Feeds

Feds say Lamo inspired other hackers

'Palpable fear'

  • alert
  • submit to reddit

High performance access to file storage

The final act in the saga of Adrian Lamo's hacking adventures ended with a contrite message from the once brash cyber outlaw, and a grim denunciation from his prosecutor, who blamed the hacker for inspiring other computer intruders.

In a hearing in New York last July, Lamo, 23, was sentenced to six months of house arrest followed by two years probation, and ordered to pay $65,000 in restitution, for intruding into the New York Times' internal network and conducting thousands of database searches using the newspaper's Lexis-Nexis account. The hearing was not publicized in advance and no reporters attended.

A transcript obtained this month by SecurityFocus shows an apologetic Lamo professing remorse for the actions that made him famous.

"Since all this started, I have had a great deal of opportunity and time to see many of the effects of the things that I have done, how they have harmed the companies that I compromised, how they harmed me, how they harmed my family, how really they have harmed so many people around me," Lamo told federal judge Naomi Reice Buchwald.

"I've hidden behind a facade of words in some of the statements that I have made and some of the things that I have said, and for me really it's been an alternative between seeming flip or walking around in constant gloom," Lamo said. "This is a process I want no further part in. I want to answer for what I have done and do better with my life."

The Homeless Hacker

Lamo began publicly exposing security holes at large corporations in May, 2001, when he warned the now-defunct broadband provider ExciteAtHome that its customer list of 2.95 million cable modem subscribers was accessible to hackers. He worked with the company at its California office to close the hole before going public with the hack. He followed that up that with high-profile hacks of Yahoo!, Microsoft, Worldcom, Blogger, and other companies, usually using nothing more than an ordinary web browser, and often offering to help the companies close the holes he exploited. Some of Lamo's victims have even professed gratitude for his efforts: In December, 2001, he was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

In February, 2002, Lamo penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their web browser. Once inside he hacked passwords to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders. He capped off the hack by adding himself to a database of 3,000 contributors to the Times op-ed page.

Unemployed and frequently found living out of a backpack and traveling the country by Greyhound, Lamo was dubbed "the Homeless Hacker" by the press, and he inspired an online "Free Lamo" movement by his admirers after he was finally hit with a federal indictment for the Times intrusion last year. He pleaded guilty in a deal with prosecutors in January.

"Palpable Fear"

At Lamo's sentencing, assistant US attorney Joseph DeMarco said Lamo had caused serious financial harm, and was responsible for "a great deal of psychological injury" to his victims. "Until they got to the bottom of what Mr. Lamo had done, they were put in real fear, and I can tell your honor, from speaking to those victims, that it was palpable."

The prosecutor then zeroed in on Lamo's Robin Hood image.

"For better or worse, Mr. Lamo has become a source of attention not only to the public and press at large, but also to members of his generation and other individuals in the computer community," DeMarco continued. "Whether or not Mr. Lamo sought to inspire those people or was neutral on that subject, the fact remains that we really won't know how many computer hackers Mr. Lamo has inspired by his misdeeds. We won't know what damage those hackers will do."

Lamo's attorney, Sean Hecker, told the court that Lamo "has a lot of growing up to continue to do," but emphasized that the hacker had stopped talking to the press, was attending counseling sessions, and was doing well as a journalism student at a local community college.

Lamo could have gotten as much as a year in prison under the terms of his plea agreement. In passing down the lighter sentence, Buchwald said it shouldn't be mistaken for slap on the wrist.

"Anyone who thinks that this is a light sentence simply because there is a harsher alternative I think is sorely mistaken," said Buchwald. "Mr. Lamo is now I think 22, 23. He will have a felony conviction on his record the rest of his life."

Copyright © 2004, 0

Related stories

NY Times hacker sentencing delayed
Lamo pleads guilty to NY Times hack
Fame, Infame, All the Same
FBI bypasses First Amendment to nail a hacker
Lamo denies $300,000 database hack
NY Times hacker surrenders, is released
NY Times hacker set to surrender
FBI reportedly hunting Adrian Lamo
Point! click! get! root! on! Yahoo!
Google closes Blogger security holes
Lamo bumped from NBC after hacking them
NY Times sicks FBI on MSNBC journo
Panel debates Samaritan-hack amnesty
New York Times internal network hacked
Lamo strikes again: WorldCom

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.