By Erin Sherbert
By Howard Cole
By Erin Sherbert
By Erin Sherbert
By Leif Haven
By Erin Sherbert
By Chris Roberts
By Kate Conger
There are many in the computer security industry who, while freely admitting they find some form of nobility in Lamo's peculiar brand of hacking, worry that those who follow his lead may do so not because they admire his spirit, but because they want to grab some headlines themselves.
"Benevolent hackers have been a piece of the computer underground for years," says Skoudis of Predictive Systems. "Adrian doesn't leave me ill at ease ... he's too smart. My fear is that it's not reproducible. Adrian does his thing, but Adrian is pretty decent about what he does; someone who doesn't have his skills, or his personality, could be like a bull in a china shop."
FBI officials, meanwhile, won't say whether the bureau has ever investigated any of Lamo's intrusions. "There's no way I'd be able to tell you that," a spokeswoman in the FBI's Washington, D.C., office says.
At one hotel in Washington, D.C., there's a vending machine that dispenses 20 cents in nickels every time it's hit with a Taser, an electric stun-gun meant for personal defense that is one of the more useful things Adrian Lamo has ever owned. "You never know what something's going to do when you Tase it," Lamo enthuses. "It's like the Swiss Army Knife of electronic devices."
It's a mild Sunday evening in late March, and Lamo has cashed in a gift card at Banana Republic for a new black jacket, which he wears over his usual dun-colored pants and boots. He's also sporting a new black shoulder bag -- complete with a sleeve on the strap for his cell phone -- that he bought, with another gift card, at the Gap. Protests against Operation Iraqi Freedom have roiled these streets in downtown San Francisco for much of the past two weeks, but Lamo has been away from the city, recuperating, again, from too many sleepless nights. Since turning 22, Lamo has noticed that his sleep schedule (or lack thereof) has been harder on him, and as we walk down the mostly empty streets, he stops to gaze in the window of a health food store. He's heard that some herbs and vitamins have anti-convulsive properties, which might help him stave off the spasms he suffers when he doesn't get enough rest. The convulsions are the result of a neurological disorder, which Lamo says stems from an amphetamine overdose he endured last year. As with most of the steady influences on Lamo's life, drug use is something he regards as a necessary element of his lifestyle -- which also includes mainlining caffeine-laced energy drinks like Red Bull, Jolt Cola, and Mountain Dew Code Red.
"I've resisted including this in news reports because I think it would make me intolerable to the government if I was advocating both intrusion and drug use, but substances that disassociate you from your senses have played a big part in my life," Lamo says. "The point, with substances, has always been to show myself where I can go without them. Drugs are not an indispensable part of my life. But there are times when I'd rather stay up until the next bus comes instead of curling up and finding my backpack gone when I wake. There are times I don't want to feel the pain."
He pauses, stops on a corner of the sidewalk in the Financial District, and waves his hand toward the nearest storefront. "This is my historic Kinko's," he says. "A great many of my compromises occurred here. I believe it's still 24-hours ..." Peering at the sign on the door, he steps back, aghast. "Goddamn it, it's not! How could they do this to me?" He shakes his head, then slips back into his role as tour guide. "It does not have a restroom but it has a vending machine, so I can keep the Code Red coming. So much miscellaneous stuff has happened from this Kinko's, from that far desk over there. Most of the exploration for the WorldCom intrusion happened here."
Before he penetrated the New York Times, Lamo's incursion into the troubled telecom giant WorldCom was perhaps his greatest coup. It was vintage Lamo: He was drifting around the company's site, with no preformed plans to hack it, when one thing led to another. Over a handful of all-day sprees -- "whenever I'd get bored and remember WorldCom," as he puts it -- Lamo got access to the company's internal system via open proxy servers, dedicated machines that act as a go-between for employees' computers and the Internet. This, too, is his trademark. Whereas most hackers obsess over known software vulnerabilities, endlessly scanning a company's security applications in the hopes of finding a random glitch, Lamo sneaks through these more nebulous, less intentionally geeky, holes. When brought online, proxy servers are often misconfigured, both accepting and forwarding connections from the outside as well as the inside, and Lamo can change his browser's preferences to match those of the proxy server.
Open proxy servers don't require a username or password, and once inside a company's system, Lamo hunts down passwords that enable him to view other pages on the company's own intranet. And this is one of Lamo's fundamental gripes: When you put a network, any network, online, you accept the responsibility for securing it, he says. And spending millions of dollars on front-door security software doesn't mean anything if the back door is wide open.