Information Security News mailing list archives

Stop Him Before He Hacks Again


From: InfoSec News <isn () c4i org>
Date: Tue, 5 Mar 2002 02:32:18 -0600 (CST)

http://www.businessweek.com/bwdaily/dnflash/mar2002/nf2002035_9312.htm

MARCH 5, 2002 
SECURITY NET 
By Alex Salkever 

Adrian Lamo has made quite a name for himself by breaking into
corporate networks. He has done no harm -- but that's not the issue

Readers of The New York Times's "op-ed" page regularly find columns
written by a host of world leaders and celebrities, from Palestinian
leader Yassir Arafat and former U.S. President Jimmy Carter to hip-hop
star and talk-show host Queen Latifah. The contact information for
these luminaries is a closely guarded Times secret, as are the contents
of the op-ed section's Rolodex.

Not anymore. The Times op-ed section and its list of contributors were
recently penetrated by one of the most controversial hackers to emerge
since Kevin Mitnick, who spent almost five years in prison for
repeatedly invading computer systems at a slather of high-tech
outfits. Meet Adrian Lamo, a soft-spoken 21-year-old snoop from San
Francisco who hacks with nothing more than a laptop, a Web browser,
and a Net connection at the local coffee shop.

FRIENDLY WARNING.  Lamo recently broke into the Times computer
network, where he co-opted contact-information files as well as
sensitive details of the news-gathering and editing process at the
Times. His tear through the Gray Lady's closet even gave him the
ability to change the Web site at one of the world's most powerful
media organizations with a few key strokes -- an option he didn't
exercise. Lamo then contacted computer-security publication Security
Focus Online and asked it to contact the Times on his behalf to
outline the breach.

This isn't Lamo's first conquest. In September, 2001, he hacked into
the content servers at Yahoo! -- and actually did alter a news story
to demonstrate that he was capable of breaching security. A month
later, he hacked customer-information databases at software powerhouse
Microsoft. In December, 2001, he gained access to secret
network-topology diagrams at voice-and-data carrier WorldCom, going
so far as to e-mail company officials a supposedly secret file showing
key locations of network equipment.

So why hasn't Lamo been prosecuted for computer crimes? In each of
these cases, he warned the companies about their flaws after the fact
and offered to help fix them for free. Lamo further claims that he has
accepted no money or compensation from any of his targets, something
that often happens in the computer-security world, where a consultant
reporting a breach often gets awarded a contract. Rather than
condemning him, Lamo's "victims" have mostly praised him for helping
to secure their networks.

INTRUDER OR HERO?  So far, the Times has neither condemned nor lauded
Lamo. "We are currently determining what the appropriate next steps
will be," was how Times spokesperson Christine Mohan responded to an
e-mail from BusinessWeek Online. To date, no one has pressed charges.

Lamo says his main motivation for hacking is mere curiosity. Does that
make his escapades O.K.? Good question. Herein, two schools of thought
-- each vehemently expressed in numerous Internet discussions of the
affair that are still raging today. Let's examine the first, the
attitude that says Lamo actually provided the Times with a service.

Fair enough. He did help by alerting the paper to the flaws in its
networks. And it's quite possible that he saved it from a serious dose
of egg on its august face -- not to mention a pile of legal fees -- if
any private information had been hacked. Lamo did all this by walking
through the equivalent of an unlocked door fronting a very public
thoroughfare, the Internet. What's more, he hasn't profited from his
exploits. Nor has he damaged the systems or done any real harm.

EXTENDED VISITS.  The second school of thought says Lamo should have
the book thrown at him. Never mind his high-minded intentions or
curiosity. According to this view's adherents, breaking into a
company's or an individual's computer is akin to breaking into
somebody's house. It's illegal, period -- even if the only result is
that the homeowner now knows how easy it was to commit the crime.

In some of these cases, Lamo was actually poking around in these
networks for extended periods. At WorldCom, his sojourn lasted several
months, yet the telecom had no knowledge of his snooping. Clearly,
Lamo could have warned these companies sooner. Then there's the potential for
inadvertent damage to the networks, a real possibility when someone
who's largely unfamiliar with the intricacies of the system is
snooping around.

Besides, why didn't Lamo ask the companies if he could break into
their networks? They probably wouldn't have said, "Go ahead! Have
fun." The proper way to enter a house is by knocking on the front
door, no?

WHITE-HAT HACKER.  Finally, in each case, Lamo widely publicized what
he did -- not just to the companies involved, but to the public at
large. Granted, he did give the companies a chance to fix their
network problems before he went public with the information. But why
go public at all unless the goal of the exercise is to broadcast one's
exploits?

Lamo is hardly the first to test networks for fun and sport. Many of
these so-called white-hat hackers turn their skills to the trade of
information security, where they look for vulnerabilities to gain
prestige for themselves and their employers. The difference: These
guys look for vulnerabilities in software products that, for the most
part, they have legally licensed. As a general rule, they don't poke
around in networks without being invited.

When I contacted Lamo on his cell phone (somewhere on public transit
in San Francisco or Oakland, he told me), he seemed like a pleasant
enough guy. He wasn't boastful. He conceded that he was operating in a
gray area and that he could run afoul of the law. He also admitted
that damaging a network inadvertently was a significant risk during
his undertakings.

LETTER VS. SPIRIT.  All in all, it seemed that Lamo was quite
clear-eyed about what he had done and its implications, although he
did say he hoped it wouldn't develop into a legal battle. "It would be
inaccurate to say that I don't care," says Lamo, "and that I feel that
I'm beyond the law."

Did Lamo violate the law? Perhaps, if you look at its letter. On the
Internet, when a perimeter is breached, it's trespassing. But in the
spirit of the law, companies aren't throwing the book at him -- and
for good reason. He's telling them things about their networks that
are very valuable and cost them nothing to learn. And, again, his
exploits have caused no harm. The "victims" of these victimless crimes
have allowed him to continue going about his business.

Part of me admires Lamo. Part of me worries about him. Allowing this
type of uninvited hacking to go on unchecked is unacceptable. Before
you know it, Lamo's imitators will proliferate. Soon, hundreds if not
thousands of people could be rattling the windows of companies'
computer systems, checking the doors, and wandering through the house.  
That's hardly the best way to run a digital society.

APPROPRIATE REMEDIES.  Think of hundreds of garage mechanics hotwiring
your car and taking it for a test-drive to see if it has any kinks.  
Even if they don't steal anything, it's a major invasion of privacy.

This issue has other ways of being resolved without prosecuting Lamo.  
Perhaps a court should require him to perform community-service
security work for nonprofits or government agencies. Or maybe he
should serve as a computer teacher to underprivileged kids. But if he
commits further transgressions (on top of the many already detailed),
he should be issued a stern warning by law enforcement.

Lamo is clearly not a malicious guy. But there's no shortage of good
work a white-hat hacker could carry out without secretly breaking into
systems.

ISN is currently hosted by Attrition.org