Lamo denies $300,000 database hack
Kevin Poulsen, SecurityFocus 2003-09-10

Days before going public with his penetration of the New York Times internal network last year, hacker Adrian Lamo created five new user accounts with the LexisNexis database service under the Times corporate account, which he used to rack up $300,000 in charges over the following three months, a federal complaint in New York charges.

Lamo denies $300,000 ego-surfing spree 2003-09-10
Anonymous
How stupid can the government be...order someone to get a job. Let's round up all the unemployed people in the U.S. and order them to get jobs or else.

Adrian's job is probably in India by now anyway and I don't think India was on the list of places he could go....

Lamo 2003-09-11
Anonymous (1 replies)
The net user in me thanks him for making the net a safer place.

The system admin in me thinks he didn't have any business poking around without permission.

The small voice of the hacker in me admires his skill (but his wiles more!) and his passion but thinks he's too into the glory of the disc...

Easy target 2003-09-11
Anonymous
Well, let's be realistic about this. Lamo works in the open, so he was an easy target. The FBI has had a lot more trouble tracking down the really dangerous people, the ones who *don't* talk about what they find. This will give them a nice high-profile conviction so they can look like they're doi...

Lamo the polishing rag. 2003-09-11
Got Worm?
Also during Wednesday's hearing, a deputy assistant U.S. attorney general bristled over suggestions by Rep. Adam Putnam, R-Fla., that the government's lackluster record making arrests after major Internet attacks indicates it does not consider them serious threats...

Lamo denies $300,000 ego-surfing spree 2003-09-11
Anonymous (1 replies)
All I can say is, time for some real growth on his part....

Lamo denies $300,000 ego-surfing spree 2003-09-12
Anonymous
> All I can say is, time for some real growth on his part.

And it's way past time for some growth on the part of the NYT....

Lamo denies $300,000 database spree 2003-09-11
Anonymous (1 replies)
Maybe instead of investigating Lamo and all his friends/acquaintances the FBI should investigate NYT for filing a false claim report? Last I knew, it was EXTREMELY illegal to lie to any law enforcement.

Adrian, my thoughts and what not are with ya....

Is Maurice Clarett 2003-09-11
Anonymous
working for the NY Times. Maybe they learned how to report damages from him. This 300K number is a complete joke....

Of course he should be tried 2003-09-11
drg (3 replies)
Erm, what the hell is all this. Both these articles have been repeating "when he's usually praised by his victims." Blah blah blah.

This comes back to the analogy that if you break into someone's house and then tell them they have a weak lock on their front door, it's illegal.

If this guy hone...

Of course he should be tried 2003-09-11
The 420 Zodiac (1 replies)
People who compare network/computer security with home security know nothing of either.

Stop using that stupid analogy and try coming up with a better argument.

Open your mind and think about information companies might have on you and think about how careless those companies are when it c...

Of course he should be tried 2003-09-12
Wckd (1 replies)
I agree, the house analogy is a horrible one.

Secondly, you don't know if there is a vulnerability unless you exploit it.

Most companies won't take you seriously if you contact them about a problem without proof, and even then there is a good percentage that just couldn't give a damn.

Furt...

Of course he should be tried 2003-09-12
Anonymous (2 replies)
Sounds like you "no big deal" folks have never dealt with a security breach in your lives...I have. When somebody exploits a security hole (rather than simply reporting it), hundreds if not thousands of man hours need to go into just finding out what that person did, and creating a report of the inc...

Of course he should be tried 2003-09-14
Anonymous
Well said, I couldn't agree more.

His motives or whatever were probably to boost his ego. He needs to grow up....

Of course he should be tried 2003-09-18
Anonymous
I haven't seen a listing of exactly what information he provides to companies he exploits, but since he seems to be doing it to boost sales of his services (hence the offer to help fix the problems) he should be keeping detailed logs of exactly what he does to get in so he can show that to the custom...

Of course he should be tried - Enough analogies! 2003-09-12
Anonymous (1 replies)
There are very few similarities between invading someone's home and invading a corporate computer. This particular analogy is both emotionally loaded and highly imperfect.

In this sort of situation bad analogies only lead to further hysteria. Judging from the NYT's damage claims, there's been en...

Of course he should be tried - Enough analogies! 2003-09-13
Jagdwulfe (2 replies)
"There are very few similarities between invading someone's home and invading a corporate computer. This particular analogy is both emotionally loaded and highly imperfect."

Actually there are a great many similarities. Both are private property which you have no business accessing without the pe...

Of course he should be tried - Enough analogies! 2003-09-15
Anonymous
If there are a "great many", why do you only name one? However, since you have named the most significant similarity, I'll name the most significant dissimilarity: threat to life and limb. When someone enters your house illegally, they pose a threat to your physical safety. That's why the law tends ...

Of course he should be tried - Enough analogies! 2003-09-17
Anonymous
"Actually there are a great many similarities"

Like the previous poster said, this analogy is way too emotionally loaded. Who do you think would be more upset, the person who wakes in the morning to find an intruder has been in their house, looking through their private belongings, or a company wh...

Of course he should be tried 2003-09-15
Anonymous (1 replies)
He did not exploit such trivial matters openly. He was quiet about helping most of the companies regain security posture. Lamo obviously recognizes the need for stronger coding practices and decided to participate in free-lance audits. Maybe if NYT took responsibility in safeguarding information, an...

Of course he should be tried 2003-09-21
Anonymous
Of course he should be tried

There is a reason Lamo was arrested.

There is a reason there is a law against his actions.

You want to discourage folks from rummaging around your personal belongings whether they belong to a person or a corporation.

There is a reason it is called private prope...

Lamo denies $300,000 database hack 2003-09-11
Anonymous (1 replies)
Well, perhaps he (himself) did not rack up 300k of charges, but what about the people he shared the login information with?...

Lamo denies $300,000 database hack 2003-09-11
Anonymous
There's no proof that he shared login information - in fact, I don't think that that's even been accused.

That would be out of keeping with Adrian's normal M.O....

Lamo denies $300,000 database hack 2003-09-11
Anonymous
300k for a few queries???? They must be using the same formula that they use to calculate the National Debt!!!...

Lamo denies $300,000 database hack 2003-09-11
Mike (2 replies)
He's an idiot. Discovering such vulnerabilities is a good thing, but then you TELL THE COMPANY about it, and work with them to resolve the issues.

You don't take advantage of it and hack the system - steal access, create passwords, use expensive applications, etc.

People who defend Lamo are d...

Lamo denies $300,000 database hack 2003-09-11
Anonymous
Did you not read the whole article? HE DID TELL THE COMPANY.

And currently there is nothing to prove that he created passwords, or ran any 'expensive' applications. Only the NYT's word.

Whatever happened to innocent until proven guilty? Doesn't it seem odd that no one else has ever clai...

Lamo denies $300,000 database hack 2003-09-11
Anonymous
Be careful how you stereotype groups of people.

A lot of people who are out here supporting Adrian, are doing so to ensure that he gets a fair trial. Something that has been missing from many hacker cases.

Also, there needs to be some reforms in our laws. It is ridiculous to have the same pu...

Lamo denies $300,000 database hack 2003-09-11
Anonymous
I doubt that the general atmosphere in New York would give Lamo a fair chance.

God Speed Lamo......

The difference between my network and yours..... 2003-09-11
Anonymous Hacker Supporter (3 replies)
My network does not get hacked because I am conscious about security. I take steps to ensure my network is as secure as I can make it.

Your network gets hacked because you do not do these things. Your Network gets hacked because you run insecure services/applications exposed to the net.

Do...

The difference between my network and yours..... 2003-09-11
Anonymous
I wish that I could have said it better myself, but I don't think that I could have.

To the Gent above! Great thread!

To Lamo, I wish to you strength and wisdom to make it through these dark times. I hope that fairness and triumph light your way.

I hope that the Times isn't lying, but we...

The difference between my network and yours..... 2003-09-17
Sunfire (1 replies)
I agree with you over 1000%. This is why many of the IT Admins, MIS, Admins, paper techs should be I.D.10.T Certified....

The difference between my network and yours..... 2003-09-18
phaust
You're working at a 5-person company or what?

You talk like the guy who works at McDonald's and knows nothing.

Try to secure a company with over 5000 users. You CAN'T think for everyone. Security budgets are so low these days that you don't have enough staff, or enough technologies and software t...

The difference between my network and yours..... 2003-09-18
Anonymous
It is common knowledge that killers exist.

If you or your family get killed it is your fault as a LAZY PERSON.

Why didn't you learn shooting. Why didn't you put a barbed wire around your house.

Someone broke into your house: your fault - your doors are not strong enough; you have been so stupi...

breaking into someone's house analogy doesn't work !!! 2003-09-11
Anonymous (2 replies)
I often hear analogies made in order to explain what is happening on the web. Most of these analogies sound something like "what if I would break into someone's house and then tell them how they don't have any security..." Well that's a horrible analogy! Even though the internet has been around for aroun...

breaking into someone's house analogy doesn't work !!! 2003-09-12
The 420 Zodiac
Well said. The house analogy is only used by those who do not understand computer and or network security.

Let's not forget, the key word in analogy is anal and most people who use analogies are exactly that....

breaking into someone's house analogy doesn't work !!! 2003-09-12
An idiot like the one that posted before me.
I agree... Therefore I am going to install a live oak, steel-plated door, with security keycard access, chrome kick-plate and a grecian door knob on the front of my mini-tower. There, that will keep those nasty hackers out.

Sppff......

Moral question. 2003-09-12
Anonymous (2 replies)
In situations like these I like to go to a moral saying which has helped me many times.

"Don't do to your fellow what you would not want to be done to you."

There are two ways to look at the situation:

1) What Lamo did was a good thing and therefore NYT should be happy and the above moral sente...

Moral question. 2003-09-12
Anonymous (4 replies)
Well, I was actually going in a different direction. I didn't say whether what Lamo did was moral or immoral. My personal opinion is that there is no such thing as moral or immoral, only acceptable and not acceptable. What I was saying is that hackers shouldn't be judged by analogies in real world. In...

Moral question. 2003-09-12
Anonymous
You mean that if information exists only in electronic - virtual - form it doesn't have similar value than the same information in physical world?

Getting the same information at the physical world would have required to do crimes as well, and since the owner of the information would have liked to ...

Moral question. 2003-09-12
Anonymous
"My personal opinion is that there is no such thing as moral or immoral, only acceptable and not acceptable."

Acceptable by whom? by society or by each individual?

I will assume you mean socially acceptable and not socially acceptable, that would make more sense.

Assuming that - What does s...

Moral question. 2003-09-12
Anonymous
One has the right to protect their privacy.

One has the right to pursue knowledge.

If one's privacy is not protected - one need only blame oneself and no one else.

It is wrong to limit one freedom to strengthen another - all one's freedoms are equally important....

Moral question. 2003-09-15
MartinX
While I admit that the house breaking analogy is flawed, I find the distinction drawn between "Real" and "Virtual" in the minds of many to be greatly troubling.

I think you'd have a hard time convincing any company accountant that the bills for the Servers, Routers, Switches, cabling, manhours, e...

Moral question. 2003-09-14
Anonymous (1 replies)
> I wish Lamo good luck, he did a mistake and everyone deserves a second chance, especially people with high morals like Lamo. I do not believe 3 years in prison would do any good to anyone.

Lemme guess, you probably are a Christian?

Why don't you go find another god/hero/martyr to w...

Moral question. 2003-09-17
Gregory T. Buckhead
Not only was that an ignorant rant, it was off-topic. And posted by Anonymous... no surprise there. Someone needs a hug ;-)

Lamo, having what have been described as the best intentions in the world, screwed up. To this point, he has remained largely in the grey. Unfortunately, with the Time...

Lamo denies $300,000 database hack 2003-09-12
Anonymous
Now give him a good job and support and make sites safe instead of screwing him. Protect and help him. Do it and you may be safe....

Lamo denies $300,000 database hack 2003-09-12
Anonymous
Believe they came to that particular amount knowing full well that if they win the case it will result in significant jail time (federal offense) vice minimal jail time or probation, etc. Although I believe what he did was wrong...it's hacking by any other name, but does he deserve 3 yrs if convic...

Lamo denies $300,000 database hack 2003-09-12
Anonymous
So he must go and get a job now. But he can't use computers. So with someone of the skills that he has, what does that leave him to do? Work at a low level menial labor job that will hire someone that is waiting to be taken to court for a federal crime? That doesn't make much sense, now does it?...

Of course he should be tried 2003-09-12
BigTymer-
The only way to find out if something is exploitable is to exploit it... there is no way in knowing "if a door has a weak lock if you don't try to open it" I think Lamo shouldn't be punished severely due to the fact that he IS A WHITE HAT hacker... I hope everything works out for him...

Adrian & me 2003-09-12
kepi blanc (1 replies)
Last year, at H2K2, Adrian and I were busted together. No, not by the feds, but by the security crew of the Hotel Pennsylvania for gaining access to the roof. (It's what Adrian referred to as "real-world hacking".) Although I didn't think much of it at the time, I consider it a badge of honour now!...

Adrian & me 2003-09-17
lowtec
Hey I was there too! hehe I wasn't with you guys when you got caught though, I went up on Friday night. Do you have that picture we took by the satellite dish on the roof ?...

Hey buddy you left your lights on... 2003-09-13
Anonymous
You would hope that was the intent of the 'actions' he took.

There is not much wrong in that, on the surface in any case.

...

hacks and hacks 2003-09-14
Anonymous (1 replies)
From the article, sounds like there may also be a question of a '$300,000 damages' legal system hack....

hacks and hacks 2003-09-17
A nony mouse
Lamo = Your Friendly Neighborhood SPIDERMAN

In my opinion what he did was no more than walking down the street; smell a gas leak; finding the door unlocked; going in looking through your phone book; and calling you at work to tell you what is wrong.

Why not call the gas company? Well in this cas...

He does not deserve a punishment 2003-09-15
HaCkGhosT
Adrian may have been wrong in getting into NYT internal network and exploiting the problems without telling them. But one should look at his past record of WorldCom where in he was praised for his efforts, and this clearly shows what his intentions were...

At times things are better done than told...

Lamo denies $300,000 database hack 2003-09-15
Anonymous
For WorldCom to praise him for his "help" clearly reflects the competency of its techs. Let's not forget he created like what.. 5 accounts and used it at his own dispense...

Lamo = Your Fiendly Neighborhood SPIDERMAN 2003-09-17
A nony mouse (1 replies)
I think what he did was no more than the equivalent of someone walking by your house smelling a gas leak; finding the door unlocked; and going in the house looking through your phone book to find your work phone number and calling you to let you know.

Why not call the gas company you ask? Well in t...

Lamo = Your Fiendly Neighborhood SPIDERMAN 2003-09-19
Anonymous
well... no... it's more like throwing a lit match on your leaking gas pipes... I like the analogy though :-)...

Pssh. 2003-09-18
Phreak
Ok, ok...I SORT of agree that he shouldn't be punished for what he did, he was doing a public service really, now that they know what the security flaw was, it can be sealed, if he didn't show them it, someone could have done some FAR worse things than he could ever do, HOWEVER...under U.S. law, gain...

Lamo denies $300,000 database hack 2003-09-18
penfold
Firstly, the charges of 300k against Adrian are outrageous. I think that the complaint made against him is not only exaggerated, but immoral.

Firstly, the complaint made against him stated that each search racked up charges of $100 each search, even though LexisNexis searches cost between $3 - $12....

Lamo denies $300,000 database hack 2003-09-19
Chris
lol, i love it, big ass company gets its pants pulled down in front of everyone (the flaw in their intranet allowing him access) so they use the guy that found and told them about the exploit to help them look better and make some money on the side because of their inadequate IT and network administ...

Lamo denies $300,000 database hack 2003-09-22
Anonymous
If he was doing this as a helpful thing I do not think he should have tampered with the accounts for one. Plus how many businesses do you know have glass windows. Brick and mortar businesses that is. Now let's say I throw a brick through the window no alarm sounds and I go through the place snooping a...

Copyright 2009, SecurityFocus