Adrian Lamo, the hacker who made a name for himself in the US by breaching the security of large companies and then offering to help them fix the vulnerabilities he found for free, has pleaded guilty to a single hacking charge in a US federal district court.
Before US District Judge Naomi Reice Buchwald, at the Daniel Patrick Moynihan US Courthouse, Lamo pleaded guilty to unauthorised access to the private network of The New York Times, where he added his name and contact information to the paper's op-ed database.
In pleading guilty, he agreed that his actions caused losses in the range of US$30,000 to US$70,000. The losses include the costs of the intrusions into the Times, use of the LexisNexis database, and alleged access to a Microsoft database in October 2001.
Lamo faces six to 12 months of imprisonment. In court, Lamo read a statement in which he admitted guilt and said, "I know that I crossed a line that should not be crossed and I'm genuinely remorseful."
The plea stems from a US federal complaint that was filed in August in the Southern District of New York accusing Lamo of illegally accessing Times computers, causing US$25,000 in damages to its op-ed database, and racking up US$300,000 in LexisNexis search fees.
That complaint also listed a string of other intrusions allegedly conducted by Lamo -- who, in each case, after breaching the security of the company, offered to help the company fix the flaws. After the security holes were plugged, Lamo then would make the breach public through the media.
The companies Lamo allegedly breached with his hack-and-tell tactic include Excite@Home, Yahoo, Microsoft, MCI-WorldCom, and SBC Ameritech. Some of the companies Lamo allegedly hacked, including WorldCom, thanked him for finding and helping to fix the security holes he uncovered.
In early September, Lamo was released into the custody of his parents on a $250,000 bond. He says he's attending college with a focus on journalism and is looking for work.
A sentencing hearing is scheduled for 8 April.
Throughout Lamo's intrusions, he always said he wouldn't deny any of his actions, but US federal law does not take into account the motivations of hackers.
"The question at sentencing is whether the court will take into account Lamo's motivation to hack and how open he was with his action. But it probably will not," said Mark Rasch, former head of the US Department of Justice's computer crimes unit and now senior VP of security-services firm Solutionary.
"Whether you are a white- or grey-hat hacker, there is a line that can't be crossed, and when you cross that line there will be a judgment," said Rasch.
After the hearing, in front of the courthouse, Lamo was unusually tight-lipped with questioning reporters, saying only, "Faith manages."
Sean Hecker, Lamo's federal public defender, said to reporters, "Adrian Lamo has always maintained that he was willing to take responsibility, which is what he did today."
Additional reporting by George V. Hulme.
Copyright (C) 2003 CMP Media LLC