There is something about harboring a confessed criminal in your house that can bring new excitement to your life. Within minutes of meeting the so-called "homeless hacker" Adrian Lamo, he was showing me how to reprogram my cell phone. That is the kind of guy he is -- someone who has broken into numerous computer systems around the world and knows his way around the cell phone firmware, yet isn't afraid to share his knowledge with the common reporter. The funny thing was, he could remember the codes to get it into programming mode, but had trouble finding the phone's power switch. It was sort of cute, in a way.
You could say he is a criminal with a conscience, and I mean that in just the nicest way. When I told him to help himself to whatever he could forage in my fridge (which is always a risky proposition in even the best of times), he told me he boosted a yogurt. No, you didn't steal it, I offered it to you, I said. Then he told me his credo: "If you are going to be a criminal, you might as well be a trustworthy one." I completely agree. So have all the yogurts you can find, Adrian. In the meantime, I got to watch him in action and spend more time with him doing normal (i.e., non-computer-related) activities. It was a gas.
I guess a more prudent person wouldn't have offered his own sofa as a hacker crash pad, but there was something about my conversations with Lamo through the years that endeared him to me, and yes, made me trust him. Maybe it is his youthful exuberance. He is only 22 and still has that starry-eyed look about him. Maybe I find in him some of the same personality traits that I recall in the younger edition of myself long ago and in a galaxy far, far away. Maybe it was all of his storied exploits into various computer networks that he has helped himself to during the years. Maybe it was the same quality that attracted me to many of my high school students when I was teaching them about how to break into the school network and use hacker tools. After all, Lamo wasn't much older than my students when he got his start.
Above all, I was impressed with his intensity. He has to be that way to deal with what he's done over the past couple of years. He is completely self-trained, which is even more impressive given the knowledge that he has about computer networks and security practices. He told me he got his start when someone infected his PC with a virus, and he had to stop and figure out what made the virus work. From then on, he was hooked on computers.
I've corresponded with Lamo for about two years now. I finally got a chance to meet him and break bread with him this week, while he was in town to cop a plea. He has admitted to stealing information from the New York Times computer network and continues to be harassed by the FBI, despite his subsequent offer to show the Times how to protect itself from hackers like him
What distinguishes Lamo from many others that break into computer networks is that he is the first to bring open-source techniques to his stock in trade. He doesn't just try to force his way into vulnerable places over the Internet, but lets you know exactly what the weaknesses he observed and the methods he uses. He wants to share his knowledge with the rest of the world; in the hopes that many people will figure out ways to eliminate these sloppy security practices. In many cases, the methods are simplicity itself, with just a Web browser and little more than some savvy guessing about unprotected proxy servers. (Check out http://www.freelamo.org)
For those of you that don't know what these are, think of an open door that brings you into your data center, with no protection and allows you to bypass all kinds of perimeter security checks. In fact, an open proxy is much worse: it is really a transporter machine that can take you directly inside a corporate network, if you can figure it out. Every Web browser has a setting to use these proxy servers, and it can take seconds to set it up properly and connect to the right one, provided you know the IP address and the port number that it is using. Once you do connect, your session can become part of the trusted internal network, and just about every corporate security asset can be compromised.
Surprisingly, most corporations have these proxies running on their networks, and it isn't all that hard to find them. Indeed, there are several sites that keep track of them, including openproxies.com. Lamo told me that he occasionally uses these to hide some of his activities, and you too can mask your own identity (if that is what you so desire) by changing your browser proxy settings.
Of course, Lamo does get off on the street theater of it all. He likes to talk about his exploits, which is one of the reasons I guess that the FBI isn't thrilled with him to begin with. In his wake this week were other journalists and a videographer that might turn his exploits into a TV movie. But I have begun to think of him as more of a collector of digital assets. True, some of these are highly illegal and sensitive to the particular parties that he has collected them from, but how different is this from the average teenager who downloads buckets of MP3 files from Morpheus? Not all that much, if you start to think about it. Granted, the teen didn't have to break into a corporate network to find those MP3s, but shouldn't companies take better care of protecting their digital assets? Can't they learn from Lamo's exploits? One true thing: There is no such thing as a protected Web site. If you think your security is adequate, think again.
Lamo is now going to journalism school, which has a delicious irony to it. After spending so much time talking to journalists and being the subject of so much press, he now has a chance to get on the other side of the story and craft things his way. I wish him luck. He has the right combination of natural burning curiosity about the world around him coupled with an overpowering zeal to explain complex things in simple terms. And maybe he'll teach us old pros a few things about seeing the other side of our subjects as well. He certainly brought some new perspective to this grizzled veteran.
Entire contents copyright 2004 by David Strom, Inc.
David Strom, email@example.com, +1 (516) 562-7151
Port Washington NY 11050
Web Informant is (r) registered trademark with the
U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress
If you'd like to subscribe (issues are sent via email), please send an email to: