, SecurityFocus 2004-01-08
NEW YORK-- Hacker Adrian Lamo pleaded guilty Thursday to federal computer crime charges arising from his 2002 intrusion into the New York Time internal network, and faces a likely six to twelve months in custody when he's sentenced in April.
Clad, uncharacteristically, in a sports coat and loafers, Lamo answered federal judge Naomi Buchwald in a calm and clear voice Thursday as she meticulously reviewed his rights as a defendant, and asked if he wished to waive his right to a jury trial. Lamo told Buchwald that he regretted causing the Times financial harm. "I knew that I crossed the line," said Lamo. "I am genuinely remorseful."
"He has always indicated that he's willing to accept responsibility for what he did," said Lamo's defense attorney, federal public defender Sean Hecker, after the appearance.
In a statement, Times spokesperson Christine Mohan said Lamo's intrusion "was a serious offense, and we appreciate that it was treated as such by the authorities."
The federal case against Lamo began in February, 2002, when, according to court documents, FBI agent Christine Howard read about the
Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services.
He also added his real name, phone number and e-mail address to a database of 3,000 contributors to the Times op-ed page, where he listed himself as an expert in "Computer hacking, national security, communications intelligence."
Financial Losses Disputed
Prosecutors charged Lamo with the intrusion last September, and in an affidavit Mohan accused the hacker of racking up $300,000 in charges by conducting 3000 searches on the Lexis-Nexis news and legal databases service under the Times' corporate account. Lamo said
Thursday's guilty plea caps an aggressive FBI investigation that generated controversy last September when the Bureau notified a dozen journalists who had covered the hacker's antics that it intended to subpoena reporters' notes-- a
In the months that followed, the probe saw FBI agents contacting a Who's Who of figures in the computer security and hacking community, some with no obvious connection to Lamo, like @stake's Chris Wysopal, and Tsutomu Shimomura, the researcher who helped the FBI track then-fugitive hacker Kevin Mitnick in 1995. Field agents also interviewed the nomadic hacker's friends and associates around the country, toting a list of questions that covered everything from Lamo's motives as a hacker, to queries about his social life. "They kind of tried to make me feel like I did something," said Lamo friend Matt Griffiths. "They asked if I was a hacker, if I ever hacked anything, what kind of programs I used."
The FBI didn't return a phone call on the case.
Lamo has become something a tech-media darling for his rootless, wandering lifestyle -- Wired News dubbed him the "Homeless Hacker" -- combined with his habit of publicly exposing security holes at large corporations, then voluntarily helping the companies fix the vulnerabilities he exploited, sometimes visiting their offices or signing non-disclosure agreements in the process.
Until the Times hack, Lamo's cooperation and transparency kept him from being prosecuted, even after hacking Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser. Some companies even professed gratitude for his efforts: In December, 2001, Lamo was praised by communications giant WorldCom after he discovered then helped close security holes in their intranet.
Lamo said after the court appearance Thursday that his plea agreement does not preclude the government charging him for some of his other intrusions, but, "there's sort of an understanding, which may or may not hold."
The hacker also says he's through committing computer crimes. He remains free on bail, obliged by court order to live with his parents and either work or attend school. He's now a student at a community college in Sacramento, California, where he's studying journalism.