Lamo’s unauthorized entry into the Times’ site last month, where he also accessed sensitive employee payroll accounts and subscriber information, was not his first such escapade. During the past year, he has altered a news story on the Yahoo! site and made illegal entries into the AOL, Microsoft and WorldCom networks. Each time, he followed up by contacting the breached sites, informing authorities of security lapses, and sometimes even helping to plug the holes (without pay).

So far, Lamo’s cooperative attitude apparently has enabled him to escape prosecution for hacking, a federal crime that can carry a jail sentence of five to 10 years. But that could change as U.S. lawmakers take a fresh look at punishing those who crack Internet security codes. On Feb. 29, panels from House and Senate Judiciary committees met to consider enacting stricter cybercrime laws in the aftermath of a spate of high-profile hacking incidents. Other recent anti-hacking legislation includes the USA Patriot Act, which expands federal prosecutorial power to any hacker who affects U.S. commerce or communication, even if the hacker and the computer system hacked are both located outside of the United States, and the Cyber Security Enhancement Act of 2002, which calls for tougher sentencing guidelines for hackers.

Lamo spoke to NEWSWEEK’s Karen Fragala about hacker “ethics,” the threat of cyberterrorism and the controversial new Internet security laws.

NEWSWEEK: Should companies consider you a threat or a help to their network security?

Adrian Lamo: I’m not leaning on them to consider me one way or another. If their interests are threatened by full disclosure of their vulnerabilities, then they need to consider why it is threatening to them, and what we can do to make it less of a threat.

You don’t get paid for exposing these security breaches. So why do you do it?

There is no motivation behind the process other than the fact that in moving around networks, I try to apply the same sort of interests and approaches as I do in real life. I try to learn all I can about my surroundings and not rely on what has been published to inform me about what I am interested in. As a side effect of that, security compromises do happen sometimes online, and I figure that as long as I am doing that, I might as well do it in the best possible way.

Is it really that difficult to secure a Web site?

Securing a Web site or an Internet property is easy in the sense that there are things you can put in place, like firewalls, to minimize your chances of becoming yet another Internet crime statistic. On the other hand, it is also an incredibly complicated process. The more involved your network becomes, the more exposure you have, and I would say that for any corporate network, it is impossible to build a completely secure network.

Aside from misconfigured proxy servers, what are the top causes of network vulnerabilities? Are administrators incompetent or lazy?

The people that build these networks are not incompetent, but they are mainly from corporate security, intelligence and law enforcement backgrounds and have gone to seminars to learn how to set up secure networks. When you have a generation both at home and abroad that has grown up around these networks, the approach they are going to take toward intrusion is not going to mesh with what [they] have been taught on how to secure network systems. So there is a divide between the security that is being deployed, and the effects that are going to be seen as more people have an intuitive grasp of how these things work.

Do you think that your work is beneficial to society?

I don’t believe that anything is really ever wasted. I think that, regardless of the short-term positive or negative consequences, it all contributes to both the evolution of society and the evolution of the universe that we live in as a whole. It’s easy to look at the immediate negative effects of something or the positive effects of something, but I think that it’s important that these things happen to further a more evolved Internet, and a more evolved universe.

How do you choose your corporate “victims?”

It is random, sort of keeping with the auditing scheme that goes on when I am exploring a target. Rather than having a sequential model when I am approaching a network, I operate on a less linear and more intuitive level.

What is the likelihood that someone with your skills, but less benevolent intentions, could cause serious damage through something like cyberterrorism or identity theft? What is the worst that could happen?

Any resource that is made available to people always has the potential for being misused. The more power that we invest in these resources, the easier we make it to accomplish significant ends through the click of a mouse. So far, almost all of the computer crime that we have seen has been regular mundane crime transferred into the Internet medium, but there is no limit to human ingenuity in that department. Although you really can’t overstate the risk, it is another aspect of the Net that will balance itself out in the long term.

You’ve been portrayed as an “ethical hacker” because you always use your real name, you notify network administrators after a security breach, and you don’t accept payment for helping to fill those gaps. What would cross over your line of ethics?

I don’t have a book of ethics that I work from. I don’t necessarily feel that doing things the way that I do them makes what I do somehow better than how anyone else does it; that’s one of the foibles of how I do things.

You sleep in your car, work off your laptop at Kinko’s, live off your savings and travel around the country at random. Why do you live like this, instead of using your skills to make a reasonable salary?

I’ve considered the whole corporate thing, and at this point in my life, I don’t want to end up in a job where the job will eventually be something that can be leveraged against me, [when someone says] “Well, gosh, Adrian, you don’t want to lose this job, so you better do things our way.”

Also, I did a lot of work for non-profits in the San Francisco area early on, and one of the things that I saw was that people went in at a young age, totally motivated to be doing what they wanted to do, only to end up a few years down the road embittered about whatever they were passionate about before. I don’t want to take something that I am subjectively good at and turn it into something that I have to dread going to work every morning and doing. Maybe I’m just protecting myself with a little reality bubble around me, but it’s worked out so far.

You’ve protested publicly against cyber legislation such as the Digital Millennium Copyright Act, the anti-piracy law that makes it a crime to circumvent software licensing measures, forbids the distribution of illegally-copied software and requires Webcasters to pay licensing fees to record labels when using their music. Do corporations deserve to have any rights in protecting their own interests?

“Deserve” is a tricky concept. The only thing that I could say they deserve is whatever they can procure for themselves. It would be nice if the interests of the Internet civil liberties strata and the interests of the corporations were not mutually exclusive. There is a certain amount of artificial debate that goes on because a lot of legislation is so ridiculously restrictive that one couldn’t really hope to enforce it and make a lasting change on the Net. You can’t take a medium that is inherently about the free exchange of information and expect that passing a law is somehow going to curtail that indefinitely and totally.

Are companies doing enough to ensure their own network security and fight unauthorized breaches?

Everyone does what they have to. I don’t think that any company can ever expect to be completely secure, and I don’t think that is desirable. These intrusions are important to the growth of the Internet medium. A lot of security efforts are lackadaisical on a lot of fronts. People are not doing everything that they reasonably could, but even if they were, there is nothing that they could do to prevent intrusion altogether.

Should cybercrimes be prosecuted?

I’m not a legislator and I don’t have standing to make a call on that one way or another.

Do you see yourself in any danger of being prosecuted?

I’m very aware of the possibility of being prosecuted. I don’t feel that I’m in any way above the law, and I don’t feel that I should be treated differently just because I do things in a way that could be construed as being ethical…

I understand that I am subject to their legal penalties, but I don’t think that I could feel well about myself if I let my actions be guided by fear in that respect.

How could the increasingly punitive measures in cybercrime laws Congress is trying to pass right now (doubling prison time for hackers, for example) affect the evolution of the Internet?

When laws of that nature come to pass, you generally see that there is some deterrence among segments of the population that are more likely to be deterred, the people who are not seriously committed to the illegal activity in question. Conversely, the people that are left practicing are the hard-core criminals. It would cut down some of the casual hacking, certainly not all of it, but it would also intensify the criminal aspect of network intrusion.