Lamo pleads guilty to NY Times hack

Faces jail

Hacker Adrian Lamo pleaded guilty Thursday to federal computer crime charges arising from his 2002 intrusion into the New York Times' internal network, and faces a likely six to twelve months in custody when he's sentenced in April.

In a plea deal with prosecutors, Lamo, 22, admitted to cracking the Times network and recklessly causing damage exceeding $5,000. Both sides agreed on the six-to-twelve-month sentencing range which, under federal guidelines, could permit Lamo to serve his sentence under house arrest or confined to a halfway house, at the court's discretion. The judge is not bound by the sentencing recommendation, and could technically sentence Lamo to as much as five years in custody -- though it's unlikely. The hacker also potentially faces $15,000 to $20,000 in fines, and could be ordered to pay financial restitution.

Clad, uncharacteristically, in a sports coat and loafers, Lamo answered federal judge Naomi Buchwald in a calm and clear voice Thursday as she meticulously reviewed his rights as a defendant, and asked if he wished to waive his right to a jury trial. Lamo told Buchwald that he regretted causing the Times financial harm. "I knew that I crossed the line," said Lamo. "I am genuinely remorseful."

"He has always indicated that he's willing to accept responsibility for what he did," said Lamo's defense attorney, federal public defender Sean Hecker, after the appearance.

In a statement, Times spokesperson Christine Mohan said Lamo's intrusion "was a serious offense, and we appreciate that it was treated as such by the authorities."

The federal case against Lamo began in February, 2002, when, according to court documents, FBI agent Christine Howard read about the New York Times hack on SecurityFocus, which first reported on the incident. Lamo said at the time that he penetrated the Times after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times' private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.

Once inside, Lamo exploited weaknesses in the Times' password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services.

He also added his real name, phone number and e-mail address to a database of 3,000 contributors to the Times op-ed page, where he listed himself as an expert in "Computer hacking, national security, communications intelligence."

Financial losses disputed

Prosecutors charged Lamo with the intrusion last September, and in an affidavit Mohan accused the hacker of racking up $300,000 in charges by conducting 3,000 searches on the Lexis-Nexis news and legal databases service under the Times' corporate account. Lamo said at the time that the figure had "no basis in fact", and Thursday's plea suggests that it was at least exaggerated: both sides stipulated that the hacker caused between $30,000 and $70,000 in losses through a combination of his unauthorized Lexis-Nexis use and his access to an unprotected Microsoft customer service database. (The Microsoft incident, which took place in 2001, was unrelated to the Times intrusion, but was included in the plea as "relevant conduct" for sentencing purposes.)

Thursday's guilty plea caps an aggressive FBI investigation that generated controversy last September when the Bureau notified a dozen journalists who had covered the hacker's antics that it intended to subpoena reporters' notes -- a threat that was later withdrawn as inconsistent with Justice Department policy.

In the months that followed, the probe saw FBI agents contacting a Who's Who of figures in the computer security and hacking community, some with no obvious connection to Lamo, like @stake's Chris Wysopal, and Tsutomu Shimomura, the researcher who helped the FBI track then-fugitive hacker Kevin Mitnick in 1995. Field agents also interviewed the nomadic hacker's friends and associates around the country, toting a list of questions that covered everything from Lamo's motives as a hacker, to queries about his social life. "They kind of tried to make me feel like I did something," said Lamo friend Matt Griffiths. "They asked if I was a hacker, if I ever hacked anything, what kind of programs I used."

The FBI didn't return a phone call on the case.

Lamo has become something of a tech-media darling for his rootless, wandering lifestyle -- Wired News dubbed him the "Homeless Hacker" -- combined with his habit of publicly exposing security holes at large corporations, then voluntarily helping the companies fix the vulnerabilities he exploited, sometimes visiting their offices or signing non-disclosure agreements in the process.

Until the Times hack, Lamo's cooperation and transparency kept him from being prosecuted, even after hacking Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser. Some companies even professed gratitude for his efforts: In December, 2001, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet.

Lamo said after the court appearance Thursday that his plea agreement does not preclude the government charging him for some of his other intrusions, but, "there's sort of an understanding, which may or may not hold."

The hacker also says he's through committing computer crimes. He remains free on bail, obliged by court order to live with his parents and either work or attend school. He's now a student at a community college in Sacramento, California, where he's studying journalism.

Copyright © 2004, SecurityFocus
