18
Mar 18

Adrian Lamo, ‘Homeless Hacker’ Who Turned in Chelsea Manning, Dead at 37

Adrian Lamo, the hacker probably best known for breaking into The New York Times‘s network and for reporting Chelsea Manning‘s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.

Adrian Lamo, in 2006. Source: Wikipedia.

I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.

The panoply of alternate nicknames he used on instant messenger in those days shed light on a personality not easily grasped: Protagonist, Bitter Geek, AmINotMerciful, Unperceived, Mythos, Arcane, truefaith, FugitiveGame.

In this, as in so many other ways, Lamo was a study in contradictions: Unlike most other hackers who break into online networks without permission, he didn’t try to hide behind the anonymity of screen names or Internet relay chat networks.

By the time I met him, Adrian had already earned the nickname “the homeless hacker” because he had no fixed address, and found shelter most evenings in abandoned buildings or on friend’s couches. He launched the bulk of his missions from Internet cafes or through the nearest available dial-up connections, using an old Toshiba laptop that was missing seven keys. His method was the same in every case: find security holes; offer to fix them; refuse payment in exchange for help; wait until hole is patched; alert the media.

Lamo had previously hacked into the likes of AOL Time Warner, ComcastMCI Worldcom, Microsoft, SBC Communications and Yahoo after discovering that these companies had enabled remote access to their internal networks via Web proxies, a kind of security by obscurity that allowed anyone who knew the proxy’s Internet address and port number to browse internal shares and other network resources of the affected companies.

By 2002, Lamo had taken to calling me on the phone frequently to relate his various exploits, often spoofing his phone number to make it look like the call had come from someplace ominous or important, such as The White House or the FBI. At the time, I wasn’t actively taking any measures to encrypt my online communications, or to suggest that my various sources do likewise. After a few weeks of almost daily phone conversations with Lamo, however, it became abundantly clear that this had been a major oversight.

In February 2002, Lamo told me that he’d found an open proxy on the network of The New York Times that allowed him to browse the newsroom’s corporate intranet. A few days after that conversation, Lamo turned up at Washingtonpost.com’s newsroom (then in Arlington, Va.). Just around the corner was a Kinkos, and Adrian insisted that I follow him to the location so he could get online and show me his discovery firsthand.

While inside the Times’ intranet, he downloaded a copy of the Times’ source list, which included phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures – including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. Lamo also added his own contact information to the file. My exclusive story in Newsbytes about the Times hack was soon picked up by other news outlets.

In August 2003, federal prosecutors issued an arrest warrant for Lamo in connection with the New York Times hack, among other intrusions. The next month, The Washington Post’s attorneys received a letter from the FBI urging them not to destroy any correspondence I might have had with Lamo, and warning that my notes may be subpoenaed.

In response, the Post opted to take my desktop computer at work and place it in storage. We also received a letter from the FBI requesting an interview (that request was summarily denied). In October 2003, the Associated Press ran a story saying the FBI didn’t follow proper procedures when it notified reporters that their notes concerning Lamo might be subpoenaed (the DOJ’s policy was to seek materials from reporters only after all other investigative steps had been exhausted, and then only as a last resort).

In 2004, Lamo pleaded guilty to one felony count of computer crimes against the Times, as well as LexisNexis and Microsoft. He was sentenced to six month’s detention and two years probation, an ordered to pay $65,000 in restitution.

Several months later while attending a formal National Press Foundation dinner at the Washington Hilton, my bulky Palm Treo buzzed in my suit coat pocket, signaling a new incoming email message. The missive was blank save for an unusually large attachment. Normally, I would have ignored such messages as spam, but this one came from a vaguely familiar address: adrian.lamo@us.army.mil. Years before, Lamo had told me he’d devised a method for minting his own .mil email addresses.

The attachment turned out to be the Times’ newsroom source list. The idea of possessing such information was at once overwhelming and terrifying, and for the rest of the evening I felt certain that someone was going to find me out (it didn’t help that I was seated adjacent to a table full of NYT reporters and editors). It was difficult not to stare at the source list and wonder at the possibilities. But ultimately, I decided the right thing to do was to simply delete the email and destroy the file.

EARLY LIFE

Lamo was born in 1981 outside of Boston, Mass. into an educated, bilingual family. Lamo’s parents say from an early age he exhibited an affinity for computers and complex problem solving. In grade school, Lamo cut his teeth on a Commodore64, but his parents soon bought him a more powerful IBM PC when they grasped the extent of his talents.

“Ever since he was very young he has shown a tendency to be a lateral thinker, and any problem you put in front of him with a computer he could solve almost immediately,” Lamo’s mother Mary said in an interview in 2003. “He has a gifted analytical mind and a natural curiosity.”

By the time he got to high school, Lamo had graduated to a laptop computer. During a computer class his junior year, Lamo upstaged his teacher by solving a computer problem the instructor insisted was insurmountable. After an altercation with the teacher, he was expelled. Not long after that incident, Lamo earned his high school equivalency degree and left home for a life on his own.

For many years after that he lived a vagabond’s existence, traveling almost exclusively on foot or by Greyhound bus, favoring the affordable bus line for being the “only remaining form of mass transit that offers some kind of anonymity.” When he wasn’t staying with friends, he passed the night in abandoned buildings or under the stars.

In 1995, Lamo landed contract work at a promising technology upstart called America Online, working on “PlanetOut.com,” an online forum that catered to the gay and lesbian community. At the time, advertisers paid AOL based on the amount of time visitors spent on the site, and Lamo’s job was to keep people glued to the page, chatting them up for hours at a time.

Ira Wing, a security expert at one of the nation’s largest Internet service providers, met Lamo that year at PlanetOut and the two became fast friends. It wasn’t long before he joined in one of Lamo’s favorite distractions, one that would turn out to be an eerie offshoot of the young hacker’s online proclivities: exploring the labyrinth of California’s underground sewage networks and abandoned mines.

Since then, Lamo kept in touch intermittently, popping in and out of Wing’s life at odd intervals. But Wing proved a trustworthy and loyal friend, and Lamo soon granted him power of attorney over his affairs should he run into legal trouble.

In 2002, Wing registered the domain “freeadrian.com,” as a joke. He’d later remark on how prescient a decision that had been.

“Adrian is like a fast moving object that has a heavy affect on anyone’s life he encounters,” Wing told this reporter in 2003. “And then he moves on.”

THE MANNING AFFAIR

In 2010, Lamo was contacted via instant message by Chelsea Manning, a transgender Army private who was then known as Bradley Manning. The Army private confided that she’d leaked a classified video of a helicopter attack in Baghdad that killed 12 people (including two Reuters employees) to Wikileaks. Manning also admitted to handing Wikileaks some 260,000 classified diplomatic cables.

Lamo reported the theft to the FBI. In explaining his decision, Lamo told news publications that he was worried the classified data leak could endanger lives.

“He was just grabbing information from where he could get it and trying to leak it,” Mr. Lamo told The Times in 2010.

Manning was later convicted of leaking more than 700,000 government records, and received a 35 year prison sentence. In January 2017, President Barack Obama commuted Manning’s sentence after she’d served seven years of it. In January 2018, Manning filed to run for a Senate seat in Maryland.

HOMELESS IN WICHITA

The same month he reported Manning to the feds, Lamo told Wired.com that he’d been diagnosed with Asperger Syndrome after being briefly hospitalized in a psychiatric ward. Lamo told Wired that he suspected someone had stolen his backpack, and that paramedics were called when the police responding to reports of the alleged theft observed him acting erratically and perhaps slurring his speech.

Wired later updated the story to note that Lamo’s father had reported him to the Sacramento Sheriff’s office, saying he was worried that his son was over-medicating himself with prescription drugs.

In 2011, Lamo told news outlet Al Jazeera that he was in hiding because he was getting death threats for betraying Manning’s confidence and turning him in to the authorities. In 2013, he told The Guardian that he’d struggled with substance abuse “for a while.”

It’s not yet certain what led to Lamo’s demise. He was found dead in a Wichita apartment on March 14. According to The Wichita Eagle, Lamo had lived in the area for more than a year. The paper quoted local resident Lorraine Murphy, who described herself as a colleague and friend of Lamo’s. When Murphy sent him a message in December 2016 asking him what he was up to, he reportedly replied “homeless in Wichita.”

“Adrian was always homeless or on the verge of it,” Murphy is quoted as saying. “He bounced around a great deal, for no particular reason. He was a believer in the Geographic Cure. Whatever goes wrong in your life, moving will make it better. And he knew people all over the country.”

The Eagle reports that Wichita police found no signs of foul play or anything suspicious about Lamo’s death. A toxicology test was ordered but the results won’t be available for several weeks.

Tags: , , , , , ,

72 comments

  1. Thank you for your touching remembrance, Brian.

    It reminds me of those fun and innocent days in 2004/2005 when the potential of the internet was limitless and security was a secondary [or tertiary] concern. It could be treated in a lighthearted fashion by people on couches.

    Now, it’s a bloody free-for-all of nation-states, vandals, corporate identity-mining, credit fraud, ransomware, credential theft, and resource appropriation. And it’s only been 14 years between then and now.

  2. Another great example of Adrian’s greatest skill: To manipulate mostly everyone he encounters, with an extra focus on journalists for the purpose of using them to further his over-exaggerated sense of self-importance.

    One day, all of the stories about his abuses against animals, women, and teens, mentally and physically, will come out by the victims who were once too scared to speak up. And the people who remember him as a “troubled soul” will stand with egg streaming down their faces.

    If you personally knew Adrian, you knew he was a true sociopathic megalomaniac.

    • How did he have so many friends then?

    • Got any evidence for the trolling comments you made? Of course not.

      • These facts are well known in the hacking scene, where he was widely despised, even before he sold out Manning for his 15 minutes. He stole exploits & claimed credit for the workd of others, he snitched people out and fucked people over,

        For instance, see https://m.facebook.com/story.php?story_fbid=10155138511467027&id=682962026 (I am not the author of this post)

        But keep sippin on that Adrian flavoured kool-aid.

        • sounds like adrian lamo was a modern day judas iscariot. seems to be allot of them running round teh interwebs these dayz. and some of them be big internwebz company ceo’s. just sayin.

    • I knew him personally and spent a lot of time with him. Yes, I do truly consider him a friend. He would crash at my place for weeks at a time so I got to know him pretty well. I was there for comcast to yahoo and even got a visit from the FBI because of nyt. I never would have gotten to meet people like Mitnick or Poulsen if it wasn’t for him. Even with his flaws he was good at bringing people together.

      I never once saw Adrian abuse anyone or any animal. If anything he was always on the defense in a community that he just didn’t feel accepted in. I’m not saying he was the complete victim here because he did have some personality traits that could rub people the wrong way. That’s probably on par with the majority of the people in the hacker community though.

      It’s sad that people constantly want to judge someone they probably didn’t even know. I guess that’s the internet for you though. Everyone wants to be that armchair expert on things they couldn’t even do themselves.

      Thank you Brian, this is by far the best article on him I’ve read. I have no doubt Adrian would have been very honored by it.

  3. Good riddance.

  4. Really interested to see how this story develops. Such and interesting and polarizing character. Why exactly do so many people get him?

  5. He was a snitch. What he did to manning was inexcusable.

    • …B Brodie,

      and what Manning did was … what? Heroic?

    • Let us not forget it was Manning who was charged and convicted. I guess leaking 700,000 government documents is okay. Too bad he/she was released by Obama.

  6. Adrian’s greatest “contribution” was to betray a friend and confidant to the US government. His fate was deserved and he can no longer harm others.

  7. When I was in third grade, I lived in a house whose locks used skeleton keys — generic keys you could buy at the hardware store, because they’d work in every skeleton key lock. Just like most John Deere tractors use the same key. And most Caterpillar tractors use a standardized Caterpillar key.

    At the same time, we had state-run mental institutions. We weren’t restricting the use of technology; we were locking-up the crazies. Kids would drive to school with stocked gun racks in the back of their pickups — they might do some competitive shooting after school, or some hunting — made sense to have your rifle handy.

    We’re now in an arms race where the content of your character — or your sanity — is thrown out the window….instead, we fixate on raiding cached speculative outcome information from processors and exploiting flaws in security workflows.

    • “Just like most John Deere tractors use the same key. And most Caterpillar tractors use a standardized Caterpillar key.”

      I’ve heard that pretty much ALL heavy equipment makers use the same equipment on all models. Do a web search for “heavy equipment keys” to find many vendors selling a huge key ring with one for each.

      The story goes that manufacturers were going to change that, and have their keys be more like autos. Construction companies said “no way.” For them, that would add huge inconvenience and little security. They’d have to make sure that the right workers have the right keys to do their jobs, while anyone who’s comfortable with stealing an excavator is probably also comfortable with smashing a window and hotwiring an engine. For anti-theft security, construction companies are not depending on ignition keys.

      I once spoke with someone who’s attended a huge construction equipment auction in Florida. He says that many people attending have keys to most of the equipment, and take the opportunity to do test-drives. Most of the excavators on display have holes scooped out of the ground next to them, and he witnessed someone unlock and start a bulldozer, push out a sizable pond in the ground, and then cover it all back level, park the dozer, and move on.

      • For the companies that want more security than a standardized key provides most equipment companies offer a keypad/PIN code type system… I’ve worked on Bobcats like that.

  8. I only talked to Adrian a couple of times via chat back in 2009, but there are several people in my social circle who were close to him. We’ll have to wait for the toxicology report to be sure, but I suspect it’ll show this to be an extreme example of unintentional self-harm.

    Adrian is the second notable to fall in the last seventy days – Jamie Cochran’s death remains a mystery, but she was also a big fish in the same pond.

    Bad news comes in sets of three, I wonder who else is skating on thin ice. Weev comes to mind first.

    • I don’t think Jaime belongs in the same category as Adrian, and certainly not in the same category as weev. She contributed a lot of positive things, along with her trolling, and will be missed. I think Adrian was probably not very nice. And I’m downright certain weev isn’t a good person.

      • Esther, you must not be aware that Jaime was weev’s best buddy and sidekick, partner in crime. They were even said to be lovers, or whatever, which might have been real or might have been for the shock value of weev being supposedly coupled up with a transgender person. Jaime was equally antisemitic and racist and harassing, right along with best friend weev.

    • Gee Neal, if you are imagining a trifecta, how about James McGibney? He seems quite a worthy candidate.

      • Someone reached out to me last night and suggested that James Dolan of SecureDrop fame was the first in the train of three, which makes sense.

        While Dolan, Cochrane, and Lamo had different attitudes and skills, they *HAD* skills, which is the minimum requirement for consideration.

    • Hi Neal-

      Brett Kimberlin wants you to give him a call.

      He’s getting the band back together.

  9. Lorraine Murphy is not a local resident of Kansas. She lives in Vancouver , BC, Canada. She is also known as
    @raincoaster She is a fake journalist who pretends to be friends with lots of hackers. Wise people would not believe a word she says or writes.

    • Hi Jack!

      I don’t live in Vancouver and haven’t in years, nothing about me is fake except for my hair colour, and I just had a story in the Guardian this weekend.

      Carry on.

  10. Brian, thank you for pointing out the shades of gray in a world that is becoming increasingly being perceived as high contrast black/white. I cheered when Chelsea was pardoned but am glad for your insights into the life of Adrian Lamo.

  11. The Sunshine State

    Another cyber-criminal diagnosed with Asperger Syndrome

  12. For all the naysayers and those with nothing but negativity to say about Adrian and others with similar backgrounds don’t forget that many of the new technologies and security products now available are due to their findings for which many never get any credit for….just because many companies were quick and eager to push their un-secure software out the door to the masses full of security holes these guys found and exploited doesn’t make them all criminals…..especially if they were notifying the companies involved of the holes they found before going public….stop being so high & mighty….why not direct your tirades at the companies putting out crappy software day in & day out…..

    • Here, here. Well said, Jason!

    • Thank you, Jason. I find all the negativity here today rather sad. Asperger’s is tough stuff. I know because I work with a folks who are developmentally disabled including Asperger’s. Regardless of anything he did or didn’t do, he was obviously brilliant and it is sad that his life ended so young.

    • People aren’t negative about Adrian because of his hacking history and security contributions (or lack thereof). People aren’t negative because about him because he has a criminal record. They are negative because he never really contributed anything meaningful to the scene yet continually spun the narrative to make himself appear relevant. He was a grade A attention whore who sold Chelsea Manning out for another fix of narcissistic supply.

  13. Interesting, but the name calling, bad. And the bit about ausbergers? So many way wrong. Painti g the many with such a broad brush. Bad. They are innovative without a bound. Usually able to extrapolate a solution without the steps necessary to prove a theory. But right or wrong, innovative.

  14. Lorraine Murphy is not a local Wichita resident. Lorraine Murphy is me, and I live in Canada.

    When Adrian was the admin of the 2600 The Hacker Quarterly Facebook group, I was elected to be admin as well. I reported to him for years and that’s how I got to know him.

    Pretty sure, as part of his job of surveillance on non-Americans abroad, he was watching me and several others I know.

    • Thank you, Lorraine Murphy for your courage by speaking out. I had no idea about the group on FB but I bet it was mighty interesting. Hope all is going well for you. I hope Adrian is resting in peace. How sad that no one was able to help him.

  15. It was good that he turned in the traitor Bradley Manning. Rest in Peace Adrian.

  16. I’ll miss you, Adrian. I admired your work and your wits. RIP

  17. Zachary Drummond

    Thank you for getting him right.
    He was hard to understand and you had to know him to get that about him, about his patience and his internal contradictions. You’re doing him a great service by writing this, but as you seem to be aware, nothing short of a book would properly capture him.

    He will be missed by many of us, and for those that don’t appreciate him, I understand. But I think if you knew him you’d probably change your mind.

  18. I chatted with Adrian a couple of time 12 or 15 years ago – didn’t find him to be that engineering savvy so we made no real connection. But I’ve been fairly disturbed to see the number of people expressing satisfaction or joy over his death. I can’t even count the number of hackers I’ve seen make bad or questionable decisions over the years. I long lost track of the folks who’ve ended up being manipulated by others for some ‘political’ purpose. We all do the best we can at any given time. I hope Andrian rests in peace, and I offer his family my condolences.

  19. Thanks, Brian.

  20. Lorraine Murphy @raincoaster is the one that left the Daily Dot and International Business Times with egg on their faces after they ran her ridiculous stories of the Rustle League hacking the lights at the Super Bowl and of same group hacking the twitter accounts of Anonymous. Murphy got kicked out of those publications and has since gone on to peddle stories to other unwary publications. Let the Buyer Beware.

    • Hi Ron. It IS Ron Brynaert, isn’t it?

      I have never worked for IBTimes. I left the DailyDot when they eviscerated my article on the j35t3r to suit him. And I have since moved on to Vanity Fair and The Guardian, which drives you mad, doesn’t it?

      You do you.

      • In all fairness, Lorraine, you have a number of unappreciative um… past acquaintances. I rarely hear you brought up in polite discussion without someone rolling their eyes immediately. That’s probably not because everybody is a jerk and you’re very pleasant.

  21. Let me guess, his death is the outcome of a robbery gone wrong.

    Regarding him reporting Manning to the FBI, he did the absolute right thing.

    Manning should still be in jail. Whatever the reason was it does not absolve of the crime.

  22. Adrian wasn’t a hacker. He was more of a celeb hacker, like mitnick. Let’s not hyperbolize his antics. He had script kiddie skills at best.

  23. Yeah, that’s how you diagnose Aspergers. They meet new people every day and love to change their habitual residence as often as possible. Never would they mind travelling just because they tend to sensual overload.
    Lord, please send more brain to Earth.

  24. I’m confused. You say he was born in 1981, don’t mention accelerated schooling, and in 1995 he’s working for AOL? They hired a 14 or 15 year old? Was he already homeless at that point? It sounds like it. Which means he must have graduated from high school at 14, at the latest. That’s impressive, if the dates are correct.

    • The article says he got contract work for aol. They probably had no idea of his age and did not care. He was working online and knew what he was doing and they sent him money for doing it. Big deal. I’ve known a lot of people doing online work at even younger ages. The article does not say he graduated from high school, it says he was expelled his junior year, then left home, then got his high school equivalency. This all makes sense to me. At about 14, working online for aol. At about 16 or 17, being expelled from school. Leaving home, living on his own, getting his high school equivalency. Which part of this does not make sense to you? A lot of people start making money as soon as they are able and a lot of people leave home as soon as they can. A lot of people work while in high school or even grade school. I personally started working for money when I was 12.
      A lot of people do. It depends on one’s needs, opportunities, and skill set. Not everyone grows up coddled by parents handing them everything.

      • Ok, most of that makes sense. Although where I live, you need a work permit to get an official job if you are under 16, and if AOL hired him without knowing his age, they may not have done so legally. Or perhaps he lied and got away with it.

        • He was working online, on a contract basis. It is extremely unlikely he filled out an application or ever met anyone connected to the company. He worked and they sent him money. They “knew him” by his reputation online. There are many people right now hiring people to do stuff online and they don’t have any idea of their real names, what nation they live in, let alone their ages. What is an “official job”? Those sort of things are not very common in online work.

      • Indeed. I had a friend in high school who dropped out at age 16, moved to California, and started doing contract work for game developers. By the time he was 18 he moved back with a bundle of money of questionable origin. His employers had basically abandoned him mid-development and left him to finish the titles, so he ended up with the last couple milestone payments since he was the only one left to do the work and they’d rather pay him and get the title vs. not pay him and not get the title. Lots of crazy stuff going on in game development those days, and it wasn’t small companies either. He was working on titles then for some of the biggest game companies around today.

        Basically if you had the skills back in the 80s and early 90s companies didn’t ask a whole lot of questions.

    • Around then it wasn’t uncommon for people [1][2] to get jobs w/ Netscape w/o diplomas/degrees.

      Within the Mozilla project, we had contributors [3] who weren’t Bar Mitzvah (13) — I attended one in SF.

      While it was possible to skip diplomas/degrees, there were indications that in the long run, the paper would have some residual value, although it was almost certainly more valuable to get the internship and be set to have a job upon graduation.

      [1] https://pavlovdotnet.wordpress.com/2008/10/23/ten-years/
      [2] https://en.wikipedia.org/wiki/Blake_Ross
      [3] http://mozillamemory.org/detailview.php?id=7594

      • Dandy Highwayman

        I believe this is the first time I have seen an online comment with footnotes and citations. Well done.

  25. So shocked and slightly sad to stumble across this post.

    I was randomly hacking and cracking on AOL/AIM years ago and wound up discovering Adrian Lamo amidst my escapade of taking over accounts.

    I spoke with him briefly about certain things once realizing who I had discovered. I wonder if I still have the logs for nostalgia.

    His screen name was “Alamo” and it was registered to a 2600.com email address. RIP Adrian RIP AOL d;-]

  26. A little known fact that might be of interest to this article is that from ’11 to ’15 following the Manning affair, he was living in Bogota, Columbia but suggesting to people that he was living in DC the entire time. He told me that recently in a discussion we had in August.