Sign in to follow this  
Followers 0
Bi0s

Lamo to surrender?

16 posts in this topic

'Homeless hacker' may surrender to FBI

By Declan McCullagh

Staff Writer, CNET News.com

September 5, 2003, 4:00 PM PT

Adrian Lamo, the so-called homeless hacker who claims responsibility for a series of high-profile electronic intrusions over the last two years, is negotiating with the FBI to surrender over criminal charges.

Lamo, 22, said his attorney is talking with the U.S. Attorney's office in New York City over unspecified allegations of criminal misconduct. On Thursday, FBI agents showed up at his parents' home in Sacramento, Calif., Lamo said in a telephone interview Friday evening, during which he would not disclose his location.

"(The FBI agents) went to my parents' house to try to find me there," Lamo said. "Since then, I've been told they're looking for me. But I've had no direct contact with them."

Mary French, a deputy public defender in Sacramento who is representing Lamo, provided a statement that said: "We have confirmed that there is a sealed complaint from the Southern District of New York and a federal arrest warrant for (Lamo)."

Lamo, whose brazen exploits, media savvy and rootless lifestyle have made him something of a legend in hacker circles, indicated that he's willing to give himself up after he learns what the charges against him are. "I wanted to know more about the counts against me, before I agreed to surrender to face them," he said.

On Aug. 22, Lamo contacted CNET News.com to say he believed a federal criminal investigation of his intrusions into The New York Times' computers had been accelerated. But he was unable to confirm the situation until the FBI agents showed up on Thursday, he said.

"We have been cooperating with the authorities in their investigation of the security breach that happened in February 2002," Christine Mohan, a spokeswoman for New York Times Digital, said on Friday. "We've cooperated with them since that breach, and we're continuing to do so."

Mohan would not provide details of the cooperation. She would not say whether the company had filed a criminal complaint against Lamo after the intrusion took place.

In that incident, which New York Times Digital confirmed at the time, Lamo was able to view employee records, including Social Security numbers. He was also able to access the contact information for the paper's sources and columnists, including such well-known contributors as former U.S. President Jimmy Carter, former Marine Col. Oliver North and hip-hop artist Queen Latifah.

Lamo also claims to be responsible for intrusions into systems at MCI WorldCom in December 2001, Microsoft in October 2001, Yahoo in September 2001, and Excite@Home in May 2001. When he entered Yahoo's system, Lamo found he was able to alter news articles on the company's site.

Many, if not all, of these intrusions appear to violate the federal Computer Fraud and Abuse Act, which calls for punishment of anyone who "intentionally accesses a computer without authorization or exceeds authorized access" with fines and between one and five years in prison, depending on the charges.

The U.S. Attorney's office in New York City did not immediately respond to a request for comment.

In addition to these intrusions, Lamo is known for his homeless-hacker lifestyle. He has no fixed address, and instead wanders around the United States on Greyhound buses, sleeping on friends' couches and, when necessary, staying in vacant or derelict buildings. Especially now that he knows the FBI is after him, Lamo said: "I'm in constant motion. Like Saddam Hussein, no two nights in one place."

Interesting, this should make screamer happy. :lol:

0

Share this post


Link to post
Share on other sites

MY worry is this: They tell him the complaints/charges that they have filed against him. He sees them and decides that they are minor or defendable and turns himself in. Then, they suddenly start ADDING CHARGES saying they have NEW EVIDENCE or some shit like that and then he is fukked.

0

Share this post


Link to post
Share on other sites

and make an "example" out of him.......wait a minute exactly how many of these "examples" have they made so far?! isnt an example supposed to be one out of a lot that shows the "typicality" of something?!

0

Share this post


Link to post
Share on other sites

With all this sentiment all I gotta say is yes examples blow big time, but dude, he broke itno many systems with no permission, it doesn't matter if he reported or not, no permission, do we need more grey hats or something? ;)

0

Share this post


Link to post
Share on other sites

well, permission to break into somebody's pc is a pretty hard thing to obtain, and breaking in is usually the only way to convince somebody its not secure....anyway, i know we DONT need any more examples.

0

Share this post


Link to post
Share on other sites

What I'm dying to see is how Wired handles it, will their next story be about the digital loner wandering the countryside, or is he suddenly a "dirty blackhat" like many of the slashdot readers say? The kid went into a computer and looked around, until someone shows me how this is suddenly any different from what they thought he did before then I'm not going against him. I'd need proof he went in to commit a crime, because in my opinion, getting in doesn't hurt anyone. It's what you actually do that matters, because you can't charge a drunk driver with vehicular manslaughter until you can prove he actually committed the crime. And getting into a computer to play around doesn't pose nearly as much damage as driving drunk, in fact, if you're smart enough to get in you're probably smart enough to not format a drive here and there.

But wait, I guess since the media is now calling him bad everyone else has to start thinking the same way...oh those poor slashdotters, my how impressionable youth can be.

0

Share this post


Link to post
Share on other sites

"getting in doesn't hurt anyone."

Hurts me, I have to Audit logs, re-format, re-install OS, re-install Applications, fix the exploit that wasn't patched... I don't want anyone on my computer, my Cycles are not for free, and I'm sure Fortune 500 companies don't either...

0

Share this post


Link to post
Share on other sites

I don't really know why you'd have to reinstall and reformat, there are easier ways to fix things, unless you want to trump up the charges like so many corporations do. And why would you have to patch a vulnerability and audit your logs just because someone got in? You wouldn't patch things and check to make sure everything's ok if someone simply warned you about the hole? Plus, let's be careful when comparing home PC's to massive mainframes owned by big businesses. A personal home computer holds nothing of interest to someone playing with computers, and I can see how intrusive it is to have someone break in. But when you talk about a huge mainframe that has hundreds of users logging in and out, I don't really see how much damage that one unauthorized user causes. I suppose you could argue "you don't know what they really did", like sold your info for example, but that's why we have "innocent until proven guilty" in this country. Until evidence is shown that proves you committed a crime, you're innocent of all charges. When I see proof that Lamo conducted corporate espionage, then I'll go against him. (Defending Lamo...weird...*shiver*)

0

Share this post


Link to post
Share on other sites

Re-format/re-install OS, remove trojans or commonly buffer overflows or different vulns can leave a service useless or break things... I don't care if he e-mails or not, I don't want him, my computer is for me...

0

Share this post


Link to post
Share on other sites

well, then if its only for you, you should secure it so that nobody gets in.

0

Share this post


Link to post
Share on other sites

Careful hac, that argument is easily countered with "just because I don't lock my car doesn't mean someone should steal it." I know securing your system is the best thing to do, but no matter how secure you are someone can undoubtedly get in. And again I should point out I'm not condoning the act of getting into someone's home computer, I'm referring to huge, impersonal machines that numerous people use.

My point is not that you should secure your machines, it's that whether or not someone merely warns you or actually gains entry, you still have to go through the same amount of work to make sure everything's all right. Far too often I see companies merely get pissed off and paranoid, resulting in a kid being dragged through the legal system like he was the unabomber. And unfortunately, because the justice system doesn't understand what actually happened, it's easier to have the book thrown at someone for numerous charges, when all they did was digital tresspassing. We need to put aside the "could have's" and focus on what people actually did, and if we can't prove it happened, then they're not guilty. That's the way the courts work in all other cases, I don't see why this should be any different.

0

Share this post


Link to post
Share on other sites

yeah, i understand your point, but there is a very BIG difference between stealing your car and getting inside your computer. when you get 0wned you don't really loose anything physically. so that's why it is very different. of course the courts don't understand computers when the judge is using aol, i mean unless these people are going to be tried by knowledgeable computer security experts (and im not talking about lance spitzner.....juarez) they're never going to get a fair trial.

0

Share this post


Link to post
Share on other sites

The laws need to be changed, up to 5 years in federal prison is way to much punishment

for this type of crime. However the law is the law and if you break it then dont be shocked

when they come looking for you. This guy is gonna get some time and his parole will

involve no computer access for the duration. Now I read this dude goes from place to

place yada yada, he should think about disappearing for good if he doesnt want to be

in prison. If you are an "elite" security expert and you can break into Yahoo, Microsoft,

whatever else we dont know about then go get yourself a 100k+ paying job protecting

some company. Seems that life would be much better with a nice house,a little woman,

things you enjoy, money in the bank and oh ya no one hunting you down. I can understand

the want or need to show people hey I broke into your system here is the flaw, but in reality

you cant do that anymore. People are gonna want to label you a criminal and why the hell

do you want to have that follow you everywhere for the rest of you life. Maybe even be

denied great jobs you could have got, all because you had to show them they have some

crap ass security. Send an email through a remailer advising them, Hell why even care?

If they are gonna be dumb enough to let there shit get exposed then let them. People

will fix it, life will go on and atleast you wont be behind bars with your life in

the shitter. There is plenty of fun shit to do .. how about duals flashbox.. heh

oh ya baby .. the flashbox.. heh my opinion anyhow..

0

Share this post


Link to post
Share on other sites

Dont get my wrong, in aosme sence he has my respect, but Lamo was very stupid.

Not only did he crack high profile networks, but he rubbed it in there faces and make it a public knowledge that these people are insecure - Somone is going to take offence, and these people ahve allot of power they can use if pissed off.

Yes he had the balls to do it and yes he helped out 'some' people.. but he also pissed off allot of higher ups and made them look bad, and nothing gets you in trouble in america faster then shaming somone in power, and he should know this.

0

Share this post


Link to post
Share on other sites

That's pretty much the same conclusion I've come to, why even bother helping other people? Now I know that Wired and NetIQ would like us to be good little doggies and report everything we find, but why should we if we're facing these penalties? Adrian Lamo used to be their lapdog, corporate America's image of the perfect hacker, and that was an image they wanted to spread around the entire country, if not the world. But now that we see he's done things he hasn't talked about, it's back to being public enemy #1.

If the US, and other countries I suppose (how am I supposed to know, I'm American!) want people to remain tight lipped about security vulnerabilities, fine. If they don't want our help, then the information will stay in the "underground." Security through obscurity is what they live for, so let's keep all the info to ourselves.

0

Share this post


Link to post
Share on other sites

I'd have just not even tried to do it, I've stumbled upon a couple of web based SQL injection vulns and not looked back, I'm not gonna risk it... Call me a wuss but hey I am...

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0