http://strom.com/awards/355.html
There is something about harboring a confessed criminal in
your house that can bring new excitement to your life. Within minutes of
meeting the so-called "homeless hacker" Adrian Lamo, he was showing
me how to reprogram my cell phone. That is the kind of guy he is -- someone who
has broken into numerous computer systems around the world and knows his way
around the cell phone firmware, yet isn't afraid to share his knowledge with
the common reporter. The funny thing was, he could remember the codes to get it
into programming mode, but had trouble finding the phone's power switch. It was
sort of cute, in a way.
You could say he is a criminal with a conscience, and I mean
that in just the nicest way. When I told him to help himself to whatever he
could forage in my fridge (which is always a risky proposition in even the best
of times), he told me he boosted a yogurt. No, you didn't steal it, I offered
it to you, I said. Then he told me his credo: "If you are going to be a
criminal, you might as well be a trustworthy one." I completely agree. So have all the
yogurts you can find, Adrian. In the meantime, I got to watch him in action and
spend more time with him doing normal (i.e., non-computer-related) activities.
It was a gas.
I guess a more prudent person wouldn't have offered his own
sofa as a hacker crash pad, but there was something about my conversations with
Lamo through the years that endeared him to me, and yes, made me trust him.
Maybe it is his youthful exuberance. He is only 22 and still has that
starry-eyed look about him. Maybe I find in him some of the same personality
traits that I recall in the younger edition of myself long ago and in a galaxy
far, far away. Maybe it was all of his storied exploits into various computer
networks that he has helped himself to during the years. Maybe it was the same
quality that attracted me to many of my high school students when I was
teaching them about how to break into the school network and use hacker tools.
After all, Lamo wasn't much older than my students when he got his start.
Above all, I was impressed with his intensity. He has to be
that way to deal with what he's done over the past couple of years. He is
completely self-trained, which is even more impressive given the knowledge that
he has about computer networks and security practices. He told me he got his
start when someone infected his PC with a virus, and he had to stop and figure
out what made the virus work. From then on, he was hooked on computers.
I've corresponded with Lamo for about two years now. I
finally got a chance to meet him and break bread with him this week, while he
was in town to cop a plea. He has admitted to stealing information from the New
York Times computer network and continues to be harassed by the FBI, despite his subsequent offer to show the Times how to
protect itself from hackers like him.
What distinguishes Lamo from many others who break into
computer networks is that he is the first to bring open-source techniques to
his stock in trade. He doesn't just try to force his way into vulnerable places
over the Internet, but lets you know exactly what weaknesses he observed
and the methods he uses. He wants to share his knowledge with the rest of the world,
in the hopes that many people will figure out ways to eliminate these sloppy
security practices. In many cases, the methods are simplicity itself, with just
a Web browser and little more than some savvy guessing about unprotected proxy
servers. (Check out http://www.freelamo.org)
For those of you who don't know what these are, think of an
open door that brings you into your data center with no protection and allows
you to bypass all kinds of perimeter security checks. In fact, an open proxy is
much worse: it is really a transporter machine that can take you directly
inside a corporate network, if you can figure it out. Every Web browser has a
setting to use these proxy servers, and it can take seconds to set it up
properly and connect to the right one, provided you know the IP address and the
port number that it is using. Once you do connect, your session can become part
of the trusted internal network, and just about every corporate security asset
can be compromised.
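From the defender's side, the exposure described above shows up in the proxy's own access log as requests from outside addresses that the proxy actually served. The sketch below is an added example, not part of the original column; the four-field log format, the sample lines, and the internal address ranges are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the address ranges this organisation treats as "inside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, simplified to: client_ip method target status
SAMPLE_LOG = """\
10.1.4.22 GET http://www.example.com/index.html 200
203.0.113.77 GET http://www.example.org/ 200
203.0.113.77 GET http://10.1.9.5/hr/directory 200
198.51.100.9 CONNECT 192.168.20.11:443 200
198.51.100.9 GET http://10.1.9.5/admin 403
not a log line
"""

def is_internal(host):
    """True if host is an IP literal inside INTERNAL_NETS; names count as unknown."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def target_host(method, target):
    """Extract the destination host from a proxy request line."""
    if method == "CONNECT":            # CONNECT carries host:port, no scheme
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""

def audit(log_text):
    """Return (severity, client, target) for each served request from an outside client."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                   # skip malformed lines
        client, method, target, status = parts
        if is_internal(client) or not status.startswith("2"):
            continue                   # inside user, or the proxy refused
        reaches_inside = is_internal(target_host(method, target))
        severity = "PERIMETER-BYPASS" if reaches_inside else "OPEN-RELAY"
        findings.append((severity, client, target))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any finding at all means the proxy answers clients it should refuse; the fix is an access rule that limits proxy use to inside addresses, with the log check kept as a regression test.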
Surprisingly, most corporations have these proxies running
on their networks, and it isn't all that hard to find them. Indeed, there are
several sites that keep track of them, including openproxies.com. Lamo told me
that he occasionally uses these to hide some of his activities, and you too can
mask your own identity (if that is what you so desire) by changing your browser
proxy settings.
Of course, Lamo does get off on the street theater of it
all. He likes to talk about his exploits, which is one of the reasons I guess
that the FBI isn't thrilled with him to begin with. In his wake this week were
other journalists and a videographer who might turn his exploits into a TV
movie. But I have begun to think of him as more of a collector of digital
assets. True, some of these are highly illegal and sensitive to the particular
parties that he has collected them from, but how different is this from the
average teenager who downloads buckets of MP3 files from Morpheus? Not all that
much, if you start to think about it. Granted, the teen didn't have to break
into a corporate network to find those MP3s, but shouldn't companies take
better care of protecting their digital assets? Can't they learn from Lamo's
exploits? One true thing: There is no such thing as a protected Web site. If
you think your security is adequate, think again.
Lamo is now going to journalism school, which has a
delicious irony to it. After spending so much time talking to journalists and
being the subject of so much press, he now has a chance to get on the other
side of the story and craft things his way. I wish him luck. He has the right
combination of natural burning curiosity about the world around him coupled
with an overpowering zeal to explain complex things in simple terms. And maybe
he'll teach us old pros a few things about seeing the other side of our
subjects as well. He certainly brought some new perspective to this grizzled
veteran.
Entire contents copyright 2004 by David Strom, Inc.
David Strom, dstrom@cmp.com, +1 (516) 562-7151
Port Washington NY 11050
Web Informant is (r) registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress
If you'd like to subscribe (issues are sent via email), please send an email to:
mailto:Informant-request@avolio.com?body=subscribe.