Stop Him Before He Hacks Again
By Alex Salkever
Readers of The New York Times's "op-ed" page regularly find columns written by a host of world leaders and celebrities, from Palestinian leader Yassir Arafat and former U.S. President Jimmy Carter to hip-hop star and talk-show host Queen Latifah. The contact information for these luminaries is a closely guarded Times secret, as is the contents of the op-ed section's Rolodex.
Not anymore. The Times op-ed section and its list of contributors were recently penetrated by one of the most controversial hackers to emerge since Kevin Mitnick, who spent almost five years in prison for repeatedly invading computer systems at a slather of high-tech outfits. Meet Adrian Lamo, a soft-spoken 21-year-old snoop from San Francisco who hacks with nothing more than a laptop, a Web browser, and a Net connection at the local coffee shop.
Lamo recently broke into the Times computer network, where he co-opted contact-information files as well as sensitive details of the news-gathering and editing process at the Times. His tear through the Gray Lady's closet even gave him the ability to change the Web site at one of the world's most powerful media organizations with a few key strokes -- an option he didn't exercise. Lamo then contacted computer-security publication Security Focus Online and asked it to contact the Times on his behalf to outline the breach.
This isn't Lamo's first conquest. In September, 2001, he hacked into the content servers at Yahoo! -- and actually did alter a news story to demonstrate that he was capable of breaching security. A month later, he hacked customer-information databases at software powerhouse Microsoft. In December, 2001, he gained access to secret network-topography diagrams at voice-and-data carrier WorldCom, going so far as to e-mail company officials a supposedly secret file showing key locations of network equipment.
So why hasn't Lamo been prosecuted for computer crimes? In each of these cases, he warned the companies about their flaws after-the-fact and offered to help fix them for free. Lamo further claims that he has accepted no money or compensation from any of his targets, something that often happens in the computer-security world, where a consultant reporting a breach often gets awarded a contract. Rather than condemning him, Lamo's "victims" have mostly praised him for helping to secure their networks.
INTRUDER OR HERO?
So far, the Times has neither condemned nor lauded Lamo. "We are currently determining what the appropriate next steps will be," was how Times spokesperson Christine Mohan responded to an e-mail from BusinessWeek Online. To date, no one has pressed charges.
Lamo says his main motivation for hacking is mere curiosity. Does that make his escapades O.K.? Good question. Herein, two schools of thought -- each vehemently expressed in numerous Internet discussions of the affair that are still raging today. Let's examine the first, the attitude that says Lamo actually provided the Times with a service.
Fair enough. He did help by alerting the paper to the flaws in its networks. And it's quite possible that he saved it from a serious dose of egg on its august face -- not to mention a pile of legal fees -- if any private information had been hacked. Lamo did all this by walking through the equivalent of an unlocked door fronting a very public thoroughfare, the Internet. What's more, he hasn't profited from his exploits. Nor has he damaged the systems or done any real harm.
The second school of thought says Lamo should have the book thrown at him. Never mind his high-minded intentions or curiosity. According to this view's adherents, breaking into a company's or an individual's computer is akin to breaking into somebody's house. It's illegal, period -- even if the only result is that the homeowner now knows how easy it was to commit the crime.
In some of these cases, Lamo was actually poking around in these networks for extended periods. At WorldCom, his sojourn lasted several months, yet the telecom had no knowledge of his snooping. Clearly, Lamo could have warned these companies. Then there's the potential for inadvertent damage to the networks, a real possibility when someone who's largely unfamiliar with the intricacies of the system is snooping around.
Besides, why didn't Lamo ask the companies if he could break into their networks? They probably wouldn't have said, "Go ahead! Have fun." The proper way to enter a house is by knocking on the front door, no?
Finally, in each case, Lamo widely publicized what he did -- not just to the companies involved, but to the public at large. Granted, he did give the companies a chance to fix their network problems before he went public with the information. But why go public at all unless the goal of the exercise is to broadcast one's exploits?
Lamo is hardly the first to test networks for fun and sport. Many of these so-called white-hat hackers turn their skills to the trade of information security, where they look for vulnerabilities to gain prestige for themselves and their employers. The difference: These guys look for vulnerabilities in software products that, for the most part, they have legally licensed. As a general rule, they don't poke around in networks without being invited.
When I contacted Lamo on his cell phone (somewhere on public transit in San Francisco or Oakland, he told me), he seemed like a pleasant enough guy. He wasn't boastful. He conceded that he was operating in a gray area and that he could run afoul of the law. He also admitted that damaging a network inadvertently was a significant risk during his undertakings.
LETTER VS. SPIRIT.
All in all, it seemed that Lamo was quite clear-eyed about what he had done and its implications, although he did say he hoped it wouldn't develop into a legal battle. "It would be inaccurate to say that I don't care," says Lamo, "and that I feel that I'm beyond the law."
Did Lamo violate the law? Perhaps, if you look at its letter. On the Internet, when a perimeter is breached, it's trespassing. But in the spirit of the law, companies aren't throwing the book at him -- and for good reason. He's telling them things about their networks that are very valuable and cost them nothing to learn. And, again, his exploits have caused no harm. The "victims" of these victimless crimes have allowed him to continue going about his business.
Part of me admires Lamo. Part of me worries about him. Allowing this type of uninvited hacking to go on unchecked is unacceptable. Before you know it, Lamo's imitators will proliferate. Soon, hundreds if not thousands of people could be rattling the windows of companies' computer systems, checking the doors, and wandering through the house. That's hardly the best way to run a digital society.
Think of hundreds of garage mechanics hotwiring your car and taking it for a test-drive to see if it has any kinks. Even if they don't steal anything, it's a major invasion of privacy.
This issue has other ways of being resolved without prosecuting Lamo. Perhaps a court should require him to perform community-service security work for nonprofits or government agencies. Or maybe he should serve as a computer teacher to underprivileged kids. But if he commits further transgressions (on top of the many already detailed), he should be issued a stern warning by law enforcement.
Lamo is clearly not a malicious guy. But there's no shortage of good work a white-hat hacker could carry out without secretly breaking into systems.
Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online
Edited by Douglas Harbrecht