Posts Tagged: Chelsea Manning


18
Mar 18

Adrian Lamo, ‘Homeless Hacker’ Who Turned in Chelsea Manning, Dead at 37

Adrian Lamo, the hacker probably best known for breaking into The New York Times‘s network and for reporting Chelsea Manning‘s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.

Adrian Lamo, in 2006. Source: Wikipedia.

I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.

The panoply of alternate nicknames he used on instant messenger in those days shed light on a personality not easily grasped: Protagonist, Bitter Geek, AmINotMerciful, Unperceived, Mythos, Arcane, truefaith, FugitiveGame.

In this, as in so many other ways, Lamo was a study in contradictions: Unlike most other hackers who break into online networks without permission, he didn’t try to hide behind the anonymity of screen names or Internet relay chat networks.

By the time I met him, Adrian had already earned the nickname “the homeless hacker” because he had no fixed address, and found shelter most evenings in abandoned buildings or on friend’s couches. He launched the bulk of his missions from Internet cafes or through the nearest available dial-up connections, using an old Toshiba laptop that was missing seven keys. His method was the same in every case: find security holes; offer to fix them; refuse payment in exchange for help; wait until hole is patched; alert the media.

Lamo had previously hacked into the likes of AOL Time Warner, ComcastMCI Worldcom, Microsoft, SBC Communications and Yahoo after discovering that these companies had enabled remote access to their internal networks via Web proxies, a kind of security by obscurity that allowed anyone who knew the proxy’s Internet address and port number to browse internal shares and other network resources of the affected companies.

By 2002, Lamo had taken to calling me on the phone frequently to relate his various exploits, often spoofing his phone number to make it look like the call had come from someplace ominous or important, such as The White House or the FBI. At the time, I wasn’t actively taking any measures to encrypt my online communications, or to suggest that my various sources do likewise. After a few weeks of almost daily phone conversations with Lamo, however, it became abundantly clear that this had been a major oversight.

In February 2002, Lamo told me that he’d found an open proxy on the network of The New York Times that allowed him to browse the newsroom’s corporate intranet. A few days after that conversation, Lamo turned up at Washingtonpost.com’s newsroom (then in Arlington, Va.). Just around the corner was a Kinkos, and Adrian insisted that I follow him to the location so he could get online and show me his discovery firsthand.

While inside the Times’ intranet, he downloaded a copy of the Times’ source list, which included phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures – including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. Lamo also added his own contact information to the file. My exclusive story in Newsbytes about the Times hack was soon picked up by other news outlets.

In August 2003, federal prosecutors issued an arrest warrant for Lamo in connection with the New York Times hack, among other intrusions. The next month, The Washington Post’s attorneys received a letter from the FBI urging them not to destroy any correspondence I might have had with Lamo, and warning that my notes may be subpoenaed.

In response, the Post opted to take my desktop computer at work and place it in storage. We also received a letter from the FBI requesting an interview (that request was summarily denied). In October 2003, the Associated Press ran a story saying the FBI didn’t follow proper procedures when it notified reporters that their notes concerning Lamo might be subpoenaed (the DOJ’s policy was to seek materials from reporters only after all other investigative steps had been exhausted, and then only as a last resort).

In 2004, Lamo pleaded guilty to one felony count of computer crimes against the Times, as well as LexisNexis and Microsoft. He was sentenced to six month’s detention and two years probation, an ordered to pay $65,000 in restitution.

Several months later while attending a formal National Press Foundation dinner at the Washington Hilton, my bulky Palm Treo buzzed in my suit coat pocket, signaling a new incoming email message. The missive was blank save for an unusually large attachment. Normally, I would have ignored such messages as spam, but this one came from a vaguely familiar address: adrian.lamo@us.army.mil. Years before, Lamo had told me he’d devised a method for minting his own .mil email addresses.

The attachment turned out to be the Times’ newsroom source list. The idea of possessing such information was at once overwhelming and terrifying, and for the rest of the evening I felt certain that someone was going to find me out (it didn’t help that I was seated adjacent to a table full of NYT reporters and editors). It was difficult not to stare at the source list and wonder at the possibilities. But ultimately, I decided the right thing to do was to simply delete the email and destroy the file. Continue reading →