• On MovieTome: See Scarlett Johansson in 'Iron Man 2'
June 24, 2009 4:00 AM PDT

Q&A: Adrian Lamo, the hacker philosopher

by Elinor Mills

When Adrian Lamo first started compromising Web sites and alerting the owners to the security holes, he was thanked, until he struck the likes of The New York Times and Microsoft.

He spent six months on home detention and studied journalism before becoming a threat analyst.

Motivated by the process of hacking and delighted by the unexpected opportunities that could arise, Lamo spent time doing things like responding to customer help desk requests he discovered languishing in the networks he broke into.

In the third of a three-part Q&A series with hackers, Lamo, now 28, talks about his "hack value," his remorse for the trouble he caused network administrators, and how he hopes to make people smile.

Adrian Lamo

(Credit: Matthew Griffiths)

Q: How did you get started hacking?
I was around computers as a very young child. I had a Commodore 64 when I was like 6 or so. And my first interest in seeing how things worked behind the scenes wasn't all about technology necessarily, and my interest in what you might call hacking isn't really primarily about technology...It's not sexy when I'm exploring less obvious aspects of the world that don't involve multibillion-dollar corporations. There's a certain amount of tunnel vision there.

As a kid, before I ever was interested in how my computer worked behind the scenes as opposed to just say popping in a soccer game cartridge and running it, I was already much more interested in figuring out, say, the school public address system or the garbage schedule to the office so I could grab the memos that teachers had discarded on the way to class to know what it was they were meeting about, when the fire drills were, things like that and not for even any real particular purpose.

(It was) just because I wanted to know and was fascinated by the fact that it was another layer that I, as a very young student never saw. I could totally tell you a story about some epiphany I had working with computers as a kid and it might even be true in some respects, but it wouldn't be the story.

It's not about passion for the technology? It was more about how to get information?
Are you familiar with the term hack value?...It's defined on Wikipedia and I was actually not familiar with it until somebody hyperlinked my Wikipedia article from it as an example of somebody with an appreciation for hack value and then I realized I totally am. It's 'the notion among hackers that something is worth doing or is interesting. This is something that hackers often feel intuitively about a problem or solution; the feeling approaches the mystical for some.' (the word "mystical" links to Lamo's Wiki entry) It's not that it's about the information...it's always been for me about the process, which is why I can say without exaggeration at all that no system I compromised used a published or unpublished 'exploit' in that I wasn't looking for buffer overflows or flaws in the software. I was just trying to take normal every day information resources and arrange them in improbable ways. I didn't spend time downloading databases of customer information.

One example is Excite@Home, which of course no longer exists per se. When I compromised them I had full access to the customer data, including credit card data in full text. That was of no interest to me. What I thought was really cool, what had hack value to me was that I could log in to support accounts that they didn't check anymore and answer help desk requests from users who otherwise would never get an answer. I love the f*** out of the idea of living in a world where something like that can happen; where you can submit a help desk request that a company is going to ignore and along comes a hacker and says 'no, this is totally what you need to do to fix that.'

Did you answer them?
Yes. I answered probably close to 100. In at least one instance, I called the guy at home because he had written in saying that somebody on Internet Relay Chat had scrolled (through) his billing information during a dispute as a way of saying 'ha ha! You're owned. I know everything about you.' He had complained and Excite had determined that it was probably one of their outsourced help desk employees. So, as a result, they were going to take no further action and they never got back to the guy. He was in Canada...I told him...I felt bad you never got a reply...and so I sent him the full minutes and full logs of all e-mail correspondence between the Excite employees saying 'This guy got shafted but we're not going do anything about it.'

What did he say?
He was just happy that somebody got back to him; that somebody took the time to treat his concern like it was worth a damn. It's one of my frequent quotes, that I believe in a world where all these things can happen even if I have to do them all myself. I think we would live in a far more boring world if that chain of events could not transpire and the reason that...discussions about my intrusions made so many allusions to faith and a sense of purpose is that I do truly and very much believe that the universe appreciates irony; that the universe appreciates absurdity. And if we're here for any purpose it's to create novel situations that were heretofore unique in the human experience. (Sci-fi author) Spider Robinson has a fantastic quote: 'If a person who indulges in gluttony is a glutton, and a person who commits a felony is a felon, then God is an iron.' That's pretty much what I mean by hack value. It's not about how big the company was or how sensitive the information was, but more about with how much vigor I could say 'what are the odds?'

For the challenge and the fun?
No. Well, yes and no. The fun yes. But the challenge is secondary and not immaterial, but honestly security at most major companies is not all that challenging. It's finding ways to apply the insecurity in a way that makes it more than just some guy breaking in and stealing data, but rather turn it into an experience that is novel; that I can look at and re-tell and have even the people that I have hacked get a laugh out of it, that's really what it's more about. If I wanted a real challenge I would have gone with more technical means. But I guess you could also say that compromising a company using Internet Explorer on a Windows 98 machine could be considered challenging in its own right to some people.

When did you first start compromising Web sites?
(When did they put) Internet Web sites on port 80? I don't know. Maybe 1996. Earlier with other Internet services. I'd spend hours at the San Francisco Public Library, using their Internet terminals to telnet out to other systems, including ones that let me use their own modems to dial out.

So what is the hack you are the most proud of, or that you enjoyed the most?
Whichever one made the most people within the company or the people reading about it to be unable to restrain themselves from cracking a smile. In an abortive and eventually unpublished interview I did with Rolling Stone a long time ago, they were really gung-ho on the idea that what I was doing was performance art. And I really can't disagree with that assessment.

What did you do that got you arrested?
I was arrested for unauthorized access to networks belonging the New York Times and Reed Elsevier's Lexis-Nexis' site in violation of 18 U.S.C.1030(a)(5)(A)(ii) and 1029(a)(2). Included as 'relevant conduct' in the complaint (conduct that is alleged and may be used to show that the defendant is generally a bad guy, but need not be proven beyond a reasonable doubt) were allegations that defendant Lamo had additionally compromised other corporate networks. These allegedly included Excite@Home, Yahoo, Microsoft, MCI Worldcom, SBC and Cingular... In the ultimate proceedings in USA v. Lamo, a conviction was secured only for the intrusions against the NYT, Lexis-Nexis, and Microsoft. All three were amalgamated in a single count.

Why did you did it? Excite@Home praised you at the time for notifying them of the security hole you found. Was your intention to point out security holes in the Web sites?
I'm grateful for the thanks Excite@Home, Google, MCI WorldCom and others extended me. But as for why I did it, I believe my actions, statements to date, and conduct speak for themselves. There's nothing I could proffer that would say anything to the topic that has not already been said, although I reaffirm that I never sought to justify my actions then, and I don't now. Some things don't need explaining.

I never considered myself all that technical, or a hacker. I still don't. I was in the right place at the right time. I still am. But that's more about religion than technology.

What happened with your case?
My plea agreement called for a minimum of six months custodial sentence. The judge was willing to sentence me to six months of house arrest and 24 months of probation, plus $60,000 in fines. I'm the last person in the world to say that what I did wasn't illegal, or shouldn't have been illegal because I was trying to help people out in the process. I knew all along it was illegal. I just figured that as long as I was committing a crime I might as well be a decent human being about it...I felt that actions have consequences and it probably couldn't go on forever but God I liked the idea that it could happen for as long as it did.

Would you do it again?
The universe does not encourage repetition. What's done has been done and it's not there for replays. Perhaps more importantly, I'm not 19 or 20 anymore. I can't go back and do it again and expect to have a normal life. I have a lot of avenues for curiosity for exploration, for absurdity, that are just as rewarding. As I said before, I'm not that technical a guy. It's just that the technical aspects get the most attention. I still push the envelope really hard, but I am not going to give the government another opportunity to f*** with me. And I also want to point out that I pled guilty at the earliest opportunity because I was, in fact, guilty and because I had always said that I would. There were some aspects of the government's case I had issues with, specifically that they brought my Microsoft intrusion into it where all I did was go to a URL that was just the default splash page; it didn't require a password, it didn't say it was confidential, and (it) served up the entire Microsoft customer database. And they added that to my restitution because clearly I have to pay Microsoft back for the immense effort it took them to not have their f***ing customer database not on a public facing web page. My God, that must have cost thousands. I'm being kind of dry there.

That's what the $60,000 was for?
No. The $60,000 was for the New York Times, Microsoft, and Lexis-Nexis, roughly evenly split. Lexis-Nexis pissed them off a lot because I spent a good deal of time pulling information on people within the government. I searched for ownership information on every Crown Victoria Police Interceptor in the United States just for the hell of it. Things like that...I wanted to see who owned them in order to ascertain which fleet vehicles were actually part of the motor pool for federal law enforcement.

I wish I remembered the guy's name, but at one point I pulled up records of a credit card application for somebody with a really unusual name who was a Colombian drug figure who was supposedly dead but who apparently was alive and well in New York. And given that he wasn't making any effort to hide his existence I can only assume that his existence there was sanctioned by the government, which is one of several reasons they were not terribly interested in going into too much detail about my Lexis-Nexis intrusion. Every time the U.S. Attorneys office talked about what I did they said 'Yeah, he searched for himself... there were literally hundreds of other people and they tried to play it off as an ego surfing spree.

What are you doing now?
At the moment I'm a threat analyst for a privately held company and I'm looking at an option as a staff scientist in what's called 'adversary characterization,' figuring out who is going to break into your s*** before they do it and how they're going to do it before they even formulate the plan. I'm not interested in narcing out hackers. These are exclusively pretty much foreign nationals with bad intentions.

Can you say what the company is you work for now and who you want to be a scientist for?
The privately held company is Reality Planning LLC and it would be inappropriate to specifically state who I would be a staff scientist for.

Is it the government?
I would not be in the employ of a government agency. No.

The sentencing you got, were you a minor at the time of the activity?
Negatory. My entire course of criminal conduct took place when I was an adult. I was 22 when they came for me...it was in 2003. And in 2004, I plead guilty.

Did they come bust down your door and seize your computers?
They never got my computers. They went to the wrong place. They went to my parents' house assuming they would find me there. They surrounded it for several days and I ended up having to do a live local interview on a public street to prove I wasn't there so they would leave my parents alone.

So how did you end up in custody?
I voluntarily surrendered after negotiations with the assistant U.S. Attorney who initially had the lead on the case. My conditions were that I wanted to know what I was being charged with because they hadn't disclosed it. I wanted them to call the feds off my family, off my friends, and off me until I surrendered, and to their credit they were reasonable. They realized I was trying to do the right thing. They obliged. However, as just a very mild f*** you, I surrendered to the U.S. Marshals Service instead of the FBI to avoid giving them the opportunity to have me alone in a room.

You were dubbed the 'homeless hacker.' What was the situation?
You know you spend a couple years traveling the country around on Greyhound (bus) and you sleep in abandoned buildings and all of a sudden you're the homeless hacker. It was entirely a media-created accolation. I don't really care what terms people use to describe me. I've certainly been called worse. But it's one of the things that evokes for me the sense that I'm talking about somebody else when I describe these things. I'm not talking about the Adrian Lamo who gets up in the morning and quibbles with supermarket clerks over a stacking coupon (using multiple coupons). I'm talking more about a media and public created persona that is a role that I stepped into and out of, and that's not terribly unusual. We all have our own faces and personas that are developed to suit the situation...I have just had, I guess, more of a very conscious realization of it shoved in my face. But that's not a complaint. I'm familiar with the news gathering process. I'm familiar with how stories get written. And I've never really tried to tell somebody how they should cover me because a lot of the time they're going to do it their own way anyway. ...

Any thoughts on getting on the wrong side of the law or reflections on what happened and where you're going?
I can honestly say that I feel bad for the network administrators who had to get those calls from their bosses basically saying 'Dude, what the f***?! We're paying you to make these things not happen.' One of the reasons that I think I was as sincerely as remorseful as I was at my sentencing was that I felt bad for these guys. It was always easy for me to see it as kind of a consequence-free environment where nobody was really getting hurt and a lot of people tell me that if they had been doing their job right it never would have happened. But that's bulls*** because you can't protect against every possible eventuality.

One of the outcomes I would have liked to have seen...is having computer intrusion that doesn't have a profit motive no longer be seen as a catastrophic event, but rather something that a company can spin to its own advantage if it wants to. And that they can ... evolve from. Stress causes complex systems to evolve and I think that aspect of it is beneficial. But I can't help but feel bad for the people that got hurt along the way, be they the people on the other side of the wires or my own family or my friends who had to wonder why the hell the FBI was at their door.

That said I think that well-intentioned intrusion is very, very important to the security process and the process of the evolution of technology. We would not have the technology that we have today if it were not for people that had been willing to push the envelope; who had been willing to do things they may have been told were impossible or a dumb idea or just plain wrong.

Anything else?
I was absurdly lucky in my timing because sentences for hackers have gotten much less benign in recent years. I don't think that's a positive trend because legislation and litigation don't create security...I also think the ostracism of people with a history of hacking is a very significant threat to the security community and to security in terms of national infrastructure because what we have right now are people who are hired to secure systems who have very often come from the same sort of educational background and they've read the same books. If when they were younger they ever asked somebody 'What should I do to get started in security?' they were likely to have been told 'Well, install Linux...install these programs... learn to do this. And we've grown a crop of people who approach security in a very similar way.

I do think my success at intrusion is a symptom of that, because I never took any formal classes or schooling in the area of security. I had no pre-defined or pre-taught conception about how you were supposed to break into systems. If 10 years ago somebody had said 'You know what would totally break into this long list of incredibly secure companies? A web browser' they probably would have been laughed off. And ostracizing and marginalizing people with public backgrounds in criminal hacking or potentially criminal hacking is by far and by large just leaving us with systems that are secured by people who all have very similar mind sets. I find recurring security problems, not identical in implementation, but in concept. That is to say people make the same kinds of mistakes over and over and I really can't help but think that's a result of their educational background when it comes to information security. We don't have a diverse enough gene pool of thought in the area of security and it's going to continue to bite us. The standard excuse is to have security professionals say 'Well, we have to be right all the time and they (hackers) only have to be right once.' But that does not mitigate the fact that they often have no clear clue of what the newest kind of attack is going to be or how it's going to be formulated.

Where did you go to school?
In terms of higher education, I was court-ordered to attend school after I was arrested and I studied journalism at American River College in Carmichael, Calif.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Click here!
Recent posts from Security
Hacking the Defcon badges
At Black Hat and Defcon, hackers talk shop
Denial-of-service attack downed Gawker Media
Twitter warms up malware filter
Hanging with hackers can make you paranoid
Defcon: What to leave at home and other do's and don'ts
New Firefox patches authentication security holes
Report: White House acting cyberspace chief resigns
Add a Comment (Log in or register) (16 Comments)
  • prev
  • 1
  • next
by c-n-e-t June 24, 2009 4:56 AM PDT
That's all well and good, but ... *bites lip* when will c|net hold a poll to determine who's cuter: Adrian Lamo or Mark Abene?

Reply to this comment
by elinormills June 24, 2009 7:42 AM PDT
Okay, now that made me laugh. thanks.
by n3td3v June 24, 2009 6:07 AM PDT
Why is Cnet interviewing blackhat hackers? They don't deserve the attention.
Reply to this comment
by ancientt June 24, 2009 9:15 AM PDT
Because this is an interesting person who did interesting things and did NOT harm anybody in the process.
by Michichael June 24, 2009 2:09 PM PDT
He's not technically blackhat. I'd call that grey hat. Illegal yes, unethical no...
by Adrian Lamo June 24, 2009 7:09 PM PDT
I believe the short answer would be "ad impressions" =)
by krizhek June 24, 2009 6:22 AM PDT
This is a great interview I loved it. Very interesting read.
Reply to this comment
by divisionbyzero June 24, 2009 6:34 AM PDT
Please don't call this guy a philosopher.
Reply to this comment
by mbenedict June 24, 2009 8:11 AM PDT
Enjoyed the interview, thanks!!
Reply to this comment
by jclbca June 24, 2009 9:49 AM PDT
Wow. Isn't it ironic that the messages criticizing the interview is exactly the line of thinking that Lamo is trying to expose as fallible? Or did I miss something?
Reply to this comment
by InformedDigitalCitizen June 24, 2009 11:58 AM PDT
I've had the pleasure of meeting Mr. Lamo myself, and he was kind enough to speak at a computer security enthusiast meeting I run, without compensation. He is one of the most well-mannered, gentle, and thoughtful people I have ever met.

As a blackhat hacker means someone who is completely malicious and does not consider the well-being of anyone involved in their actions, I would say in response to n3td3v's comment that Adrian Lamo is NOT a blackhat hacker.

If the wikipedia definition (yes, it is cited from several textbooks published by reputable publishers) of philosophy is accurate, "Philosophy is a study of problems which are ultimate, abstract and very general. These problems are concerned with the nature of existence, knowledge, morality, reason and human purpose.", then we can say very positively, even if only from the contents of this interview, that Mr. Lamo IS, in fact, a philosopher.

Furthermore, I invite anyone to check the comment records of both n3td3v and divisionbyzero, which show a trend of disapproving, sarcastic, and negative comments. In other words, consider the source.

I think if there were more gentlemen like Mr. Lamo in the world, it would be a better place.
Reply to this comment
by allis0 June 25, 2009 7:17 AM PDT
Very well said!
by leedix8420 June 26, 2009 2:53 PM PDT
Not only would the world be a better place, but a safer, more resonsible and secure place. Especially the Internet... Everyday we get bombarded by the media with stories of fraudsters and cybercriminals who steal from hard working innocent people. To see it at its worst go check out McAfee's H*Commerce... I first heard of Adrian Lamo in Kevin Mitnick's Book, The Art of Intrusion, and I couldn't help but feel disgust towards the companies that prosecuted him. To my amusement I also couldn't help but smile and lol when he actually started helping the people who got neglected by those companies... To characterize him as a blackhat is unwarranted... Instead we should show respect to the "Robin Hood" of Hackers... I can only hope that there are more of him out there.. Challenging the impossible and discovering vulnerabilities but with the decency to help instead of harm...
by WilliaMITCHELL June 25, 2009 8:00 AM PDT
Good article, but once again, the real difference should be made between a 'hacker' and a 'cracker', or possibly coin some new appellation for the in-between. Hacking for the sense of 'learning', breaking into a site just for the thrill or just because it can be done, or cracking into a site for nefarious reasons, all maybe wrong, but, to me. there's a wide degree of difference. I guess it's intention at the time of the deed.
Reply to this comment
by Optimus6128 June 29, 2009 2:59 AM PDT
The original definition of a hacker was basically that of a very good, usually hobbyist (with a personal need to learn and explore computers), programmer. At that time you didn't need to be specifically into security breaking to distinguish yourself from the rest. I think that when people tried to pull out the distinction of a 'hacker' and a 'cracker' they meaned that one, not the good security breaker versus the bad security breaker. You don't need to be the ultra-cool / ultra-leet dude breaking stuff on the net to have the hacker spirit. As even the interviewed guy says "my interest in what you might call hacking isn't really primarily about technology...It's not sexy when I'm exploring less obvious aspects of the world that don't involve multibillion-dollar corporations. There's a certain amount of tunnel vision there. ". I actually liked this one.

Also, another bunch of people breaking copy protections from software are called 'crackers' and they have not much to do with the hacker/cracker distinction in my opinion. Nobody asked them. Those people are deep into programming and assembly coding. Most hackers do stuff with tools and by luck. Maybe few of the hackers have a good ethics I could respect, the most are doing it in the same way some anarchists break stuff in the city, without properly thought intentions, just because being a so called "hacker" is hip.

The H-word has died for me.
by matthaynie June 27, 2009 6:29 PM PDT
I know a few people in IT that have been "homeless", they also happen to be a few of the smarter people I know. I think it means that they are willing to ignore boundaries that most people won't. Sometimes it's good sometimes it's bad, but they probably expect more out of life than most.
Reply to this comment
  • prev
  • 1
  • next

Why consumers won't buy tablets

Apple's mythical tablet, the Crunchpad, and other keyboardless computers have one thing in common: Nobody wants them.

What Google's got cooking with Chrome

roundup The Chrome browser still has some distance to go to shift beyond technophiles to the mainstream. Here's what Google's been working on lately.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics


Inside CNET News

Scroll Left Scroll Right