[ISN] Feds say Lamo inspired other hackers

InfoSec News isn at c4i.org
Thu Sep 16 06:13:55 EDT 2004


By Kevin Poulsen
16th September 2004

The final act in the saga of Adrian Lamo's hacking adventures ended
with a contrite message from the once brash cyber outlaw, and a grim
denunciation from his prosecutor, who blamed the hacker for inspiring
other computer intruders.

In a hearing in New York last July, Lamo, 23, was sentenced to six
months of house arrest followed by two years probation, and ordered to
pay $65,000 in restitution, for intruding into the New York Times'
internal network and conducting thousands of database searches using
the newspaper's Lexis-Nexis account. The hearing was not publicized in
advance and no reporters attended.

A transcript obtained this month by SecurityFocus shows an apologetic
Lamo professing remorse for the actions that made him famous.

"Since all this started, I have had a great deal of opportunity and
time to see many of the effects of the things that I have done, how
they have harmed the companies that I compromised, how they harmed me,
how they harmed my family, how really they have harmed so many people
around me," Lamo told federal judge Naomi Reice Buchwald.

"I've hidden behind a facade of words in some of the statements that I
have made and some of the things that I have said, and for me really
it's been an alternative between seeming flip or walking around in
constant gloom," Lamo said. "This is a process I want no further part
in. I want to answer for what I have done and do better with my life."

The Homeless Hacker

Lamo began publicly exposing security holes at large corporations in
May, 2001, when he warned the now-defunct broadband provider
ExciteAtHome that its customer list of 2.95 million cable modem
subscribers was accessible to hackers. He worked with the company at
its California office to close the hole before going public with the
hack. He followed that up with high-profile hacks of Yahoo!,
Microsoft, Worldcom, Blogger, and other companies, usually using
nothing more than an ordinary web browser, and often offering to help
the companies close the holes he exploited. Some of Lamo's victims
have even professed gratitude for his efforts: In December, 2001, he
was praised by communications giant WorldCom after he discovered, then
helped close, security holes in their intranet that threatened to
expose the private networks of Bank of America, CitiCorp, JP Morgan,
and others.

In February, 2002, Lamo penetrated the New York Times, after a
two-minute scan turned up seven misconfigured proxy servers acting as
doorways between the public Internet and the Times' private intranet,
making the latter accessible to anyone capable of properly configuring
their web browser. Once inside he hacked passwords to broaden his
access, eventually browsing such disparate information as the names
and Social Security numbers of the paper's employees, and logs of home
delivery customers' stop and start orders. He capped off the hack by
adding himself to a database of 3,000 contributors to the Times op-ed

Unemployed and frequently found living out of a backpack and traveling
the country by Greyhound, Lamo was dubbed "the Homeless Hacker" by the
press, and he inspired an online "Free Lamo" movement by his admirers
after he was finally hit with a federal indictment for the Times
intrusion last year. He pleaded guilty in a deal with prosecutors in

"Palpable Fear"

At Lamo's sentencing, assistant US attorney Joseph DeMarco said Lamo
had caused serious financial harm, and was responsible for "a great
deal of psychological injury" to his victims. "Until they got to the
bottom of what Mr. Lamo had done, they were put in real fear, and I
can tell your honor, from speaking to those victims, that it was

The prosecutor then zeroed in on Lamo's Robin Hood image.

"For better or worse, Mr. Lamo has become a source of attention not
only to the public and press at large, but also to members of his
generation and other individuals in the computer community," DeMarco
continued. "Whether or not Mr. Lamo sought to inspire those people or
was neutral on that subject, the fact remains that we really won't
know how many computer hackers Mr. Lamo has inspired by his misdeeds.  
We won't know what damage those hackers will do."

Lamo's attorney, Sean Hecker, told the court that Lamo "has a lot of
growing up to continue to do," but emphasized that the hacker had
stopped talking to the press, was attending counseling sessions, and
was doing well as a journalism student at a local community college.

Lamo could have gotten as much as a year in prison under the terms of
his plea agreement. In passing down the lighter sentence, Buchwald
said it shouldn't be mistaken for a slap on the wrist.

"Anyone who thinks that this is a light sentence simply because there
is a harsher alternative I think is sorely mistaken," said Buchwald.  
"Mr. Lamo is now I think 22, 23. He will have a felony conviction on
his record the rest of his life."
