Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government The Courts United States News

Adrian Lamo Surrenders 639

clafarge writes "Three days after Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail." webmaven adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News. He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."
This discussion has been archived. No new comments can be posted.

Adrian Lamo Surrenders

Comments Filter:
  • He boasted.... (Score:3, Interesting)

    by ellem ( 147712 ) * <ellem52@gmai l . c om> on Wednesday September 10, 2003 @09:53AM (#6921243) Homepage Journal
    How good are the ones who keep their mouths shut and just steal shit?
    • by Mononoke ( 88668 ) on Wednesday September 10, 2003 @09:56AM (#6921282) Homepage Journal
      How good are the ones who keep their mouths shut and just steal shit?
      We are absolutely incredi...

      Aw crap.

    • You got it (Score:5, Interesting)

      by DesScorp ( 410532 ) on Wednesday September 10, 2003 @10:38AM (#6921723) Journal
      We'll never know who the best are. Because they're SMART ENOUGH NOT TO BRAG ABOUT IT IN PUBLIC.

      All sarcasm aside, I once heard Prof. Gene Spafford [purdue.edu] of CERIUS [purdue.edu] say that some of his best students had simply dissapeared from the face of the Earth. He suspected that they were either recruited by Government organizations, or major corporations; and he was afraid that some even went to work for organized crime.

      THESE people are the real pros. They get the job done, get paid, and quietly move on. They could live next door to you, and you'd have no clue that they crack heavily guarded systems for a living. For every Adrian Lamo or Kevin Mitnick, or even Peter Shipley for that matter, there are a half dozen guys way better that you'll never hear about.
      • Re:You got it (Score:4, Insightful)

        by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Wednesday September 10, 2003 @01:14PM (#6923217) Homepage Journal
        Not necessarily. It is just as likely that there are no really great hackers. For one thing, there's no proof that there are anythin other than the self important run-of-the-mill kind of hacker other than creepy speculative statements made by self important members of the "security" community. I know a lot of smart people who disappeared off the face of the earth too. Once in a while I rediscover them, working in coffee shops or as security guards at the zoo. They dropped contact when they gave up on intellectualism for a life of hedonistic pleasures like having friends and making a little money.

        You know, it's funny...as much as people here hate on Microsoft for using FUD tactics, they seem to okay the computer security industry using the same tactics to scare people into buying expensive security audits. Better buy a new firewall...Bigfoot broke the cisco backdoor and the Loch Ness Monster could be SSH'd into your daughter's underwear drawer right now and we'd never know because they're using special Voodoo IP addresses that cannot be logged!

        See, hackers work by writing code to exploit bugs. It is impossible to write code that is bug free. It is just as impossible to write exploits that are bug free (see: that blaster "fix" that did as much "damage" as the worm did). As such, it is impossible to write code that is completely indetectable. There are bound to be bugs in the indetectability. So this whole idea that stealthy ninja superhackers are sliding in and out of our nation's mainframes without anybody knowing is something I tend to place in the same realm of fiction as bible code.

        And if you were "good enough" to write invincible code, it seems to me you could lead a much better life without this stupid Swordfish subterfuge, teaching your methods to senior programmers across the country for big bank. Shit, I'm sure MS has an opening somewhere. The New York Times definitely does.
    • by CrashPanic ( 704263 ) on Wednesday September 10, 2003 @11:00AM (#6922016) Homepage
      He blew his cover and then surrendered?!

      Boy what a Lamo
  • by JohnGrahamCumming ( 684871 ) * <slashdot.jgc@org> on Wednesday September 10, 2003 @09:54AM (#6921261) Homepage Journal
    more than $25K damage to New York Times Co.,' and performing LexisNexis searches on
    his own name to the tune of $300K! I always find it interesting that so little tinkering
    can cause so much 'damage' (if you didn't get that wink, read the article about the
    nature of the 'damage').


    No I don't get the 'wink'.

    These damage figures really don't seem very unreasonable, especially given what Kevin
    Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
    cost of the people of had to evaluate and repair his intrusion into the network). As for
    the LexisNexis searches that cost is probably easy to calculate because they charge for
    use of the service and he probably used $300,000 worth of the service without paying for it.

    If he'd been accussed of millions of dollars of damage for these intrusions then I might be concerned
    that the prosecutor was going overboard, but this seems pretty sane to me.

    John.
    • Well, he apparently told them how to fix it (or did he not with the New York Times?) - so if he did it I wouldn't think it would cost anywhere near $25,000.
      • by InsaneGeek ( 175763 ) <slashdot@@@insanegeeks...com> on Wednesday September 10, 2003 @10:11AM (#6921400) Homepage
        I never quite got this... would you really trust a hacker to tell you everything he did? Some anonymous person on the internet breaks into your system and you will just take his word for it? A security incident is a security incident you have to do the same work either way:

        offline the system
        investigate the system to find intrusion
        do a complete reload from scratch
        identify other systems on the network with same vulnerability accessable by compromised system
        make decision to roll dice and guess others were not compromised or rebuild those systems also

        number of steps left out but you get the drift, the entire network is compromised and I don't trust my job let alone hundreds of fellow employees jobs, on a completely unknown person telling me they really didn't leave any back doors and didn't do anything at all after they intentionally broke into a system
        • by Anonymous Coward on Wednesday September 10, 2003 @10:22AM (#6921540)
          But if they had discovered this on their own, they would have still had to have gone to the same expense.

          Just because he's the only one that ever told them that he was able to do it doesn't mean that others weren't.
        • Personal case (Score:5, Interesting)

          by Anonymous Coward on Wednesday September 10, 2003 @10:24AM (#6921556)
          (Anonymous for obvous reasons)

          I don't live in the US. In my early days on the university I was involved on a serious case of hacking. Being a nerd for network security I once told a university network administrator, that happened to be a good friend of mine and a student of one of the classes I gave at the time (on network security) on a institution unrelated to the university, that the university network was 'easy hackable', he challenged me for a proof and I responded. About four months later I found myself in deep trouble: my network account was surrendered and all my e-mail was analyzed by the network administrators. For some reason (only known to a 18 years old) I had sent an email to a friend telling him that I had cracked about 2000 passwords on the university network.

          It turned out that since my 'friend' spoke with me he went with his superior and 'bought' a promotion for turning me in. The only proof they had was the email and a private conversation recorded without my permission (by a university student, not a government office) where I admitted to have cracked the university super-computer and a cluster to write, compile and run a distributed program that kept running for a little over two months (without anyone noticing it, it stopped running because I decided to stop it).

          To get on-topic: They claimed that my actions had caused over US$ 100K. After 6 months of trial (where I has assisted by some great voluntary people) I walked out with a restraint to use any university computer for 4 years, and being unable to create accounts for any ISP in the state for 2 years.

          The morale of the story is this: You fight. And fight hard. If you do so the people will support you, because you are fighting from the right side. Take it to the end, at some point justice will be served.
        • by kfg ( 145172 ) on Wednesday September 10, 2003 @10:30AM (#6921618)
          One of the first things you learn when you begin working in computer security, especially as an outside contractor, is that your customers don't trust you as far as they could throw the Empire State Building.

          In fact, you will be reviled. You will have a hard time convincing many people to hire you because they're scared to death of you in the first place. Once they do hire you you will be assumed at some lizard brain level to be doing something nefarious.

          This is one of the reasons why network security is so poor. Companies are loath to allow outside security experts anywhere near the place.

          This is one of the reasons white hat hackers like Lamo do what they do. The companies aren't doing what they should, out of fear, thus leaving all the doors wide open. It's a deriliction of duty that the white hats expose to the public.

          The companies don't always take kindly to the fact that their customers then know how poorly their personal data is being protected.

          Obviously the way to handle the matter is to attack the white hat. Go figure.

          Now these same companies don't hesitate a second to call in a locksmith to handle their physical security. They don't worry that when a lock gets changed the locksmith is secretly making a copy of the key so he can break in at night and clean them out, even though this occasionally actually happens.

          Why not? Because physical locks aren't black magic beyond their understanding.

          Rather than gain that understanding they'd rather fear. Again, go figure.

          Computer security experts are like people who treat lepers. We aknowledge that they are needed, but we don't want them around our house.

          God forbid they should marry our daughter or something. We'll never sleep at night.

          KFG
          • Because physical locks aren't black magic beyond their understanding.

            No, but to most people they're certainly gray magic at best. Generally speaking, people don't know how a lock operates anymore than they can explain how a password works -- it just does. The difference is that there is a tactile mechanism for it. I've found that some people trust keypads less than they trust combination locks; some have good reaons, and some have not-so-good reasons.

            Something that is usually far beyond the understand
        • I bought a car alarm for my car. If I find someone trying to break into my car, can I charge the burgler for the cost of the alarm?

          outragous? yes.

          I bought a car alarm for my car. If I find someone trying to break into my car and need to update my car alarm, can I charge the burgler for the cost of the NEW alarm?

          outragous? HELL YES.

          but.. whatever, its a computer crime, i'll strangle the terrorist myself.
      • Hey may have told them how to fix it, but that does not meen that they didn't spend a lot of time double checking *EVERYTHING*. Just becaue he tells you exactly what he did, does not mean you trust him. After all he just broke into your computers and messed them up.
      • Considering what some people make and the number of people involved with a corporate security breach, this isn't unreasonable. I bet the labor costs for everyone involved is easily more than $25K.

        Although he had good intentions, I can't agree with his methods. He may have just been having fun, but even he has to realize the legal implications for everything he has done.
        • by Morosoph ( 693565 ) on Wednesday September 10, 2003 @10:25AM (#6921566) Homepage Journal
          It seems to me that engineers view security breaches very differently from most people; we're used to having to fix all bugs, and it becomes natural to think of someone who's managed to break a system as having done good; the clean-up costs are not the costs of the breach, but the costs of the bug, as yet unforseen.
          I get the impression that this is not how the average person thinks at all. When something fails, the most obvious culprit is the person that broke the system. There might be secondary concerns, but the first thing to do is to find blame.
          By contrast, the engineer is almost grateful, at least once the bug's been fixed!
          My thoughts are that people who break things without malice, although they might be in some sense "trespassing", deserve some protection, as egos do not deserve the protection of the law. The law should instead be structured so as to make secure systems more probably, ie. intelligent cost/benefit analysis is the order of the day, not ideological moaning about property and tresspass.
      • The problem is, how do you trust someone who's just broken into your systems to tell the truth about how they did it? Or to tell you everything they did? You can't, so you must look over everything, and probably reinstall your systems.
        • That's why you employ two or three of them remotely, without telling them about eachother. Any back doors that one of them puts in, the other will find, and vice versa. As long as they don't know about the other(s), you should be in the clear.

      • That is good for a first pass. But just trusting him is malfeasance, pure and simple.
      • Well, he apparently told them how to fix it

        If somebody hacked into one of my machines and then told me how to fix it, I'm afraid I'd be just the *teeniest* bit reluctant to take what they said at face value.

        As a result, at the very least you've got to expect the NY Times had to pay for a forensic analysis of the network and a total rebuild of any compromised systems.

        Would that cost $25,000? I dunno. It doesn't sound completely outlandish to me but I don't know anything about the NY times's systems.
    • by Trigun ( 685027 ) <evil.evilempire@ath@cx> on Wednesday September 10, 2003 @10:00AM (#6921322)
      As long as they have to prove the damages, rather than having the judge readily accept them. In fact, who cares about how much damage is done, as long as it's over the $5,000. If he broke the law, he broke the law, he didn't break the law by $320,000. That would be essentially ridiculous, turning law from an ethical measure to a monetary one (well, more so).
    • by kfg ( 145172 ) on Wednesday September 10, 2003 @10:15AM (#6921445)
      I do get the wink.

      Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

      Or is that maybe a capital expense that's my responsibility in the first place? Especially if I've taken on the responsibility for protecting the safty of other people's property and papers as part of a commercial operation.

      Also, is this expense an actual additional one, or did I maybe already have a handyman on salary who simply did it as part of his normal duties?

      For $25K the NYT could have hired me for a full quarter to go over their security systems. Did they really do something like that, or did a couple of guys on staff have to spend some of the time they normally would have spent goofing off actually doing their jobs?

      Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

      ( The answer, of course, is that Lamo made his audit public. Still, it's not the simple B&W issue you might think)

      The Lexis-Nexis thing is clear theft of services. Given the white hat Lamo was wearing I can understand that he had to do that just to demonstrate that he ( and thus anyone else) could, but it might not have been the smartest thing to do. I'd sure as hell want to see the actual bill though before I'd assent to the fact that he actually used $300k worth of the service.

      KFG
      • by Evil Adrian ( 253301 ) on Wednesday September 10, 2003 @10:29AM (#6921608) Homepage
        Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?

        Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."

        Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

        END OF STORY!

        Hacking is illegal, everyone knows it, why are you getting pissed about it? Leave other people's shit alone unless they specifically ask you to fuck with it, or you will get in trouble! That is NOT a difficult concept to grasp!
        • by _bug_ ( 112702 ) on Wednesday September 10, 2003 @11:10AM (#6922171) Journal
          Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.

          Actually it may not be a clear cut illegal intrusion. If Llamo never encountered an "authorized use only" or "for NYT staff only" message then it can (as has been in the past) argued that Llamo had no reason to believe he was accessing an area of the NYT network he was not suppose to. Given that he was accessing it via the Internet which is a PUBLIC network.

          That may be why the NYT is trying to put a dollar figure to the "damage" Llamo caused. Then they can argue property damage.

          • Does that mean that unless i put a "no trespassing" sign on my door you can come into my house uninvited? Even though the street from which you entered is public property?

            I think not.
            • Does that mean that unless i put a "no trespassing" sign on my door you can come into my house uninvited? Even though the street from which you entered is public property?

              Bad analogy - but this is /. after all.

              If you own a private piece of land, but make it into a park and invite people to use it (perhaps charging a small fee for access to some parks of the park, or maybe getting revenue from advertising on park benches), then unless you put a no trespassing sign on that special flower bed over there, I
          • This guy left a memo to notify the security holes. That proves he was aware that he was intruding.
        • by Merk ( 25521 ) on Wednesday September 10, 2003 @11:52AM (#6922465) Homepage

          Who defines "breaking into"?

          If someone misconfigures their web server so it points at "C:\My Finances" and you surf to their site, are you breaking into their system? What if they configure it so it points to "C:\" and you click on the "My Finances" link? What if they have a default "Welcome to XXX" page but you type in the url: "http://www.icantconfigureiis.com/My%20Finances/"? What if you do a portscan on them and try to connect to a nonstandard port? What if you run a rootkit on them?

          Obviously the latter examples are reasonably defined as "breaking in", and the former ones are not, but where do you draw the line? Is it a judgement call about what someone reasonably expects you to be able to see?

          From what I have read, it is pretty obvious that this guy saw some things that he reasonably couldn't believe he was supposed to see. On the other hand, he did it all through a web browser. It's not like he was running rootkits. He was simply poking around and being nosy. The onus should be on the NY Times to have some reasonable standard of security in place that can't be compromised by Mozilla.

        • by Lightwarrior ( 73124 ) on Wednesday September 10, 2003 @12:30PM (#6922793) Journal
          > ...IT'S ILLEGAL TO DO SO.
          > END OF STORY!
          It's not that simple.

          One of the founding principles of the USA is that "right" and "wrong" can change over time - hence the ability to modify our set of laws. As another poster pointed out, slavery was legal for quite some time - that didn't make it right, and people were forced to take action to make it illegal.

          Free speech is one of the methods given to US Citizens to let the government know how we think they're doing. However, as has been shown innumerable times over, sometimes doing something "illegal" is necessary in part of the protest. There are times when people won't see how silly a law or rule is until it is broken repeatedly in front of their noses.

          We're living in a time when more and more of our information is becoming more and more accessible. There are people out there whose intentions (good or ill) are not being backed by reasonable security. Accessible personal information and light or no security do not mix well.

          I'd greatly prefer it if we could live in a world where everyone could be trusted "to behave". If we could trust people not to break into each other's homes, we wouldn't need door locks. Sure, it's illegal to break into another person's home - but does that mean that you don't need to lock your door?

          Or that you should never check your door to be sure it's locked?

          Most importantly, are you willing to take the risk of leaving personal, private, or otherwise valuable information or things laying around, in plain view, behind an unlocked glass case (alarmed though it may be)?

          Every time a case like this gets into the newspapers, it is a bold reminder to corporations that they are at risk. Without a threat of loss, security grows lax. Be greatful this person did not act with a significant malicious intent, and learn from it.

          -lw
      • by greenhide ( 597777 ) <jordanslashdotNO@SPAMcvilleweekly.com> on Wednesday September 10, 2003 @10:30AM (#6921631)

        Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."


        Here's a harsh example: If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

        As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

        The faulty lock isn't a good analogy. A better analogy is that you have a normal working lock, and the person is an extremely adept locksmith who also knows how to circumvent security systems. Don't think "This Old House", think "Mission Impossible".

        These servers weren't left totally out in the open, otherwise people would be hacking into the NY Times *all the time*. I mean, wouldn't it be tempting to be able to put any message you wanted, up for viewing to many millions of people?

        I'm sure the NY Times spends a whole lot on security, and does a pretty good job at it. This Adrian fellow is a really good hacker; that's all there is to it. Any system that must connect to the Internet is inherently insecure. The people at the NY Times have probably made a very careful balance between making their servers secure, and making it possible for employees to access it from the thousands of locations across the globe where they have staff, reporters, subscription offices, and distribution and printing centers.

        I think anyone who blames the NY Times in this case is expecting too much. I'd like to see how *your* computers handle a hacking attach from this guy.
        • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday September 10, 2003 @10:50AM (#6921875) Journal
          No one, least of all Lamo himself, suggest that Adrian Lamo is a really good hacker. He goes after low hanging fruit. He finds b2b systems with default passwords. He finds unpatched systems.

          The only reason he's famous is... wait... I can't think of any good reason why he's famous.

          IMHO, the analogy should be that his crime was saying, "The NYT keeps your credit card information on their kitchen table, and they don't even have a lock on their back door."
          • by dipipanone ( 570849 ) on Wednesday September 10, 2003 @11:15AM (#6922239)
            IMHO, the analogy should be that his crime was saying, "The NYT keeps your credit card information on their kitchen table, and they don't even have a lock on their back door."

            No, his crime was the break in. Exposing the Times's idiocy was what provided the motive to ensure that that crime was prosecuted to the fullest extent of the law.

            To return to the house with the flawed lock analogy, what Lamo did was equivalent of opening your front door, and then announcing to everyone in the street that you have a taste for erotica featuring barnyard animals.
        • by gregbaker ( 22648 ) * on Wednesday September 10, 2003 @11:02AM (#6922051) Homepage
          As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.

          Ummm... you should probably be worrying about that anyway.

          I'd like to see how *your* computers handle a hacking attack from this guy.

          So would I. It's hard to know about the flaws in your system--you pretty much keep things patched, watch the logs and hope. An email from a benevolent hacker that says "You really need to change..." would be appreciated.

        • by ziriyab ( 549710 ) on Wednesday September 10, 2003 @11:33AM (#6922386)
          If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?

          Very good point. Just one problem: If you look and weigh anything like the rest of us slashdotters, you may be setting your price a bit high. I've found that 10 cents (Canadian) is the most any one of us here can expect for our sexual services (we have to pay for the condom and flowers ourselves). The worse part is when they try to haggle and get more for the 10 cents. I once had to throw in a week of tech support for free.

        • "If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?"

          No, let's say you have cancer, but you don't know it, and you are not getting proper check-ups so you aren't going to find out. Some self-proclaimed doctor rigs the urinal you are about to use so that he can get a sample of your urine. He then takes the sample to his lab in the basement (without your knowledge) and performs a urinalysis. When he discovers you have cancer, he fully disclos
    • by Proaxiom ( 544639 ) on Wednesday September 10, 2003 @10:16AM (#6921455)
      To start with, the damage figures in the Kevin Mitnick case were entirely unreasonable.

      And cost to evaluate and repair are a little hard to get a handle on. If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data). 'Repair' can have a much higher cost, but it also has a marked benefit. Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact). It's like accusing a building inspector of causing damage when he points out the crumbling foundation of your house. (The difference here, that Adrian's actions were illegal, is not lost on me, but we're talking strictly about damage computation).

      LexisNexis is a little different. Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money. This is much the same as copyright infringement 'damages' where the RIAA claims you downloading 1000 songs costs them thousands of dollars, even though most people would have actually purchases only a small percentage of the songs they downloaded. Adrian may have incurred costs using system resources if he caused inconvenience to other customers, and again there are assessment costs as well.

      • by Jerf ( 17166 ) on Wednesday September 10, 2003 @11:16AM (#6922256) Journal
        If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data).

        I disagree. One of the problem is that when a hacker attacks, you can't necessarily trust the logs. In fact there's a lot of people of the opinion (and I'm one of them) that unless you really know exactly which vulnerability was exploited and how it was exploited (like a common worm comes in that doesn't install a shell and there's no evidence that there was any other person actively involved in the hack), the only proper thing to do is completely re-install the system from either known-good backups (and labelling backups "known good" is itself an interesting challenge), or even from the original CDs.

        Things like "tripwire" are just that... tripwires. They really shouldn't be used to help repair the system because once the system is compromised you can no longer trust the output.

        For a business-critical machine, and well-paid admins (which you should have!), and counting downtime, $25,000 is entirely reasonable.

        Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact).

        Since fixing a vulnerability is typically a matter of applying a patch, odds are it does not account for more then $100 or $200 of the damage if it was computed rationally. Evaluation, analysis (which even if you re-install from scratch MUST be done, to see if any customer or private data was compromised), re-install, and lost business swamps that expense. Trying to talk the damage value of this down isn't really useful since it's such a small part of the value, in all likelihood.

        $25,000 is quite reasonable.

        Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money.

        Yes, this is most likely absurdly inflated.

        1 for 2 is actually a significant improvement for our system, and this is a good sign, IMHO.
    • by badasscat ( 563442 ) <basscadet75@@@yahoo...com> on Wednesday September 10, 2003 @10:19AM (#6921496)
      No I don't get the 'wink'.

      Nor do I. I don't know what's up with Slashdot lately; this is a tech news site, not a script kiddie site. We're not here to learn from famous crackers or to congratulate each other for taking big sites down. Crackers are criminals and they need to be punished. They do cause damage. The implication in the comments at the head of this are that this guy didn't really do anything wrong and so should get off... just like the 18 year old "kid" who got busted for the MSBlaster virus variant a couple weeks ago, at which time I read similarly ignorant and even stupid comments here.

      The NY Times is 2 products; an offline and an online newspaper. You knock the online version out and you've killed half the products the company offers. Advertisers need to be repaid, workers have to be paid even though they can't do any work, etc. And you're going to lose a certain number of readers to other sites, some temporarily, others permanently. I agree that the numbers here do not seem unreasonable at all.

      But then I shouldn't need to explain why crackers should go to jail. This is Slashdot, we should all understand this stuff already. There's no reason why a tech news site should favor crackers over commercial internet interests; it's all tech, it's just that one side of the issue here happens to be criminal.

      My company's web sites have been the victim of numerous DoS attacks (no, I do not work for SCO - I work for a company you guys like, though I don't really want to say which), which while using different methods amount to the same thing this guy did - it's all denial of service, and it does cost companies money. I have absolutely no sympathy for this guy and hope he gets the book thrown at him.
      • by jkauzlar ( 596349 ) * on Wednesday September 10, 2003 @10:57AM (#6921976) Homepage
        I have absolutely no sympathy for this guy and hope he gets the book thrown at him

        Is it because he has embarrassed you by lessening your company's technical credibility? I'm not trying to troll, but I wonder if $300k really is a realistic fine to apply to someone who essentially is just spraying graffiti, breaking and entering and having a look around.

        Slashdot is not supporting this behavior, only trying to keep the possible wild misuse of government and corporate power in check. Most 'script-kiddies', at worst, are just nerds who perhaps need a public playground for their talents. Let's keep some perspective. That's what slashdot is about.

      • Read the subject. The problem is the damage figures.

        I haven't been following the story closely, but nothing I've seen has suggested that he attacked them in any way, DoS or other.

        How did it cost the NY Times to have someone find a security flaw in their system? How much did it save them that the guy who found it didn't exploit it?

        If someone tells me my shoe is untied, I can't sue them for the time it takes me to tie the shoe. Whether I was told or not, the shoe would have been untied. At least

  • Useful links. (Score:5, Informative)

    by sekzscripting ( 687192 ) * on Wednesday September 10, 2003 @09:54AM (#6921263) Homepage
    Here's a few extra (useful) links: free lamo [freelamo.com] - adrian support site [run by kevin mitnick's girlfriend], the screen savers [techtv.com] - shot video [techtv.com] of adrian moments before his surrender, trigger street [triggerstreet.com] - running a documentary on hackers, currently they're following adrian's story..
  • Negotiated? (Score:4, Interesting)

    by bobthemuse ( 574400 ) on Wednesday September 10, 2003 @09:55AM (#6921267)
    "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."

    You have to negotiate for this now? So if they never tell him what he's charged with, can he get a reduced punishment? :-)
    • Re:Negotiated? (Score:2, Informative)

      by jdunn14 ( 455930 )
      I believe the issue is whether the charges are publicly disclosed. He would have to know that the charges are in order to defend himself, but the nature of the charges might not see the public light of day without the negotiation.
  • Quick.. (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Wednesday September 10, 2003 @09:56AM (#6921279) Homepage Journal

    Start printing stickers that say "Adrian" which you can apply over the word "Kevin"..
  • Lexis/Nexis and NYT (Score:5, Interesting)

    by Speare ( 84249 ) on Wednesday September 10, 2003 @09:56AM (#6921288) Homepage Journal

    What would you want to bet that Lexis/Nexis just winks and nods at their huge customer, The New York Times, Inc., and waives much of the actual charges that resulted from automated searches on Adrian Lamo. At their prices, there is probably still over $25K worth of manual labor involved... Lexis/Nexis is a premier service with some amazingly in-depth methods.

    Plus, the scouring job that's required by NYT's IT department to ensure there aren't any new "easter eggs" in their system will go into significant coin too. I don't agree with the preposterous insurance-claim oriented figures that go into these 'cracking' news stories, but you can't just trust a superficial system cleanup after being cracked.

    • by exhilaration ( 587191 ) on Wednesday September 10, 2003 @10:05AM (#6921356)
      You forgot the costs of retraining new network admins after firing the incompetent fools that left the NY Times network wide open.

      Oh wait, those fools are probably still employed, and they're probably the ones doing the "scouring".

      Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.

      • Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.

        In most cases, that would not solve the problem. Now if they were to go after the management who ordered holes in the security or refused to allow the admins to apply patches and implement good security practices, then you would be talking.

  • by Anonymous Coward on Wednesday September 10, 2003 @10:01AM (#6921325)
    The man's name is Lamo. Hasn't he suffered enough?
  • by SirSlud ( 67381 ) on Wednesday September 10, 2003 @10:01AM (#6921331) Homepage
    Jail that obviously highly intelligent individual!

    Yes, I'm joking. This kid sounds like a bright fish .. why jail him? Surely he can contribute in a positive way to society? It sure sounds like he doesn't have any malicious intentions other than prove what every engineer knows - you often need to experience failure before you address a weakness in your design. Better to have failure 'encouraged' by a guy who's willing to help you lock down your network after the fact than some dude who gets in the door and heads straight for client lists, credit info, etc ..
    • by NDPTAL85 ( 260093 ) on Wednesday September 10, 2003 @10:07AM (#6921374)
      Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?

      Now imagine word spreads about this type of behaviour with no consequences (jail time). Now you'll come home every week or 2 or 3 times a week to some unauthorized person sitting in your living room? Is this what you want? Its just fine and dandy because the intent is good right? What? Road to hell? What? Paved with good intentions?
      • Why are you comparing it to your home? He hacked corporate servers! It's more like finding an intruder has manged to get past your security and knocked on your office door.
      • If this annoymous invader then offers to help replace the locks with ones that are harder to pick, sure. I mean, what's the big f-cking deal? He didn't cause damage, plain and simple. All he did was embarass their security people. I wish I could get $300K every time I got embarassed.
      • Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?

        Actually, yes, if the guy offers to fix the problem. It would be wildly better than not fixing the security problems and coming home to find my TV, computers, stereo, etc gone and "J00 Sux0r!" spraypaint

  • by teamhasnoi ( 554944 ) * <teamhasnoi@yahoo.cLIONom minus cat> on Wednesday September 10, 2003 @10:02AM (#6921334) Journal
    They left the site open. Do I get to sue Microsoft for servers that I don't patch? (Please?...)

    Besides, I'm thinking that there was more than 300,000 dollars worth of damage to their reputaion after this [jeffooi.com].

    They need look no further than their own offices to find fault.

    • Analogy:

      I come home from work to find my front door open and some teenager in my living room. He proceeds to tell me how poor the lock was in my front door, how to install a better lock, and by the way, he racked up $100 of calls while I was away.

      You who's at fault, and you know I'd kick his ass.

    • by greenhide ( 597777 ) <jordanslashdotNO@SPAMcvilleweekly.com> on Wednesday September 10, 2003 @10:21AM (#6921518)
      Hmmm... I have a feeling they didn't leave the site open. They just didn't make it unhackable.

      It seems like this Adrian fellow is a pretty adept hacker. It's probably not easy to break into Yahoo and similar sites.

      Here's a good analogy: Say someone is a great locksmith, and he breaks into your house, snoops around, reads private information that you have locked up in your cabinets, and then uses your phone to make a bunch of long distance phone calls. Should this person be held liable, even if they are willing to give you, for free, a "Brand New Burglar Detection System"?

      Hell, yeah, they should. I personally have a hard time believing that Lexis Nexus really would have charged NY Times $300,000 for the searches that Adrian did -- surely they can't be that expensive -- but otherwise I believe that yes, he should pay for his actions.

      If someone breaks into my car and crashes it into someone's house, I shouldn't be held liable, he should. Just because I left it unlocked (or locked it, but didn't use the Club) does not make me culpable.

      And yeah, the New York Times had a real image problem when one of their reporters turned out to be a real idiot. It's possible that a few of their advertisers jumped ship. But it seems like they're doing fine now, especially since they were so open about their mistake and showed a willingness and intent to improve.

      If Adrian is such a great damn hacker, why doesn't he just go straight to the corporations and say, "Look, I know that I can hack into your system. How about you pay me to make it more secure." Rather than hacking in, and then saying, "Hey, let me make it up to you by showing how to secure it for free." See, that way, he gets money instead of going to jail.

      Now that the NY TImes has pressed charges, I don't see anything that will get him out of this situation. He probably won't get a lot of time in jail, and hopefully he will be able to work out some kind of agreement where he offers his technical expertise and knowledge to offset some of the costs he incurred.
  • by Morosoph ( 693565 ) on Wednesday September 10, 2003 @10:02AM (#6921338) Homepage Journal
    This story makes me sad. The judge had a "last minute" idea, "Oh yeah, let's ban him from using computers", probably the only thing that really gave purpose to the life of a tramp. Getting a "real" job cannot be a substitute, and as The Register points out, Adrian wasn't exactly writing viruses. Quote:
    Following the recommendation of a federal pretrial services officer who interviewed the hacker in custody, Hollows ordered Lamo to obtain full-time employment or enroll in college pending trial. The ban on computer use was the judge's idea.

    "This whole business of computer hacking, viruses and so forth is getting very wearisome," said Hollows, explaining his thinking from the bench.
    There is something depressing about the whole "join society" ethos, that is, conform to everyday mediocrity.
  • "damage" (Score:3, Interesting)

    by TheSHAD0W ( 258774 ) on Wednesday September 10, 2003 @10:03AM (#6921344) Homepage
    Just because you catch me strolling across your yard doesn't mean I should pay for having it fenced.
    • Re:"damage" (Score:2, Insightful)

      by stratjakt ( 596332 )
      Your trespassing fine will wind up paying for increased police patrols of my neighbourhood.

      Now enough with the stupid analogies.
  • Macki's take... (Score:2, Informative)

    by Anonymous Coward
    While guest editing BoingBoing's mini-blog, Macki posted his opinion. [boingboing.net]

    "Marlowe" offers up some Timothy Leary on the message boards [quicktopic.com].

    What are we really feeding into here?
  • ... on when nytimes.com gets defaced. How many times did it have "Free Kevin" plastered on it again?
  • by mactari ( 220786 ) <`moc.liamg' `ta' `krowfur'> on Wednesday September 10, 2003 @10:14AM (#6921431) Homepage
    From The Reg [theregister.co.uk]:
    Under the terms of his release, Lamo's future wanderings will be confined to the northeastern half of California, and southern New York state, unless he gets prior approval of the court to travel elsewhere.

    Hrm. Wandering from NE Cali to south NY w/out going anywhere inbetween would seem about as easy a commute as getting from the West Bank to the Gaza Strip.

    Then they tell the fellow he can't use a computer but has to get full-time employment! I imagine anyone savvy enough to Slashdot can see the irony there. ;^)

    To completely switch gears, did anyone else find it weird that a paper would have SS#'s for people who have written op-ed pieces [for Lamo to find]? I suppose that implies they were *paid* for the pieces, but it still seems a bit strange.
    • Then they tell the fellow he can't use a computer but has to get full-time employment! I imagine anyone savvy enough to Slashdot can see the irony there. ;^)

      Yeah, he can get a job waiting tables. Or shovelling shit. Or flipping hamburgers. Tough shit for him.

      Pedophiles are ordered to stay away from children, 'r337 hax0rz' ordered to stay away from computers. Makes perfect sense. You commit a crime, you give up some rights.
  • by reallocate ( 142797 ) on Wednesday September 10, 2003 @10:14AM (#6921438)
    Sounds like a kid with an inflated ego and a bit of a Robin Hood complex.

    I wouldn't feel like thanking someone who broke into my house while I was on vacation, nosed around in my papers, and then told me about my "security problem" when I returned home. Why would I, or any business, reward the same kind of behavior inside someone else's network? Both examples are, at minimum, illegal invasions of another's property.

    Businesses that didn't press charges against this guy were negligent and only encourage the phony notion that crime on a network isn't serious.
  • by Rolken ( 703064 )
    You get burned. Anyone who breaks the law and flaunts it is going to get caught, regardless of how honorable his intentions. Laws do not only exist to punish "bad guys;" they exist to make society an orderly place, and people who run around hacking others' servers willy-nilly are going to be causing chaos (ie the costs of the IT department figuring out wtf's going on with their network, as someone else mentioned). Awhile back the DoD conducted an authorized hacking of their system (with unpleasant conclusio
  • by tarnin ( 639523 ) on Wednesday September 10, 2003 @10:16AM (#6921456)
    This is again along the lines of "We dont really want to make sure were secure so we'll just sue/have arrested anyone who finds anything." These are also the same people who loby the gov to pass laws to do this. It's amazing how little people acutally care about how secure their network or computers are and instead care more about huge fines and sentences so they can keep their networks insecure.

    None of this has ever made any sense to me. Why is it that leaving a network insecure is fine and dandy but someone comming along and finding out its insecure then entering it a bitter no no then breaking and entering into a house? Didn't we learn long ago to close and lock our doors at night and when we where away? Some of these security holes are equvilant to a wide open window with no screen in it while were on vacation for a month. Yes, its still illegal for someone to enter the house and steal someting but doenst common sense tell us "Hey dummy, close and lock the doors and windows!".

    I'm also wondering if they have any case on this. Didn't the NY Times take his help originaly to secure the network? I know the statue of limitations hasnt paned out on this but at some point someone kinda has to say "Ahh well why are you taking him to court now after he helped out originally?". Just another "See what we do to these bad bad men!" cases.
  • by Zork the Almighty ( 599344 ) on Wednesday September 10, 2003 @10:18AM (#6921482) Journal
    TOP STORY : The Associated Press website is under attack. A flood of connection attempts beginning at 02:52PM Eastern time have rendered the website unavailable. Initial reports suggest that this attack originates from an organization known as "Slashdot", however it is unclear whether this is a terrorist organization or whether terrorism is involved.

  • He accesses somebody his network, tells them about it "oh but hey i didn't do anything bad".

    If YOU were the sysadmin in question, would YOU believe him? No you'd have to check all your systems... And that costs money (=damages).

    • but if he really didn't "do anything bad" and you spent some time fixing your "systems", wouldn't your overall security be enhanced ultimatley protecting you from future attacks therefore saving money?
    • yes they might have to rebuild their machine (or network) from scratch. But they'd have to do that anyway if they got cracked by a malicious hacker which is really just a matter of time. You have two options. If adrian hacks your site, you have an insecure site and you know about it. If adrien doesn't hack your site you have an insecure network and you don't know about it. Which would you choose?
  • by Alioth ( 221270 ) <no@spam> on Wednesday September 10, 2003 @10:25AM (#6921561) Journal
    Wonder why he turned himself in? If I was in his shoes, I'd go on the run because:
    * it seems like anything to do with hacking == terrorism. Justice won't be served, long prison sentence
    * being obviously young, not particularly bad looking and probably not physically strong means almost certain prison rape.
    * already leading a nomadic lifestyle so why not continue.

    However, in his position, I'd probably no longer publicise what I was up to. I think he has made some grave tactical errors in letting his identity being so publically known (and this is why he probably decided not to stay on the run, because his photograph has already been so widely published).

    I hope his punishment is in proportion to the crime though - not some arbitrary "war on terror" sentence.
  • What I don't get is which planet the judge lives on. I hope he'll provide Adrian a reference.

    Get a job - "I'm very interested in joining your company, as long as my court case goes well" - don't call us.

    Go to college - parents house is up as bail, and I doubt he'll get state/federal assistance while the court case is pending.
  • by SunCrushr ( 153472 ) on Wednesday September 10, 2003 @10:33AM (#6921660) Homepage
    Good luck at your FBI job interview... er I mean hearing on Thursday.
  • by TyrranzzX ( 617713 ) on Wednesday September 10, 2003 @10:37AM (#6921698) Journal
    The Times called the FBI after Lamo browsed sensitive data on its computers, including Social Security numbers for celebrities and government officials who are among the 3,000 contributors to its op-ed page.

    Sensative data, sounds like he got more than cc numbers. Also sounds like he has a political ageda, which is ok by my book. You can get lotsa info off of the Nyt's internal system; memo's, drafts, omitted papers, letters from people with political agenda's....

    In any case, this is akin to breaking into a musieum to steal stuff, and instead of stealing he took pictures (very exact ones) and left a how-to note. He didn't damage anything, he showed them security holes in exchange for internal data. They don't like the internal data getting out...

    BTW, any good company will resecure their systems after any consultancy and scour it for software; some firms can't be trusted.
  • by psxndc ( 105904 ) on Wednesday September 10, 2003 @11:20AM (#6922303) Journal
    A lawyer friend of mine told me once that services like LexisNexis and Westlaw charge their clients something like $500 per search. Not per session. Per search. Think about that the next time you search on google, don't like what you get, and search again. Pretty easy to see how he got up to $300k that way.

    psxndc

    • by Anonymous Coward
      Not only that... the "scope" of the search can have a value as well... a single "mega search" that goes into the same records that the NSA, FBI, Homeland Security, TSA use [lexisnexis is one of the companies that houses some of the data that those orgs use] costs the law enforcement only $~50 a search as part of a reciprical contract, but is sold to lawyers/general public at $7000-$12000 a SINGLE SEARCH.....
  • I say again (Score:4, Insightful)

    by BortQ ( 468164 ) on Wednesday September 10, 2003 @12:04PM (#6922574) Homepage Journal
    Get a slashdot interview with this guy.

"I am, therefore I am." -- Akira

Working...