Adrian Lamo Surrenders 639
clafarge writes "Three days after
Adrian Lamo was charged with hacking, he surrendered himself to marshals at the federal courthouse in Sacramento. This according to a story on the AP's LiveWire. He's accused of causing 'more than $25K damage to New York Times Co.,' and performing LexisNexis searches on his own name to the tune of $300K! I always find it interesting that so little tinkering can cause so much 'damage' (if you didn't get that wink, read the article about the nature of the 'damage'). He's in his parents' custody on $250K bail."
webmaven
adds links to the same AP article carried by Wired, InfoWorld, and C|Net, and points out that more coverage can be found via Google News.
He writes: "Adrian negotiated the terms of his surrender, which included the charges in the warrant issued against him being disclosed."
He boasted.... (Score:3, Interesting)
Re:He boasted.... (Score:5, Funny)
Aw crap.
You got it (Score:5, Interesting)
All sarcasm aside, I once heard Prof. Gene Spafford [purdue.edu] of CERIUS [purdue.edu] say that some of his best students had simply dissapeared from the face of the Earth. He suspected that they were either recruited by Government organizations, or major corporations; and he was afraid that some even went to work for organized crime.
THESE people are the real pros. They get the job done, get paid, and quietly move on. They could live next door to you, and you'd have no clue that they crack heavily guarded systems for a living. For every Adrian Lamo or Kevin Mitnick, or even Peter Shipley for that matter, there are a half dozen guys way better that you'll never hear about.
Re:You got it (Score:4, Insightful)
You know, it's funny...as much as people here hate on Microsoft for using FUD tactics, they seem to okay the computer security industry using the same tactics to scare people into buying expensive security audits. Better buy a new firewall...Bigfoot broke the cisco backdoor and the Loch Ness Monster could be SSH'd into your daughter's underwear drawer right now and we'd never know because they're using special Voodoo IP addresses that cannot be logged!
See, hackers work by writing code to exploit bugs. It is impossible to write code that is bug free. It is just as impossible to write exploits that are bug free (see: that blaster "fix" that did as much "damage" as the worm did). As such, it is impossible to write code that is completely indetectable. There are bound to be bugs in the indetectability. So this whole idea that stealthy ninja superhackers are sliding in and out of our nation's mainframes without anybody knowing is something I tend to place in the same realm of fiction as bible code.
And if you were "good enough" to write invincible code, it seems to me you could lead a much better life without this stupid Swordfish subterfuge, teaching your methods to senior programmers across the country for big bank. Shit, I'm sure MS has an opening somewhere. The New York Times definitely does.
Re:Ah, the old boogeyman argument. (Score:3, Insightful)
Re:He boasted.... (Score:4, Funny)
Boy what a Lamo
Reasonable damage figures (Score:5, Insightful)
his own name to the tune of $300K! I always find it interesting that so little tinkering
can cause so much 'damage' (if you didn't get that wink, read the article about the
nature of the 'damage').
No I don't get the 'wink'.
These damage figures really don't seem very unreasonable, especially given what Kevin
Mitnick was accused of. It's pretty easy to rack up $25,000 in damage (i.e. in the
cost of the people of had to evaluate and repair his intrusion into the network). As for
the LexisNexis searches that cost is probably easy to calculate because they charge for
use of the service and he probably used $300,000 worth of the service without paying for it.
If he'd been accussed of millions of dollars of damage for these intrusions then I might be concerned
that the prosecutor was going overboard, but this seems pretty sane to me.
John.
Re:Reasonable damage figures (Score:2, Interesting)
Re:Reasonable damage figures (Score:5, Insightful)
offline the system
investigate the system to find intrusion
do a complete reload from scratch
identify other systems on the network with same vulnerability accessable by compromised system
make decision to roll dice and guess others were not compromised or rebuild those systems also
number of steps left out but you get the drift, the entire network is compromised and I don't trust my job let alone hundreds of fellow employees jobs, on a completely unknown person telling me they really didn't leave any back doors and didn't do anything at all after they intentionally broke into a system
Re:Reasonable damage figures (Score:5, Insightful)
Just because he's the only one that ever told them that he was able to do it doesn't mean that others weren't.
Personal case (Score:5, Interesting)
I don't live in the US. In my early days on the university I was involved on a serious case of hacking. Being a nerd for network security I once told a university network administrator, that happened to be a good friend of mine and a student of one of the classes I gave at the time (on network security) on a institution unrelated to the university, that the university network was 'easy hackable', he challenged me for a proof and I responded. About four months later I found myself in deep trouble: my network account was surrendered and all my e-mail was analyzed by the network administrators. For some reason (only known to a 18 years old) I had sent an email to a friend telling him that I had cracked about 2000 passwords on the university network.
It turned out that since my 'friend' spoke with me he went with his superior and 'bought' a promotion for turning me in. The only proof they had was the email and a private conversation recorded without my permission (by a university student, not a government office) where I admitted to have cracked the university super-computer and a cluster to write, compile and run a distributed program that kept running for a little over two months (without anyone noticing it, it stopped running because I decided to stop it).
To get on-topic: They claimed that my actions had caused over US$ 100K. After 6 months of trial (where I has assisted by some great voluntary people) I walked out with a restraint to use any university computer for 4 years, and being unable to create accounts for any ISP in the state for 2 years.
The morale of the story is this: You fight. And fight hard. If you do so the people will support you, because you are fighting from the right side. Take it to the end, at some point justice will be served.
Re:Personal case (Score:5, Funny)
So there.
Re:Reasonable damage figures (Score:5, Interesting)
In fact, you will be reviled. You will have a hard time convincing many people to hire you because they're scared to death of you in the first place. Once they do hire you you will be assumed at some lizard brain level to be doing something nefarious.
This is one of the reasons why network security is so poor. Companies are loath to allow outside security experts anywhere near the place.
This is one of the reasons white hat hackers like Lamo do what they do. The companies aren't doing what they should, out of fear, thus leaving all the doors wide open. It's a deriliction of duty that the white hats expose to the public.
The companies don't always take kindly to the fact that their customers then know how poorly their personal data is being protected.
Obviously the way to handle the matter is to attack the white hat. Go figure.
Now these same companies don't hesitate a second to call in a locksmith to handle their physical security. They don't worry that when a lock gets changed the locksmith is secretly making a copy of the key so he can break in at night and clean them out, even though this occasionally actually happens.
Why not? Because physical locks aren't black magic beyond their understanding.
Rather than gain that understanding they'd rather fear. Again, go figure.
Computer security experts are like people who treat lepers. We aknowledge that they are needed, but we don't want them around our house.
God forbid they should marry our daughter or something. We'll never sleep at night.
KFG
Re:Reasonable damage figures (Score:3, Insightful)
No, but to most people they're certainly gray magic at best. Generally speaking, people don't know how a lock operates anymore than they can explain how a password works -- it just does. The difference is that there is a tactile mechanism for it. I've found that some people trust keypads less than they trust combination locks; some have good reaons, and some have not-so-good reasons.
Something that is usually far beyond the understand
Re:Reasonable damage figures (Score:3, Insightful)
But remember, there are already tons of government agencies that do inspections of all sorts of things. Aren't you happy there are health inspectors? And the SEC, the FDA, the EPA, and so on? Aren't you glad that governments test the water regularly and investigate corporate polutants and such?
And remember the focus: not private individuals in their homes, but large corporations who should be protecting your
Re:Reasonable damage figures (Score:3, Interesting)
outragous? yes.
I bought a car alarm for my car. If I find someone trying to break into my car and need to update my car alarm, can I charge the burgler for the cost of the NEW alarm?
outragous? HELL YES.
but.. whatever, its a computer crime, i'll strangle the terrorist myself.
Re:Reasonable damage figures (Score:5, Insightful)
Yes, a total rebuild is required after any intrusion.
BUT they have *NEEDED* to do a rebuild for a long time; Lamo simply proved that fact. If your system could have been compromised, you must assume that it has been.
To be honest, I don't think Lamo added one cent to what NYT has to pay to fix its systems. If they were running an exploitable system, they need to rebuild and secure it. Lamo cracked them and admitted it, they STILL need to rebuild and secure it. How has he added any extra cost to their operation?
Re:Reasonable damage figures (Score:2)
Re:Reasonable damage figures (Score:3, Informative)
Only on Yahoo has it been shown that he changed Data.
Re:Reasonable damage figures (Score:2)
Although he had good intentions, I can't agree with his methods. He may have just been having fun, but even he has to realize the legal implications for everything he has done.
Re:Reasonable damage figures (Score:5, Insightful)
I get the impression that this is not how the average person thinks at all. When something fails, the most obvious culprit is the person that broke the system. There might be secondary concerns, but the first thing to do is to find blame.
By contrast, the engineer is almost grateful, at least once the bug's been fixed!
My thoughts are that people who break things without malice, although they might be in some sense "trespassing", deserve some protection, as egos do not deserve the protection of the law. The law should instead be structured so as to make secure systems more probably, ie. intelligent cost/benefit analysis is the order of the day, not ideological moaning about property and tresspass.
Re:Reasonable damage figures (Score:3, Interesting)
Re:Reasonable damage figures (Score:3, Interesting)
That's why you employ two or three of them remotely, without telling them about eachother. Any back doors that one of them puts in, the other will find, and vice versa. As long as they don't know about the other(s), you should be in the clear.
Re:Reasonable damage figures (Score:2)
Re:Reasonable damage figures (Score:2, Redundant)
If somebody hacked into one of my machines and then told me how to fix it, I'm afraid I'd be just the *teeniest* bit reluctant to take what they said at face value.
As a result, at the very least you've got to expect the NY Times had to pay for a forensic analysis of the network and a total rebuild of any compromised systems.
Would that cost $25,000? I dunno. It doesn't sound completely outlandish to me but I don't know anything about the NY times's systems.
Re:Reasonable damage figures (Score:5, Insightful)
Re:Reasonable damage figures (Score:5, Insightful)
Look at it this way, if the lock on my house is faulty did someone who demonstrates this fact to me "damage" my property by "causing" me to have to buy a new lock?
Or is that maybe a capital expense that's my responsibility in the first place? Especially if I've taken on the responsibility for protecting the safty of other people's property and papers as part of a commercial operation.
Also, is this expense an actual additional one, or did I maybe already have a handyman on salary who simply did it as part of his normal duties?
For $25K the NYT could have hired me for a full quarter to go over their security systems. Did they really do something like that, or did a couple of guys on staff have to spend some of the time they normally would have spent goofing off actually doing their jobs?
Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."
( The answer, of course, is that Lamo made his audit public. Still, it's not the simple B&W issue you might think)
The Lexis-Nexis thing is clear theft of services. Given the white hat Lamo was wearing I can understand that he had to do that just to demonstrate that he ( and thus anyone else) could, but it might not have been the smartest thing to do. I'd sure as hell want to see the actual bill though before I'd assent to the fact that he actually used $300k worth of the service.
KFG
Re:Reasonable damage figures (Score:5, Insightful)
Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."
Unless someone gives you PERMISSION to break into something of theirs, IT'S ILLEGAL TO DO SO.
END OF STORY!
Hacking is illegal, everyone knows it, why are you getting pissed about it? Leave other people's shit alone unless they specifically ask you to fuck with it, or you will get in trouble! That is NOT a difficult concept to grasp!
Re:Reasonable damage figures (Score:5, Insightful)
Actually it may not be a clear cut illegal intrusion. If Llamo never encountered an "authorized use only" or "for NYT staff only" message then it can (as has been in the past) argued that Llamo had no reason to believe he was accessing an area of the NYT network he was not suppose to. Given that he was accessing it via the Internet which is a PUBLIC network.
That may be why the NYT is trying to put a dollar figure to the "damage" Llamo caused. Then they can argue property damage.
Re:Reasonable damage figures (Score:3, Insightful)
I think not.
Re:Reasonable damage figures (Score:3, Insightful)
Bad analogy - but this is
If you own a private piece of land, but make it into a park and invite people to use it (perhaps charging a small fee for access to some parks of the park, or maybe getting revenue from advertising on park benches), then unless you put a no trespassing sign on that special flower bed over there, I
Re:Reasonable damage figures (Score:3, Insightful)
Re:Reasonable damage figures (Score:4, Insightful)
Arguably, leaving port 80 open constitutes implied permission. Nobody expects me to get a signed note from CmdrTaco every time I visit slashdot.org. On what basis can a prosecutor make the claim that leaving port 23 open does not constitute the same kind of implicit permission?
Re:Reasonable damage figures (Score:4, Interesting)
Who defines "breaking into"?
If someone misconfigures their web server so it points at "C:\My Finances" and you surf to their site, are you breaking into their system? What if they configure it so it points to "C:\" and you click on the "My Finances" link? What if they have a default "Welcome to XXX" page but you type in the url: "http://www.icantconfigureiis.com/My%20Finances/"? What if you do a portscan on them and try to connect to a nonstandard port? What if you run a rootkit on them?
Obviously the latter examples are reasonably defined as "breaking in", and the former ones are not, but where do you draw the line? Is it a judgement call about what someone reasonably expects you to be able to see?
From what I have read, it is pretty obvious that this guy saw some things that he reasonably couldn't believe he was supposed to see. On the other hand, he did it all through a web browser. It's not like he was running rootkits. He was simply poking around and being nosy. The onus should be on the NY Times to have some reasonable standard of security in place that can't be compromised by Mozilla.
Re:Reasonable damage figures (Score:4, Insightful)
> END OF STORY!
It's not that simple.
One of the founding principles of the USA is that "right" and "wrong" can change over time - hence the ability to modify our set of laws. As another poster pointed out, slavery was legal for quite some time - that didn't make it right, and people were forced to take action to make it illegal.
Free speech is one of the methods given to US Citizens to let the government know how we think they're doing. However, as has been shown innumerable times over, sometimes doing something "illegal" is necessary in part of the protest. There are times when people won't see how silly a law or rule is until it is broken repeatedly in front of their noses.
We're living in a time when more and more of our information is becoming more and more accessible. There are people out there whose intentions (good or ill) are not being backed by reasonable security. Accessible personal information and light or no security do not mix well.
I'd greatly prefer it if we could live in a world where everyone could be trusted "to behave". If we could trust people not to break into each other's homes, we wouldn't need door locks. Sure, it's illegal to break into another person's home - but does that mean that you don't need to lock your door?
Or that you should never check your door to be sure it's locked?
Most importantly, are you willing to take the risk of leaving personal, private, or otherwise valuable information or things laying around, in plain view, behind an unlocked glass case (alarmed though it may be)?
Every time a case like this gets into the newspapers, it is a bold reminder to corporations that they are at risk. Without a threat of loss, security grows lax. Be greatful this person did not act with a significant malicious intent, and learn from it.
-lw
Re:Reasonable damage figures (Score:5, Insightful)
Now paying someone $25k to audit security is a perfectly legitimate business undertaking. So, how is providing that service for free necessarily "damage."
Here's a harsh example: If I charged you for sex, I could easily get $100/hour. How about I have sex with you, without your consent, for free?
As someone who oversees a few websites, I can tell you that there is plenty to do already without having to worry about some hacker breaking in to my system.
The faulty lock isn't a good analogy. A better analogy is that you have a normal working lock, and the person is an extremely adept locksmith who also knows how to circumvent security systems. Don't think "This Old House", think "Mission Impossible".
These servers weren't left totally out in the open, otherwise people would be hacking into the NY Times *all the time*. I mean, wouldn't it be tempting to be able to put any message you wanted, up for viewing to many millions of people?
I'm sure the NY Times spends a whole lot on security, and does a pretty good job at it. This Adrian fellow is a really good hacker; that's all there is to it. Any system that must connect to the Internet is inherently insecure. The people at the NY Times have probably made a very careful balance between making their servers secure, and making it possible for employees to access it from the thousands of locations across the globe where they have staff, reporters, subscription offices, and distribution and printing centers.
I think anyone who blames the NY Times in this case is expecting too much. I'd like to see how *your* computers handle a hacking attach from this guy.
Re:Reasonable damage figures (Score:4, Insightful)
The only reason he's famous is... wait... I can't think of any good reason why he's famous.
IMHO, the analogy should be that his crime was saying, "The NYT keeps your credit card information on their kitchen table, and they don't even have a lock on their back door."
Re:Reasonable damage figures (Score:5, Funny)
No, his crime was the break in. Exposing the Times's idiocy was what provided the motive to ensure that that crime was prosecuted to the fullest extent of the law.
To return to the house with the flawed lock analogy, what Lamo did was equivalent of opening your front door, and then announcing to everyone in the street that you have a taste for erotica featuring barnyard animals.
Re:Reasonable damage figures (Score:5, Funny)
Ummm... you should probably be worrying about that anyway.
I'd like to see how *your* computers handle a hacking attack from this guy.
So would I. It's hard to know about the flaws in your system--you pretty much keep things patched, watch the logs and hope. An email from a benevolent hacker that says "You really need to change..." would be appreciated.
Re:Reasonable damage figures (Score:4, Funny)
Very good point. Just one problem: If you look and weigh anything like the rest of us slashdotters, you may be setting your price a bit high. I've found that 10 cents (Canadian) is the most any one of us here can expect for our sexual services (we have to pay for the condom and flowers ourselves). The worse part is when they try to haggle and get more for the 10 cents. I once had to throw in a week of tech support for free.
"Harsh Example" = Poor Example (Score:3, Interesting)
No, let's say you have cancer, but you don't know it, and you are not getting proper check-ups so you aren't going to find out. Some self-proclaimed doctor rigs the urinal you are about to use so that he can get a sample of your urine. He then takes the sample to his lab in the basement (without your knowledge) and performs a urinalysis. When he discovers you have cancer, he fully disclos
Re:Reasonable damage figures (Score:5, Insightful)
And cost to evaluate and repair are a little hard to get a handle on. If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data). 'Repair' can have a much higher cost, but it also has a marked benefit. Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact). It's like accusing a building inspector of causing damage when he points out the crumbling foundation of your house. (The difference here, that Adrian's actions were illegal, is not lost on me, but we're talking strictly about damage computation).
LexisNexis is a little different. Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money. This is much the same as copyright infringement 'damages' where the RIAA claims you downloading 1000 songs costs them thousands of dollars, even though most people would have actually purchases only a small percentage of the songs they downloaded. Adrian may have incurred costs using system resources if he caused inconvenience to other customers, and again there are assessment costs as well.
Re:Reasonable damage figures (Score:5, Insightful)
I disagree. One of the problem is that when a hacker attacks, you can't necessarily trust the logs. In fact there's a lot of people of the opinion (and I'm one of them) that unless you really know exactly which vulnerability was exploited and how it was exploited (like a common worm comes in that doesn't install a shell and there's no evidence that there was any other person actively involved in the hack), the only proper thing to do is completely re-install the system from either known-good backups (and labelling backups "known good" is itself an interesting challenge), or even from the original CDs.
Things like "tripwire" are just that... tripwires. They really shouldn't be used to help repair the system because once the system is compromised you can no longer trust the output.
For a business-critical machine, and well-paid admins (which you should have!), and counting downtime, $25,000 is entirely reasonable.
Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact).
Since fixing a vulnerability is typically a matter of applying a patch, odds are it does not account for more then $100 or $200 of the damage if it was computed rationally. Evaluation, analysis (which even if you re-install from scratch MUST be done, to see if any customer or private data was compromised), re-install, and lost business swamps that expense. Trying to talk the damage value of this down isn't really useful since it's such a small part of the value, in all likelihood.
$25,000 is quite reasonable.
Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money.
Yes, this is most likely absurdly inflated.
1 for 2 is actually a significant improvement for our system, and this is a good sign, IMHO.
Re:Reasonable damage figures (Score:4, Insightful)
Nor do I. I don't know what's up with Slashdot lately; this is a tech news site, not a script kiddie site. We're not here to learn from famous crackers or to congratulate each other for taking big sites down. Crackers are criminals and they need to be punished. They do cause damage. The implication in the comments at the head of this are that this guy didn't really do anything wrong and so should get off... just like the 18 year old "kid" who got busted for the MSBlaster virus variant a couple weeks ago, at which time I read similarly ignorant and even stupid comments here.
The NY Times is 2 products; an offline and an online newspaper. You knock the online version out and you've killed half the products the company offers. Advertisers need to be repaid, workers have to be paid even though they can't do any work, etc. And you're going to lose a certain number of readers to other sites, some temporarily, others permanently. I agree that the numbers here do not seem unreasonable at all.
But then I shouldn't need to explain why crackers should go to jail. This is Slashdot, we should all understand this stuff already. There's no reason why a tech news site should favor crackers over commercial internet interests; it's all tech, it's just that one side of the issue here happens to be criminal.
My company's web sites have been the victim of numerous DoS attacks (no, I do not work for SCO - I work for a company you guys like, though I don't really want to say which), which while using different methods amount to the same thing this guy did - it's all denial of service, and it does cost companies money. I have absolutely no sympathy for this guy and hope he gets the book thrown at him.
Re:Reasonable damage figures (Score:4, Insightful)
Is it because he has embarrassed you by lessening your company's technical credibility? I'm not trying to troll, but I wonder if $300k really is a realistic fine to apply to someone who essentially is just spraying graffiti, breaking and entering and having a look around.
Slashdot is not supporting this behavior, only trying to keep the possible wild misuse of government and corporate power in check. Most 'script-kiddies', at worst, are just nerds who perhaps need a public playground for their talents. Let's keep some perspective. That's what slashdot is about.
Re:Reasonable damage figures (Score:3, Interesting)
Read the subject. The problem is the damage figures.
I haven't been following the story closely, but nothing I've seen has suggested that he attacked them in any way, DoS or other.
How did it cost the NY Times to have someone find a security flaw in their system? How much did it save them that the guy who found it didn't exploit it?
If someone tells me my shoe is untied, I can't sue them for the time it takes me to tie the shoe. Whether I was told or not, the shoe would have been untied. At least
Useful links. (Score:5, Informative)
Negotiated? (Score:4, Interesting)
You have to negotiate for this now? So if they never tell him what he's charged with, can he get a reduced punishment?
Re:Negotiated? (Score:2, Informative)
Quick.. (Score:5, Funny)
Start printing stickers that say "Adrian" which you can apply over the word "Kevin"..
Lexis/Nexis and NYT (Score:5, Interesting)
What would you want to bet that Lexis/Nexis just winks and nods at their huge customer, The New York Times, Inc., and waives much of the actual charges that resulted from automated searches on Adrian Lamo. At their prices, there is probably still over $25K worth of manual labor involved... Lexis/Nexis is a premier service with some amazingly in-depth methods.
Plus, the scouring job that's required by NYT's IT department to ensure there aren't any new "easter eggs" in their system will go into significant coin too. I don't agree with the preposterous insurance-claim oriented figures that go into these 'cracking' news stories, but you can't just trust a superficial system cleanup after being cracked.
Re:Lexis/Nexis and NYT (Score:5, Insightful)
Oh wait, those fools are probably still employed, and they're probably the ones doing the "scouring".
Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.
Re:Lexis/Nexis and NYT (Score:2)
Perhaps if the FBI started going after network admins for doing such a crappy job we might start seeing less of these incidents.
In most cases, that would not solve the problem. Now if they were to go after the management who ordered holes in the security or refused to allow the admins to apply patches and implement good security practices, then you would be talking.
Leave the poor guy alone... (Score:5, Funny)
you know what to do (Score:5, Insightful)
Yes, I'm joking. This kid sounds like a bright fish
How old are you? 5? (Score:4, Insightful)
Now imagine word spreads about this type of behaviour with no consequences (jail time). Now you'll come home every week or 2 or 3 times a week to some unauthorized person sitting in your living room? Is this what you want? Its just fine and dandy because the intent is good right? What? Road to hell? What? Paved with good intentions?
Re:How old are you? 5? (Score:3, Interesting)
Re:How old are you? 5? (Score:2)
Re:How old are you? 5? (Score:2)
Do you want to come home to your house, turn on the lights only to find someone sitting on your sofa waiting to explain to you how insecure your house is because he was easily able to pick the locks? Even if he does no damage to your house and steals nothing is that something you'd like to come home to?
Actually, yes, if the guy offers to fix the problem. It would be wildly better than not fixing the security problems and coming home to find my TV, computers, stereo, etc gone and "J00 Sux0r!" spraypaint
Re:How old are you? 5? (Score:3, Insightful)
Not sticky at all. My house is located on a public street. Still makes it illegal to break in. Think of a private network at a gated community...
Uh - shouldn't they sue themselves? (Score:3, Interesting)
Besides, I'm thinking that there was more than 300,000 dollars worth of damage to their reputaion after this [jeffooi.com].
They need look no further than their own offices to find fault.
Re:Uh - shouldn't they sue themselves? (Score:2)
I come home from work to find my front door open and some teenager in my living room. He proceeds to tell me how poor the lock was in my front door, how to install a better lock, and by the way, he racked up $100 of calls while I was away.
You who's at fault, and you know I'd kick his ass.
Re:Uh - shouldn't they sue themselves? (Score:5, Insightful)
It seems like this Adrian fellow is a pretty adept hacker. It's probably not easy to break into Yahoo and similar sites.
Here's a good analogy: Say someone is a great locksmith, and he breaks into your house, snoops around, reads private information that you have locked up in your cabinets, and then uses your phone to make a bunch of long distance phone calls. Should this person be held liable, even if they are willing to give you, for free, a "Brand New Burglar Detection System"?
Hell, yeah, they should. I personally have a hard time believing that Lexis Nexus really would have charged NY Times $300,000 for the searches that Adrian did -- surely they can't be that expensive -- but otherwise I believe that yes, he should pay for his actions.
If someone breaks into my car and crashes it into someone's house, I shouldn't be held liable, he should. Just because I left it unlocked (or locked it, but didn't use the Club) does not make me culpable.
And yeah, the New York Times had a real image problem when one of their reporters turned out to be a real idiot. It's possible that a few of their advertisers jumped ship. But it seems like they're doing fine now, especially since they were so open about their mistake and showed a willingness and intent to improve.
If Adrian is such a great damn hacker, why doesn't he just go straight to the corporations and say, "Look, I know that I can hack into your system. How about you pay me to make it more secure." Rather than hacking in, and then saying, "Hey, let me make it up to you by showing how to secure it for free." See, that way, he gets money instead of going to jail.
Now that the NY TImes has pressed charges, I don't see anything that will get him out of this situation. He probably won't get a lot of time in jail, and hopefully he will be able to work out some kind of agreement where he offers his technical expertise and knowledge to offset some of the costs he incurred.
Adrian Lamo Surrenders (Score:5, Insightful)
Re:Adrian Lamo Surrenders (Score:5, Insightful)
Re:Adrian Lamo Surrenders (Score:4, Insightful)
Funny enough, I heard he was in town (I'm in Sacramento) by spotting him being interviewed by a local newscaster last week. I was wondering if he was still around because I recognized the place he was interviewed at. Does anyone know if his parents live in this area?
Re:Adrian Lamo Surrenders (Score:2)
Re:Adrian Lamo Surrenders (Score:2)
Then tell him he's not allowed to use his one marketable skillset.
Re:Adrian Lamo Surrenders (Score:2)
As for full-time employment...well, it looks like he's probably quite well qualified for some kind of IT type position...too bad
"damage" (Score:3, Interesting)
Re:"damage" (Score:2, Insightful)
Now enough with the stupid analogies.
Re:"damage" (Score:3, Insightful)
In this case, not even a hollow door was "hacked apart".
Macki's take... (Score:2, Informative)
"Marlowe" offers up some Timothy Leary on the message boards [quicktopic.com].
What are we really feeding into here?
taking bets ... (Score:2)
Guess he understands time-space warping too (Score:4, Interesting)
Under the terms of his release, Lamo's future wanderings will be confined to the northeastern half of California, and southern New York state, unless he gets prior approval of the court to travel elsewhere.
Hrm. Wandering from NE Cali to south NY w/out going anywhere inbetween would seem about as easy a commute as getting from the West Bank to the Gaza Strip.
Then they tell the fellow he can't use a computer but has to get full-time employment! I imagine anyone savvy enough to Slashdot can see the irony there.
To completely switch gears, did anyone else find it weird that a paper would have SS#'s for people who have written op-ed pieces [for Lamo to find]? I suppose that implies they were *paid* for the pieces, but it still seems a bit strange.
Re:Guess he understands time-space warping too (Score:2, Interesting)
Yeah, he can get a job waiting tables. Or shovelling shit. Or flipping hamburgers. Tough shit for him.
Pedophiles are ordered to stay away from children, 'r337 hax0rz' ordered to stay away from computers. Makes perfect sense. You commit a crime, you give up some rights.
Don't Reward Burglars, or This Guy (Score:5, Insightful)
I wouldn't feel like thanking someone who broke into my house while I was on vacation, nosed around in my papers, and then told me about my "security problem" when I returned home. Why would I, or any business, reward the same kind of behavior inside someone else's network? Both examples are, at minimum, illegal invasions of another's property.
Businesses that didn't press charges against this guy were negligent and only encourage the phony notion that crime on a network isn't serious.
You play with fire... (Score:2, Insightful)
Letting others protect you (Score:4, Insightful)
None of this has ever made any sense to me. Why is it that leaving a network insecure is fine and dandy but someone comming along and finding out its insecure then entering it a bitter no no then breaking and entering into a house? Didn't we learn long ago to close and lock our doors at night and when we where away? Some of these security holes are equvilant to a wide open window with no screen in it while were on vacation for a month. Yes, its still illegal for someone to enter the house and steal someting but doenst common sense tell us "Hey dummy, close and lock the doors and windows!".
I'm also wondering if they have any case on this. Didn't the NY Times take his help originaly to secure the network? I know the statue of limitations hasnt paned out on this but at some point someone kinda has to say "Ahh well why are you taking him to court now after he helped out originally?". Just another "See what we do to these bad bad men!" cases.
Next story : AP Under Attack (Score:5, Funny)
he should've seen this coming (Score:2, Insightful)
He accesses somebody his network, tells them about it "oh but hey i didn't do anything bad".
If YOU were the sysadmin in question, would YOU believe him? No you'd have to check all your systems... And that costs money (=damages).
Re:he should've seen this coming (Score:2)
Re:he should've seen this coming (Score:3, Insightful)
Why did he turn himself in? (Score:4, Insightful)
* it seems like anything to do with hacking == terrorism. Justice won't be served, long prison sentence
* being obviously young, not particularly bad looking and probably not physically strong means almost certain prison rape.
* already leading a nomadic lifestyle so why not continue.
However, in his position, I'd probably no longer publicise what I was up to. I think he has made some grave tactical errors in letting his identity being so publically known (and this is why he probably decided not to stay on the run, because his photograph has already been so widely published).
I hope his punishment is in proportion to the crime though - not some arbitrary "war on terror" sentence.
Get a full time job, or enroll in college (Score:2)
Get a job - "I'm very interested in joining your company, as long as my court case goes well" - don't call us.
Go to college - parents house is up as bail, and I doubt he'll get state/federal assistance while the court case is pending.
Re:Get a full time job, or enroll in college (Score:3, Insightful)
Sentencing someone intelligent to mind-numbingly boring manual labour is pretty close to cruel and unusual punishment.
I'm currently unemployed. I could go out and get a job at close on a hundred different places within a week, if I decided to do labouring, shelf-stacking, bar-work or similar levels of work. In practice I'd rather watch my savings deplete, because then I can engage in intellectually stimulating activities instead while looking for a job that I can enjoy and commit to.
Being banned from usin
Good Luck Adrian (Score:3, Funny)
Looks like he pissed someone off (Score:3, Insightful)
Sensative data, sounds like he got more than cc numbers. Also sounds like he has a political ageda, which is ok by my book. You can get lotsa info off of the Nyt's internal system; memo's, drafts, omitted papers, letters from people with political agenda's....
In any case, this is akin to breaking into a musieum to steal stuff, and instead of stealing he took pictures (very exact ones) and left a how-to note. He didn't damage anything, he showed them security holes in exchange for internal data. They don't like the internal data getting out...
BTW, any good company will resecure their systems after any consultancy and scour it for software; some firms can't be trusted.
Explaining the LexisNexis figure (Score:5, Informative)
psxndc
Re:Explaining the LexisNexis figure (Score:3, Informative)
I say again (Score:4, Insightful)
Re:Damage is damage (Score:2, Informative)
He never caused a site to go down, troll. RTFA.
Re:Damage is damage (Score:2)
(Emphasis mine)
RTFC, troll.
Re:Damage is damage (Score:4, Insightful)
parent is somehwat a troll, but anyway...
a hit to their reputation? unless the business is some kind of computer security company, or ISP, i would wager that it does very little to their reputation. come on, any other company (especially outside of any IT related company), which of their customers is even going to *know* the site was hacked. how many of those people are going ever hear that the site was hacked... if they couldn't access they site, they would probably just think their own internet connection was screwy at that time, or just accept the fact that they couldn't access the certain site (happens all the time) and think little of it.
i'm not trying to defend hackers, i'm just trying to set that misconception straight.
Re:Disclosure (Score:2)
Last time I checked, there were rights to know your accuser and the right to a speedy and public trial.
True. I think the authors point is that, under normal circumstances, that takes place after the arrest.
Re:Disclosure (Score:2)
It's unfortunate that my post was marked troll. The New York Times IS a discredited, dishonored, ethically bankrupt, plagiarist organization. That's not a troll, that's a fact.
Re:Disclosure (Score:3, Funny)
Re:Disclosure (Score:3, Insightful)
The "damage" was irrelevant. He typed his name into Lexis-Nexis. Big stinking deal. The New York Times should be shot for leaving their data unsecured. There were significant people in those lists that were put at risk NOT because of Mr. Lamo. They were unbelievably lucky that some happy-go-lucky dork was nice enough to point out the flaws before a Black Hat got to it.
Re:Outcome? (Score:2, Interesting)
and anyone that would expect that an Ex-lawyer is fair or honest in any way is a complete fool.
This judge knows nothing about what he is passing his "judgement" on and therefore is incapable of hearing such a case.
The entire judicial process in the United states is based on "who has the most influencial or resourceful lawyer" not who is innocent or guilty.
it hasn't been about innoce
Re:An open door is an invitation (Score:2, Insightful)