Feds say Lamo inspired other hackers

'Palpable fear'

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

The final act in the saga of Adrian Lamo's hacking adventures ended with a contrite message from the once brash cyber outlaw, and a grim denunciation from his prosecutor, who blamed the hacker for inspiring other computer intruders.

In a hearing in New York last July, Lamo, 23, was sentenced to six months of house arrest followed by two years probation, and ordered to pay $65,000 in restitution, for intruding into the New York Times' internal network and conducting thousands of database searches using the newspaper's Lexis-Nexis account. The hearing was not publicized in advance and no reporters attended.

A transcript obtained this month by SecurityFocus shows an apologetic Lamo professing remorse for the actions that made him famous.

"Since all this started, I have had a great deal of opportunity and time to see many of the effects of the things that I have done, how they have harmed the companies that I compromised, how they harmed me, how they harmed my family, how really they have harmed so many people around me," Lamo told federal judge Naomi Reice Buchwald.

"I've hidden behind a facade of words in some of the statements that I have made and some of the things that I have said, and for me really it's been an alternative between seeming flip or walking around in constant gloom," Lamo said. "This is a process I want no further part in. I want to answer for what I have done and do better with my life."

The Homeless Hacker

Lamo began publicly exposing security holes at large corporations in May, 2001, when he warned the now-defunct broadband provider ExciteAtHome that its customer list of 2.95 million cable modem subscribers was accessible to hackers. He worked with the company at its California office to close the hole before going public with the hack. He followed that up that with high-profile hacks of Yahoo!, Microsoft, Worldcom, Blogger, and other companies, usually using nothing more than an ordinary web browser, and often offering to help the companies close the holes he exploited. Some of Lamo's victims have even professed gratitude for his efforts: In December, 2001, he was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

In February, 2002, Lamo penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their web browser. Once inside he hacked passwords to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders. He capped off the hack by adding himself to a database of 3,000 contributors to the Times op-ed page.

Unemployed and frequently found living out of a backpack and traveling the country by Greyhound, Lamo was dubbed "the Homeless Hacker" by the press, and he inspired an online "Free Lamo" movement by his admirers after he was finally hit with a federal indictment for the Times intrusion last year. He pleaded guilty in a deal with prosecutors in January.

"Palpable Fear"

At Lamo's sentencing, assistant US attorney Joseph DeMarco said Lamo had caused serious financial harm, and was responsible for "a great deal of psychological injury" to his victims. "Until they got to the bottom of what Mr. Lamo had done, they were put in real fear, and I can tell your honor, from speaking to those victims, that it was palpable."

The prosecutor then zeroed in on Lamo's Robin Hood image.

"For better or worse, Mr. Lamo has become a source of attention not only to the public and press at large, but also to members of his generation and other individuals in the computer community," DeMarco continued. "Whether or not Mr. Lamo sought to inspire those people or was neutral on that subject, the fact remains that we really won't know how many computer hackers Mr. Lamo has inspired by his misdeeds. We won't know what damage those hackers will do."

Lamo's attorney, Sean Hecker, told the court that Lamo "has a lot of growing up to continue to do," but emphasized that the hacker had stopped talking to the press, was attending counseling sessions, and was doing well as a journalism student at a local community college.

Lamo could have gotten as much as a year in prison under the terms of his plea agreement. In passing down the lighter sentence, Buchwald said it shouldn't be mistaken for slap on the wrist.

"Anyone who thinks that this is a light sentence simply because there is a harsher alternative I think is sorely mistaken," said Buchwald. "Mr. Lamo is now I think 22, 23. He will have a felony conviction on his record the rest of his life."

Copyright © 2004, 0

Related stories

NY Times hacker sentencing delayed
Lamo pleads guilty to NY Times hack
Fame, Infame, All the Same
FBI bypasses First Amendment to nail a hacker
Lamo denies $300,000 database hack
NY Times hacker surrenders, is released
NY Times hacker set to surrender
FBI reportedly hunting Adrian Lamo
Point! click! get! root! on! Yahoo!
Google closes Blogger security holes
Lamo bumped from NBC after hacking them
NY Times sicks FBI on MSNBC journo
Panel debates Samaritan-hack amnesty
New York Times internal network hacked
Lamo strikes again: WorldCom

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.