When Adrian Lamo first started compromising Web sites and alerting the owners to the security holes, he was thanked, until he struck the likes of The New York Times and Microsoft.
He spent six months on home detention and studied journalism before becoming a threat analyst.
Motivated by the process of hacking and delighted by the unexpected opportunities that could arise, Lamo spent time doing things like responding to customer help desk requests he discovered languishing in the networks he broke into.
In the third of a three-part Q&A series with hackers, Lamo, now 28, talks about his "hack value," his remorse for the trouble he caused network administrators, and how he hopes to make people smile.
Q: How did you get started hacking?
I was around computers as a very young child. I had a Commodore 64 when I was like 6 or so. And my first interest in seeing how things worked behind the scenes wasn't all about technology necessarily, and my interest in what you might call hacking isn't really primarily about technology...It's not sexy when I'm exploring less obvious aspects of the world that don't involve multibillion-dollar corporations. There's a certain amount of tunnel vision there.
As a kid, before I ever was interested in how my computer worked behind the scenes as opposed to just, say, popping in a soccer game cartridge and running it, I was already much more interested in figuring out, say, the school public address system or the garbage schedule to the office so I could grab the memos that teachers had discarded on the way to class to know what it was they were meeting about, when the fire drills were, things like that, and not for even any real particular purpose.
(It was) just because I wanted to know and was fascinated by the fact that it was another layer that I, as a very young student never saw. I could totally tell you a story about some epiphany I had working with computers as a kid and it might even be true in some respects, but it wouldn't be the story.
It's not about passion for the technology? It was more about how to get information?
Are you familiar with the term hack value?...It's defined on Wikipedia and I was actually not familiar with it until somebody hyperlinked my Wikipedia article from it as an example of somebody with an appreciation for hack value and then I realized I totally am. It's 'the notion among hackers that something is worth doing or is interesting. This is something that hackers often feel intuitively about a problem or solution; the feeling approaches the mystical for some.' (the word "mystical" links to Lamo's Wiki entry) It's not that it's about the information...it's always been for me about the process, which is why I can say without exaggeration at all that no system I compromised used a published or unpublished 'exploit' in that I wasn't looking for buffer overflows or flaws in the software. I was just trying to take normal everyday information resources and arrange them in improbable ways. I didn't spend time downloading databases of customer information.
One example is Excite@Home, which of course no longer exists per se. When I compromised them I had full access to the customer data, including credit card data in full text. That was of no interest to me. What I thought was really cool, what had hack value to me was that I could log in to support accounts that they didn't check anymore and answer help desk requests from users who otherwise would never get an answer. I love the f*** out of the idea of living in a world where something like that can happen; where you can submit a help desk request that a company is going to ignore and along comes a hacker and says 'no, this is totally what you need to do to fix that.'
Did you answer them?
Yes. I answered probably close to 100. In at least one instance, I called the guy at home because he had written in saying that somebody on Internet Relay Chat had scrolled (through) his billing information during a dispute as a way of saying 'ha ha! You're owned. I know everything about you.' He had complained and Excite had determined that it was probably one of their outsourced help desk employees. So, as a result, they were going to take no further action and they never got back to the guy. He was in Canada...I told him...I felt bad you never got a reply...and so I sent him the full minutes and full logs of all e-mail correspondence between the Excite employees saying 'This guy got shafted but we're not going to do anything about it.'
What did he say?
He was just happy that somebody got back to him; that somebody took the time to treat his concern like it was worth a damn. It's one of my frequent quotes, that I believe in a world where all these things can happen even if I have to do them all myself. I think we would live in a far more boring world if that chain of events could not transpire and the reason that...discussions about my intrusions made so many allusions to faith and a sense of purpose is that I do truly and very much believe that the universe appreciates irony; that the universe appreciates absurdity. And if we're here for any purpose it's to create novel situations that were heretofore unique in the human experience. (Sci-fi author) Spider Robinson has a fantastic quote: 'If a person who indulges in gluttony is a glutton, and a person who commits a felony is a felon, then God is an iron.' That's pretty much what I mean by hack value. It's not about how big the company was or how sensitive the information was, but more about with how much vigor I could say 'what are the odds?'
For the challenge and the fun?
No. Well, yes and no. The fun yes. But the challenge is secondary and not immaterial, but honestly security at most major companies is not all that challenging. It's finding ways to apply the insecurity in a way that makes it more than just some guy breaking in and stealing data, but rather turn it into an experience that is novel; that I can look at and re-tell and have even the people that I have hacked get a laugh out of it, that's really what it's more about. If I wanted a real challenge I would have gone with more technical means. But I guess you could also say that compromising a company using Internet Explorer on a Windows 98 machine could be considered challenging in its own right to some people.
When did you first start compromising Web sites?
(When did they put) Internet Web sites on port 80? I don't know. Maybe 1996. Earlier with other Internet services. I'd spend hours at the San Francisco Public Library, using their Internet terminals to telnet out to other systems, including ones that let me use their own modems to dial out.
So what is the hack you are the most proud of, or that you enjoyed the most?
Whichever one made the most people within the company or the people reading about it to be unable to restrain themselves from cracking a smile. In an abortive and eventually unpublished interview I did with Rolling Stone a long time ago, they were really gung-ho on the idea that what I was doing was performance art. And I really can't disagree with that assessment.
What did you do that got you arrested?
I was arrested for unauthorized access to networks belonging to the New York Times and Reed Elsevier's Lexis-Nexis site in violation of 18 U.S.C. 1030(a)(5)(A)(ii) and 1029(a)(2). Included as 'relevant conduct' in the complaint (conduct that is alleged and may be used to show that the defendant is generally a bad guy, but need not be proven beyond a reasonable doubt) were allegations that defendant Lamo had additionally compromised other corporate networks. These allegedly included Excite@Home, Yahoo, Microsoft, MCI Worldcom, SBC and Cingular... In the ultimate proceedings in USA v. Lamo, a conviction was secured only for the intrusions against the NYT, Lexis-Nexis, and Microsoft. All three were amalgamated in a single count.
Why did you do it? Excite@Home praised you at the time for notifying them of the security hole you found. Was your intention to point out security holes in the Web sites?
I'm grateful for the thanks Excite@Home, Google, MCI WorldCom and others extended me. But as for why I did it, I believe my actions, statements to date, and conduct speak for themselves. There's nothing I could proffer that would say anything to the topic that has not already been said, although I reaffirm that I never sought to justify my actions then, and I don't now. Some things don't need explaining.
I never considered myself all that technical, or a hacker. I still don't. I was in the right place at the right time. I still am. But that's more about religion than technology.
What happened with your case?
My plea agreement called for a minimum of six months custodial sentence. The judge was willing to sentence me to six months of house arrest and 24 months of probation, plus $60,000 in fines. I'm the last person in the world to say that what I did wasn't illegal, or shouldn't have been illegal because I was trying to help people out in the process. I knew all along it was illegal. I just figured that as long as I was committing a crime I might as well be a decent human being about it...I felt that actions have consequences and it probably couldn't go on forever but God I liked the idea that it could happen for as long as it did.
Would you do it again?
The universe does not encourage repetition. What's done has been done and it's not there for replays. Perhaps more importantly, I'm not 19 or 20 anymore. I can't go back and do it again and expect to have a normal life. I have a lot of avenues for curiosity, for exploration, for absurdity, that are just as rewarding. As I said before, I'm not that technical a guy. It's just that the technical aspects get the most attention. I still push the envelope really hard, but I am not going to give the government another opportunity to f*** with me. And I also want to point out that I pled guilty at the earliest opportunity because I was, in fact, guilty and because I had always said that I would. There were some aspects of the government's case I had issues with, specifically that they brought my Microsoft intrusion into it where all I did was go to a URL that was just the default splash page; it didn't require a password, it didn't say it was confidential, and (it) served up the entire Microsoft customer database. And they added that to my restitution because clearly I have to pay Microsoft back for the immense effort it took them to not have their f***ing customer database on a public-facing web page. My God, that must have cost thousands. I'm being kind of dry there.
That's what the $60,000 was for?
No. The $60,000 was for the New York Times, Microsoft, and Lexis-Nexis, roughly evenly split. Lexis-Nexis pissed them off a lot because I spent a good deal of time pulling information on people within the government. I searched for ownership information on every Crown Victoria Police Interceptor in the United States just for the hell of it. Things like that...I wanted to see who owned them in order to ascertain which fleet vehicles were actually part of the motor pool for federal law enforcement.
I wish I remembered the guy's name, but at one point I pulled up records of a credit card application for somebody with a really unusual name who was a Colombian drug figure who was supposedly dead but who apparently was alive and well in New York. And given that he wasn't making any effort to hide his existence I can only assume that his existence there was sanctioned by the government, which is one of several reasons they were not terribly interested in going into too much detail about my Lexis-Nexis intrusion. Every time the U.S. Attorney's office talked about what I did they said 'Yeah, he searched for himself...' There were literally hundreds of other people and they tried to play it off as an ego-surfing spree.
What are you doing now?
At the moment I'm a threat analyst for a privately held company and I'm looking at an option as a staff scientist in what's called 'adversary characterization,' figuring out who is going to break into your s*** before they do it and how they're going to do it before they even formulate the plan. I'm not interested in narcing out hackers. These are exclusively pretty much foreign nationals with bad intentions.
Can you say what the company is you work for now and who you want to be a scientist for?
The privately held company is Reality Planning LLC and it would be inappropriate to specifically state who I would be a staff scientist for.
Is it the government?
I would not be in the employ of a government agency. No.
The sentencing you got, were you a minor at the time of the activity?
Negatory. My entire course of criminal conduct took place when I was an adult. I was 22 when they came for me...it was in 2003. And in 2004, I pleaded guilty.
Did they come bust down your door and seize your computers?
They never got my computers. They went to the wrong place. They went to my parents' house assuming they would find me there. They surrounded it for several days and I ended up having to do a live local interview on a public street to prove I wasn't there so they would leave my parents alone.
So how did you end up in custody?
I voluntarily surrendered after negotiations with the assistant U.S. Attorney who initially had the lead on the case. My conditions were that I wanted to know what I was being charged with because they hadn't disclosed it. I wanted them to call the feds off my family, off my friends, and off me until I surrendered, and to their credit they were reasonable. They realized I was trying to do the right thing. They obliged. However, as just a very mild f*** you, I surrendered to the U.S. Marshals Service instead of the FBI to avoid giving them the opportunity to have me alone in a room.
You were dubbed the 'homeless hacker.' What was the situation?
You know, you spend a couple years traveling around the country on Greyhound (bus) and you sleep in abandoned buildings and all of a sudden you're the homeless hacker. It was entirely a media-created appellation. I don't really care what terms people use to describe me. I've certainly been called worse. But it's one of the things that evokes for me the sense that I'm talking about somebody else when I describe these things. I'm not talking about the Adrian Lamo who gets up in the morning and quibbles with supermarket clerks over a stacking coupon (using multiple coupons). I'm talking more about a media- and public-created persona that is a role that I stepped into and out of, and that's not terribly unusual. We all have our own faces and personas that are developed to suit the situation...I have just had, I guess, more of a very conscious realization of it shoved in my face. But that's not a complaint. I'm familiar with the news gathering process. I'm familiar with how stories get written. And I've never really tried to tell somebody how they should cover me because a lot of the time they're going to do it their own way anyway. ...
Any thoughts on getting on the wrong side of the law or reflections on what happened and where you're going?
I can honestly say that I feel bad for the network administrators who had to get those calls from their bosses basically saying 'Dude, what the f***?! We're paying you to make these things not happen.' One of the reasons that I think I was as sincerely remorseful as I was at my sentencing was that I felt bad for these guys. It was always easy for me to see it as kind of a consequence-free environment where nobody was really getting hurt, and a lot of people tell me that if they had been doing their job right it never would have happened. But that's bulls*** because you can't protect against every possible eventuality.
One of the outcomes I would have liked to have seen...is having computer intrusion that doesn't have a profit motive no longer be seen as a catastrophic event, but rather something that a company can spin to its own advantage if it wants to. And that they can ... evolve from. Stress causes complex systems to evolve and I think that aspect of it is beneficial. But I can't help but feel bad for the people that got hurt along the way, be they the people on the other side of the wires or my own family or my friends who had to wonder why the hell the FBI was at their door.
That said I think that well-intentioned intrusion is very, very important to the security process and the process of the evolution of technology. We would not have the technology that we have today if it were not for people that had been willing to push the envelope; who had been willing to do things they may have been told were impossible or a dumb idea or just plain wrong.
I was absurdly lucky in my timing because sentences for hackers have gotten much less benign in recent years. I don't think that's a positive trend because legislation and litigation don't create security...I also think the ostracism of people with a history of hacking is a very significant threat to the security community and to security in terms of national infrastructure because what we have right now are people who are hired to secure systems who have very often come from the same sort of educational background and they've read the same books. If when they were younger they ever asked somebody 'What should I do to get started in security?' they were likely to have been told 'Well, install Linux...install these programs... learn to do this.' And we've grown a crop of people who approach security in a very similar way.
I do think my success at intrusion is a symptom of that, because I never took any formal classes or schooling in the area of security. I had no pre-defined or pre-taught conception about how you were supposed to break into systems. If 10 years ago somebody had said 'You know what would totally break into this long list of incredibly secure companies? A web browser' they probably would have been laughed off. And ostracizing and marginalizing people with public backgrounds in criminal hacking or potentially criminal hacking is by and large just leaving us with systems that are secured by people who all have very similar mindsets. I find recurring security problems, not identical in implementation, but in concept. That is to say people make the same kinds of mistakes over and over and I really can't help but think that's a result of their educational background when it comes to information security. We don't have a diverse enough gene pool of thought in the area of security and it's going to continue to bite us. The standard excuse is to have security professionals say 'Well, we have to be right all the time and they (hackers) only have to be right once.' But that does not mitigate the fact that they often have no clear clue of what the newest kind of attack is going to be or how it's going to be formulated.
Where did you go to school?
In terms of higher education, I was court-ordered to attend school after I was arrested and I studied journalism at American River College in Carmichael, Calif.