.

Copyright © 2004, SecurityFocus logo

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.