Boston-born security enthusiast Adrian Lamo has been alternately described as the most effective and controversial hacker of the 21st century, the “Bobby Fischer of hacking”, and a common criminal. His alleged high-profile computer intrusions have been the subject of hundreds of news articles, television segments, and book citations. He is a threat analyst and journalist, known as a former “grey hat” hacker, principally for breaking into a series of high-security computer networks, and his subsequent arrest. Best known among these were his intrusions into The New York Times, Yahoo! News and Microsoft. He is also known for identifying security flaws in computer networks of Fortune 500 companies and then notifying them of any flaws he found.
Lamo was born in Boston, Massachusetts to Mario Lamo and Mary Lamo-Atwood. He spent his early childhood in Arlington, Virginia, until moving to Bogotá, Colombia around the age of 10. When his family moved back to the United States two years later, they settled in San Francisco, where Adrian lived until he tested out of high school a year early.
Popularly called the “homeless hacker” for his transient lifestyle, Lamo spent most of his travels couch-surfing, squatting in abandoned buildings and traveling to Internet cafes, libraries and universities to investigate networks, and sometimes exploiting security holes. Despite performing authorized and unauthorized vulnerability assessments for several large, high-profile entities, Lamo refused to accept payment for his services. In his spare time, he donates his time and expertise to Voluntary Legal Services of Northern California, a Sacramento-based nonprofit organization providing assistance to indigent and low-income clients involved in civil litigation. Lamo was appointed to the Lesbian, Gay, Bisexual, Transgender, Queer and Questioning Youth Task Force by San Francisco Supervisor Tom Ammiano. In February 2009 Lamo was revealed to have been a donor to disclosure site WikiLeaks.
In May 2010 at age 29, he was diagnosed with Asperger’s syndrome. Adrian Lamo is perhaps best known for breaking into The New York Times internal computer network in February 2002, adding his name to confidential databases of expert sources, and using the paper’s LexisNexis account to conduct research on high-profile subjects, although his first published activities involved operating AOL watchdog site Inside-AOL.com.
The Times filed a complaint and a warrant for Lamo’s arrest was issued in August 2003 following a 15-month investigation by federal prosecutors in New York. At 10:15 AM on September 9, after spending a few days in hiding, he surrendered to the US Marshals in Sacramento, California. He re-surrendered to the FBI in New York City on September 11, and pleaded guilty to one count of computer crimes against Microsoft, Lexis-Nexis and The New York Times on January 8, 2004. Later in 2004, Lamo was sentenced to six months detention at his parents’ home plus two years probation, and was ordered to pay roughly $65,000 in restitution. He was convicted of compromising security at The New York Times and Microsoft, Yahoo! and MCI WorldCom. When challenged for a response to allegations that he was glamorizing crime for the sake of publicity, his response was “Anything I could say about my person or my actions would only cheapen what they have to say for themselves.” When approached for comment during his criminal case, Lamo frustrated reporters with non sequiturs such as “Faith manages” (probably a reference to science fiction television show Babylon 5) and “It was a beautiful day.” At his sentencing, Lamo expressed remorse for harm he had caused through his intrusions, with the court record quoting him as adding “I want to answer for what I have done and do better with my life.”
As of January 16, 2007, Lamo’s probation was terminated, ending a three-year period during which the U.S. District Court’s ruling prevented him from exercising certain freedoms, including the ability to employ any privacy protection software, travel outside certain established boundaries, or socialize with security researchers. On May 9, 2006, while 18 months into a two-year probation sentence, Adrian Lamo refused to give the United States government a blood sample they demanded so as to record his DNA in their CODIS system.
According to his attorney, Adrian Lamo has a religious objection to giving blood, but is willing to give his DNA in another form. “He went in there with fingernail clippings and hair, and they refused to accept it, because they will only accept blood,” said federal public defender Mary French.
On June 15, 2007, lawyers for Lamo filed another motion citing the Book of Genesis as one basis for Lamo’s religious opposition to the frivolous spilling of blood: “The Book of Genesis leaves unambiguous this matter. Therein, those who would spill the blood of man are rebuked as follows: ‘Whoever sheds the blood of man, by man shall his blood be shed; for in the image of God has God made man.’ Genesis 9:6” Lamo continued: “Under this admonition, not only would I be blinding myself to the direct instructions of scripture by shedding blood, but I would similarly be casting whomever facilitated this act into sin, multiplying my culpability,” setting the basis for defense counsel Mary French to urge US District Court Judge Frank Damrell to exempt Lamo from the sampling entirely, or to order his probation officer to accept some other biological product in lieu of blood, as previously offered by Lamo. On June 21, 2007, it was reported that Lamo’s legal counsel had reached a settlement agreement with the U.S. Department of Justice granting Lamo’s original request. According to Kevin Poulsen’s blog, “On Wednesday, the Justice Department formally settled the case, filing a joint stipulation along with Lamo’s federal public defender dropping the demand for blood, and accepting cheek swabs instead.” Reached for comment, Lamo reportedly affirmed to Poulsen his intention to “comply vigorously” with the order.
Since Lamo’s sentencing, he has entered the early stages of a career as an award-winning journalist, studying at American River College, with writing, photography, and editorial work / collaboration appearing in Network World, Mobile Magazine, 2600 Magazine, The American River Current, XY Magazine, and others. Lamo has interviewed personalities ranging from John Ashcroft to Oliver Stone to alleged members of the Earth Liberation Front.
Lamo also has a history of public speaking – he was a keynote speaker at a government security conference in 2005 alongside Bruce Schneier, and a panelist at the Information Security In the Age of Terrorism conference. Lamo has shown signs of increased cooperation with media since his release from federal custody, including a podcast interview with Patrick Gray in Australia, and an April 2007 segment on 88.1 WMBR out of Cambridge. Lamo was removed from a segment of NBC Nightly News when, after being asked to demonstrate his skills for the camera, he gained access to NBC’s internal network in under five minutes.
Hackers Wanted, a documentary covering Lamo’s life and times, is slated for release under the care of Trigger Street Productions. Directed by Sam Bozzo, it features Apple Computer co-founder Steve Wozniak, TechTV personality Leo Laporte, Digg and Revision3 founder Kevin Rose and narration by actor Kevin Spacey. The film explores the practical and ethical themes of modern computer hacking, intertwining Lamo’s story with those of controversial figures throughout history. In May 2009, a video purporting to be a trailer for Hackers Wanted was allegedly leaked to or by Internet film site Eye Crave. In May 2010, an earlier cut of the film was leaked on BitTorrent. According to an insider, what was leaked on the Internet was a very different film from the newer version, which includes additional footage.
How did you get started hacking?
I was around computers as a very young child. I had a Commodore 64 when I was like 6 or so. And my first interest in seeing how things worked behind the scenes wasn’t all about technology necessarily, and my interest in what you might call hacking isn’t really primarily about technology…It’s not sexy when I’m exploring less obvious aspects of the world that don’t involve multibillion-dollar corporations. There’s a certain amount of tunnel vision there. As a kid, before I ever was interested in how my computer worked behind the scenes as opposed to just say popping in a soccer game cartridge and running it, I was already much more interested in figuring out, say, the school public address system or the garbage schedule to the office so I could grab the memos that teachers had discarded on the way to class to know what it was they were meeting about, when the fire drills were, things like that and not for even any real particular purpose. (It was) just because I wanted to know and was fascinated by the fact that it was another layer that I, as a very young student never saw. I could totally tell you a story about some epiphany I had working with computers as a kid and it might even be true in some respects, but it wouldn’t be the story.
It’s not about passion for the technology? It was more about how to get information?
Are you familiar with the term hack value?…It’s defined on Wikipedia and I was actually not familiar with it until somebody hyperlinked my Wikipedia article from it as an example of somebody with an appreciation for hack value and then I realized I totally am. It’s ‘the notion among hackers that something is worth doing or is interesting. This is something that hackers often feel intuitively about a problem or solution; the feeling approaches the mystical for some.’ (the word “mystical” links to Lamo’s Wiki entry) It’s not that it’s about the information…it’s always been for me about the process, which is why I can say without exaggeration at all that no system I compromised used a published or unpublished ‘exploit’ in that I wasn’t looking for buffer overflows or flaws in the software. I was just trying to take normal every day information resources and arrange them in improbable ways. I didn’t spend time downloading databases of customer information. One example is Excite@Home, which of course no longer exists per se. When I compromised them I had full access to the customer data, including credit card data in full text. That was of no interest to me. What I thought was really cool, what had hack value to me was that I could log in to support accounts that they didn’t check anymore and answer help desk requests from users who otherwise would never get an answer. I love the f*** out of the idea of living in a world where something like that can happen; where you can submit a help desk request that a company is going to ignore and along comes a hacker and says ‘no, this is totally what you need to do to fix that.’
Did you answer them?
Yes. I answered probably close to 100. In at least one instance, I called the guy at home because he had written in saying that somebody on Internet Relay Chat had scrolled (through) his billing information during a dispute as a way of saying ‘ha ha! You’re owned. I know everything about you.’ He had complained and Excite had determined that it was probably one of their outsourced help desk employees. So, as a result, they were going to take no further action and they never got back to the guy. He was in Canada…I told him…I felt bad you never got a reply…and so I sent him the full minutes and full logs of all e-mail correspondence between the Excite employees saying ‘This guy got shafted but we’re not going to do anything about it.’
What did he say?
He was just happy that somebody got back to him; that somebody took the time to treat his concern like it was worth a damn. It’s one of my frequent quotes, that I believe in a world where all these things can happen even if I have to do them all myself. I think we would live in a far more boring world if that chain of events could not transpire and the reason that…discussions about my intrusions made so many allusions to faith and a sense of purpose is that I do truly and very much believe that the universe appreciates irony; that the universe appreciates absurdity. And if we’re here for any purpose it’s to create novel situations that were heretofore unique in the human experience. (Sci-fi author) Spider Robinson has a fantastic quote: ‘If a person who indulges in gluttony is a glutton, and a person who commits a felony is a felon, then God is an iron.’ That’s pretty much what I mean by hack value. It’s not about how big the company was or how sensitive the information was, but more about with how much vigor I could say ‘what are the odds?’
For the challenge and the fun?
No. Well, yes and no. The fun yes. But the challenge is secondary and not immaterial, but honestly security at most major companies is not all that challenging. It’s finding ways to apply the insecurity in a way that makes it more than just some guy breaking in and stealing data, but rather turn it into an experience that is novel; that I can look at and re-tell and have even the people that I have hacked get a laugh out of it, that’s really what it’s more about. If I wanted a real challenge I would have gone with more technical means. But I guess you could also say that compromising a company using Internet Explorer on a Windows 98 machine could be considered challenging in its own right to some people.
When did you first start compromising Web sites?
(When did they put) Internet Web sites on port 80? I don’t know. Maybe 1996. Earlier with other Internet services. I’d spend hours at the San Francisco Public Library, using their Internet terminals to telnet out to other systems, including ones that let me use their own modems to dial out.
So what is the hack you are the most proud of, or that you enjoyed the most?
Whichever one made the most people within the company or the people reading about it to be unable to restrain themselves from cracking a smile. In an abortive and eventually unpublished interview I did with Rolling Stone a long time ago, they were really gung-ho on the idea that what I was doing was performance art. And I really can’t disagree with that assessment.
What did you do that got you arrested?
I was arrested for unauthorized access to networks belonging to the New York Times and Reed Elsevier’s Lexis-Nexis’ site in violation of 18 U.S.C. 1030(a)(5)(A)(ii) and 1029(a)(2). Included as ‘relevant conduct’ in the complaint (conduct that is alleged and may be used to show that the defendant is generally a bad guy, but need not be proven beyond a reasonable doubt) were allegations that defendant Lamo had additionally compromised other corporate networks. These allegedly included Excite@Home, Yahoo, Microsoft, MCI Worldcom, SBC and Cingular… In the ultimate proceedings in USA v. Lamo, a conviction was secured only for the intrusions against the NYT, Lexis-Nexis, and Microsoft. All three were amalgamated in a single count.
Why did you do it? Excite@Home praised you at the time for notifying them of the security hole you found. Was your intention to point out security holes in the Web sites?
I’m grateful for the thanks Excite@Home, Google, MCI WorldCom and others extended me. But as for why I did it, I believe my actions, statements to date, and conduct speak for themselves. There’s nothing I could proffer that would say anything to the topic that has not already been said, although I reaffirm that I never sought to justify my actions then, and I don’t now. Some things don’t need explaining. I never considered myself all that technical, or a hacker. I still don’t. I was in the right place at the right time. I still am. But that’s more about religion than technology.
What happened with your case?
My plea agreement called for a minimum of six months custodial sentence. The judge was willing to sentence me to six months of house arrest and 24 months of probation, plus $60,000 in fines. I’m the last person in the world to say that what I did wasn’t illegal, or shouldn’t have been illegal because I was trying to help people out in the process. I knew all along it was illegal. I just figured that as long as I was committing a crime I might as well be a decent human being about it…I felt that actions have consequences and it probably couldn’t go on forever but God I liked the idea that it could happen for as long as it did.
Would you do it again?
The universe does not encourage repetition. What’s done has been done and it’s not there for replays. Perhaps more importantly, I’m not 19 or 20 anymore. I can’t go back and do it again and expect to have a normal life. I have a lot of avenues for curiosity for exploration, for absurdity, that are just as rewarding. As I said before, I’m not that technical a guy. It’s just that the technical aspects get the most attention. I still push the envelope really hard, but I am not going to give the government another opportunity to f*** with me. And I also want to point out that I pled guilty at the earliest opportunity because I was, in fact, guilty and because I had always said that I would. There were some aspects of the government’s case I had issues with, specifically that they brought my Microsoft intrusion into it where all I did was go to a URL that was just the default splash page; it didn’t require a password, it didn’t say it was confidential, and (it) served up the entire Microsoft customer database. And they added that to my restitution because clearly I have to pay Microsoft back for the immense effort it took them to not have their f***ing customer database not on a public facing web page. My God, that must have cost thousands. I’m being kind of dry there.
That’s what the $60,000 was for?
No. The $60,000 was for the New York Times, Microsoft, and Lexis-Nexis, roughly evenly split. Lexis-Nexis pissed them off a lot because I spent a good deal of time pulling information on people within the government. I searched for ownership information on every Crown Victoria Police Interceptor in the United States just for the hell of it. Things like that…I wanted to see who owned them in order to ascertain which fleet vehicles were actually part of the motor pool for federal law enforcement. I wish I remembered the guy’s name, but at one point I pulled up records of a credit card application for somebody with a really unusual name who was a Colombian drug figure who was supposedly dead but who apparently was alive and well in New York. And given that he wasn’t making any effort to hide his existence I can only assume that his existence there was sanctioned by the government, which is one of several reasons they were not terribly interested in going into too much detail about my Lexis-Nexis intrusion. Every time the U.S. Attorney’s office talked about what I did they said ‘Yeah, he searched for himself…’ There were literally hundreds of other people and they tried to play it off as an ego surfing spree.
What are you doing now?
At the moment I’m a threat analyst for a privately held company and I’m looking at an option as a staff scientist in what’s called ‘adversary characterization,’ figuring out who is going to break into your s*** before they do it and how they’re going to do it before they even formulate the plan. I’m not interested in narcing out hackers. These are exclusively pretty much foreign nationals with bad intentions.
Can you say what the company is you work for now and who you want to be a scientist for?
The privately held company is Reality Planning LLC and it would be inappropriate to specifically state who I would be a staff scientist for.
Is it the government?
I would not be in the employ of a government agency. No.
The sentencing you got, were you a minor at the time of the activity?
Negatory. My entire course of criminal conduct took place when I was an adult. I was 22 when they came for me…it was in 2003. And in 2004, I pled guilty.
Did they come bust down your door and seize your computers?
They never got my computers. They went to the wrong place. They went to my parents’ house assuming they would find me there. They surrounded it for several days and I ended up having to do a live local interview on a public street to prove I wasn’t there so they would leave my parents alone.
So how did you end up in custody?
I voluntarily surrendered after negotiations with the assistant U.S. Attorney who initially had the lead on the case. My conditions were that I wanted to know what I was being charged with because they hadn’t disclosed it. I wanted them to call the feds off my family, off my friends, and off me until I surrendered, and to their credit they were reasonable. They realized I was trying to do the right thing. They obliged. However, as just a very mild f*** you, I surrendered to the U.S. Marshals Service instead of the FBI to avoid giving them the opportunity to have me alone in a room.
You were dubbed the ‘homeless hacker.’ What was the situation?
You know you spend a couple years traveling the country around on Greyhound (bus) and you sleep in abandoned buildings and all of a sudden you’re the homeless hacker. It was entirely a media-created accolation. I don’t really care what terms people use to describe me. I’ve certainly been called worse. But it’s one of the things that evokes for me the sense that I’m talking about somebody else when I describe these things. I’m not talking about the Adrian Lamo who gets up in the morning and quibbles with supermarket clerks over a stacking coupon (using multiple coupons). I’m talking more about a media and public created persona that is a role that I stepped into and out of, and that’s not terribly unusual. We all have our own faces and personas that are developed to suit the situation…I have just had, I guess, more of a very conscious realization of it shoved in my face. But that’s not a complaint. I’m familiar with the news gathering process. I’m familiar with how stories get written. And I’ve never really tried to tell somebody how they should cover me because a lot of the time they’re going to do it their own way anyway. …
Any thoughts on getting on the wrong side of the law or reflections on what happened and where you’re going?
I can honestly say that I feel bad for the network administrators who had to get those calls from their bosses basically saying ‘Dude, what the f***?! We’re paying you to make these things not happen.’ One of the reasons that I think I was as sincerely remorseful as I was at my sentencing was that I felt bad for these guys. It was always easy for me to see it as kind of a consequence-free environment where nobody was really getting hurt and a lot of people tell me that if they had been doing their job right it never would have happened. But that’s bulls*** because you can’t protect against every possible eventuality. One of the outcomes I would have liked to have seen…is having computer intrusion that doesn’t have a profit motive no longer be seen as a catastrophic event, but rather something that a company can spin to its own advantage if it wants to. And that they can … evolve from. Stress causes complex systems to evolve and I think that aspect of it is beneficial. But I can’t help but feel bad for the people that got hurt along the way, be they the people on the other side of the wires or my own family or my friends who had to wonder why the hell the FBI was at their door. That said, I think that well-intentioned intrusion is very, very important to the security process and the process of the evolution of technology. We would not have the technology that we have today if it were not for people that had been willing to push the envelope; who had been willing to do things they may have been told were impossible or a dumb idea or just plain wrong.
I was absurdly lucky in my timing because sentences for hackers have gotten much less benign in recent years. I don’t think that’s a positive trend because legislation and litigation don’t create security…I also think the ostracism of people with a history of hacking is a very significant threat to the security community and to security in terms of national infrastructure because what we have right now are people who are hired to secure systems who have very often come from the same sort of educational background and they’ve read the same books. If when they were younger they ever asked somebody ‘What should I do to get started in security?’ they were likely to have been told ‘Well, install Linux…install these programs… learn to do this.’ And we’ve grown a crop of people who approach security in a very similar way. I do think my success at intrusion is a symptom of that, because I never took any formal classes or schooling in the area of security. I had no pre-defined or pre-taught conception about how you were supposed to break into systems. If 10 years ago somebody had said ‘You know what would totally break into this long list of incredibly secure companies? A web browser’ they probably would have been laughed off. And ostracizing and marginalizing people with public backgrounds in criminal hacking or potentially criminal hacking is by far and by large just leaving us with systems that are secured by people who all have very similar mind sets. I find recurring security problems, not identical in implementation, but in concept. That is to say people make the same kinds of mistakes over and over and I really can’t help but think that’s a result of their educational background when it comes to information security. We don’t have a diverse enough gene pool of thought in the area of security and it’s going to continue to bite us.
The standard excuse is to have security professionals say ‘Well, we have to be right all the time and they (hackers) only have to be right once.’ But that does not mitigate the fact that they often have no clear clue of what the newest kind of attack is going to be or how it’s going to be formulated.
Where did you go to school?
In terms of higher education, I was court-ordered to attend school after I was arrested and I studied journalism at American River College in Carmichael, Calif.