A 22-year-old computer hacker credited with breaking into more than a dozen networks owned by some of the largest companies in the world is facing federal charges of computer intrusion and unlawful use of passwords.
Known as the “homeless hacker” for his laptop-only wanderings and as the “helpful hacker” for breaking into major corporate networks and then working with companies to close security holes, Adrian Lamo is scheduled to report to federal officials in New York on Thursday.
While he won praise in some security circles and even from some victimized corporations, including WorldCom, it appears Lamo’s luck ran out in February 2002 when he gained access to The New York Times’ intranet and accessed personal information about company employees and contacts.
Lamo, who was released on US$250,000 bail following his surrender in Sacramento Tuesday, has been barred from computer use and now faces penalties including fines and prison time under the federal Computer Fraud and Abuse Act of 1986. Joe Valiquette, an FBI agent and spokesperson in New York, told TechNewsWorld that, if found guilty, Lamo faces a maximum sentence of 15 years in prison and a $500,000 fine.
Corporate Hit List
Among the corporate networks Lamo has admitted to compromising are Yahoo, WorldCom, SBC, Ameritech and Microsoft. The hacker also has been linked to breaches at Citigroup, Bank of America, DaimlerChrysler, H&R Block and General Electric.
Independent security expert Ryan Russell told TechNewsWorld that Lamo is unique in that he has consistently gone to companies to address security lapses before publicizing them or informing friends or peers.
“He’s probably the best example of your gray-hat kind of hacker — kind of playing both sides of the fence,” Russell said.
Shades of Gray
Gartner research vice president Richard Stiennon told TechNewsWorld that while corporations have “an almost rabid desire” to catch creators of viruses and worms, such as those that disrupted networks last month, hackers are seen as more of a nuisance.
However, Stiennon said, many companies do want to prosecute intruders who break into computer systems that contain sensitive data.
“I think for the most part, companies are glad [to see charges brought against hackers],” he noted. “Obviously, the activity is illegal and tantamount to trespassing.”
While he referred to the various degrees of hacker malice or “dark shades of gray” in the hacker world, Stiennon said the law is black and white.
“It’s really not too hard to draw a line between what’s illegal hacking and what’s not,” he said.
Times Hack Brings Trouble
Russell, co-author of Stealing the Network, said he is sad to see Lamo being prosecuted because, although he might have violated the letter of the law, the spirit in which Lamo has cracked computer networks has been a benevolent one.
However, Russell added that considering the long list of company networks Lamo has broken into, charges were bound to be filed sooner or later.
“It only takes one company to request that action be taken, and maybe even doesn’t take that,” Russell said. “Even though some of the other companies he’s broken into may have not perceived a slight or loss, federal authorities may be going after him anyway.”
The New York Times has said it is working with law enforcement on the case, but has not commented on the charges against Lamo, making it unclear whether Lamo’s arrest was initiated by the publishing company or by authorities.
Computer Access Denied
Lamo, who has seen support from a new Web site at www.freelamo.com, was ordered to cease computer use by a federal judge who expressed concern about computer hacking and virus attacks. The judge also ordered Lamo to seek employment or enroll in college while awaiting trial.
Russell, who said he views the court-ordered employment or schooling and computer ban as a mandated lifestyle change, said he disagrees with The New York Times’ decision to pursue someone such as Lamo, but understands it.
“From a lawyer’s point of view, they may have to defend themselves or it’s weakening their position in the future,” he said. “It’s not completely unreasonable from their point of view. They don’t want to send the wrong message.”