A self-styled security expert and serial self-promoter, Adrian Lamo made headlines as a grayhat hacker. Then the Gray Lady came down on his head.
Not long ago Adrian Lamo was exploring an abandoned gypsum processing plant in West Philadelphia with two friends, when a police cruiser drove slowly by. Lamo's friends were high on methamphetamines, and at the sight of the cops they urged him to run. Instead, Lamo stood still, and as he did, he heard a strange rasping sound. Peering down a nearby sewer grate, Lamo found the source: a kitten, meowed to hoarseness, scrambling around on a pile of trash.
When a second squad car pulled up and fixed its spotlight on Lamo, he walked forward. "I said, 'Officer, I'm so glad you're here!'" Lamo recalls, using his most innocent voice. "'There's a kitten trapped down here.'" The officer was suspicious, but two hours later, with the assistance of three additional cruisers and a police van, the kitten was out.
Illustration by Matthew Curry
"There we were," Lamo says. "Circle of police cars, flashing lights, me – quasi-notorious cybercriminal – and my coconspirators all working in concert to try and get this kitten out of the drain." In the hubbub, neither Lamo nor his friends got searched, and the kitten went home with them in a discarded juice carton. Lamo named it Alibi.
Being saved against all odds is a theme with Lamo, who told me the story of Alibi shortly after he was arrested by the FBI in September for computer fraud. The charges – that Lamo had broken into the private network of the New York Times Company and run up a $300,000 bill on the pay-per-use search tool Lexis-Nexis – carried a possible 15-year prison sentence. Asked if he was afraid of going to jail, Lamo said simply, "I'm sure it would be educational. The beautiful thing about the universe is that nothing goes to waste."
Thin and pale, Lamo has a delicate, androgynous face and a habit of hunching his shoulders as though to stay warm. He is one of the best-known hackers in the country, and was out being filmed for a documentary when the cops came looking for him at his parents' house in Sacramento. While cameras rolled, Lamo described his most famous hacks, a string of highly publicized computer intrusions – Microsoft, AOL, and Excite@Home – of which the Times was merely the most recent. Just months before the Times hack, he had made the papers by burrowing into WorldCom's intranet, where he found a database containing Social Security numbers, bank account data, and direct deposit instructions for some 86,000 WorldCom employees – plus a Web router maintenance tool that enabled him to go deep into the private networks of Bank of America, Citicorp, and JP Morgan.
Known as the Homeless Hacker before his arrest, Lamo did most of his virtual exploring from the Internet connections at Kinko's copy shops. Besides his laptop – an eight-year-old Toshiba with six keys missing – he traveled light, usually with a blanket, a change of clothes, and a Taser stun gun, which he used to pick electronic locks and sometimes to shock vending machines to see if they would drop food or spare change.
Relentlessly nomadic – he has crossed the country by bus half a dozen times – he's also a connoisseur of serendipity. He once spent two weeks attending a Pennsylvania Bible school on a whim. Mostly, though, he transited between Washington, DC, and San Francisco, where he grew up. Because he has friends in those cities, Lamo could usually count on finding a place to sleep that was both more secure and more pleasant than his usual home, an abandoned building. The capital also has the virtue of being an information hunter's paradise. "In DC, it's hard to open a dumpster without finding classified documents," he tells me wistfully.
In return for food and a place to sleep, Lamo took his hosts on rambling adventures: through city sewer systems or locked office buildings. The tours were always surreal, one friend recalls: "Not so much fun as different."
"To me," Lamo explains, "ending up in a city that I've never been to before, with no money, where I know nobody, and yet somehow making it work out is as much a unique and amazing exercise of faith as going to a computer network that I know nothing about and somehow finding myself in its innermost recesses."
Lamo prides himself on his ability to get out of tight situations, and once he became a wanted felon, he briefly dropped out of sight. But the FBI, prompted by fears of Internet terrorism, was only getting started. In the end, even the Justice Department got involved, unsuccessfully attempting to subpoena the notes of a dozen reporters who had interviewed Lamo. The game had suddenly turned serious. After five days as a fugitive, Lamo surrendered in a Sacramento Starbucks.
For someone with such a glamorous hacking resume, Lamo is strangely unschooled. Illiterate in computer languages like Java and C++, he cannot exploit loopholes in a system's underlying code. Instead, he uses a common man's tool: the Web browser. Firing up Internet Explorer, Lamo will troll through a corporation's homepage, seeking outsourced jobs like advertising, distribution, and payroll. The companies that handle these tasks link to the main corporate database, but their proxy servers – the point of connection between the two networks – are often poorly secured, sometimes with standard-issue passwords that no one bothers to reset.
Finding these weak points is a matter of perseverance more than talent, but Lamo has also been unusually lucky – often materializing in areas of corporate networks that were heavily guarded and distinctly off-limits. One fellow hacker describes the skill – with a nod to sci-fi author Neal Stephenson – as "the ability to condense fact from the vapor of nuance."
It was this vaporous instinct that in February 2002 first drew Lamo to the New York Times servers. Messing with the Times' news site would be a coup, Lamo knew, but the Gray Lady had been hacked this way once before, and security was tight. Rebuffed from the news server, Lamo focused on the corporate network, sending test emails to the paper's autoresponder, culling IP addresses, and finally stumbling onto a subnetwork that controlled, among other things, the database containing information about op-ed writers. This being The New York Times, the list of contributors was particularly luminous, an establishment who's who that included UN weapons inspector Richard Butler and former National Security Agency head Bobby Inman, as well as celebrities like Robert Redford and Rush Limbaugh. Many of the names had phone numbers and home addresses attached, along with notes on the person's area of expertise, payment history, and editorial temperament. After browsing a bit, Lamo added himself to the roster, brazenly giving his full name and cell phone number. (For his expertise, he drily listed "computer hacking, national security, communications intelligence.") Once the deed was done, he called SecurityFocus.com reporter Kevin Poulsen, a confidant and a convicted hacker himself. Lamo gave him the scoop, and Poulsen, hoping to verify the story, called the Times.
Publicly exposing the company whose system he has just compromised is Lamo's MO, and for the most part it has served him well. WorldCom, for instance, officially thanked Lamo after he ignored the temptation to steal a quick million in paychecks; he later spent a weekend briefing managers on the details of his work. Excite@Home also offered thanks. The Times did not feel similarly indebted. Notified of the breach, the company alerted the US Attorney's office, which began an investigation in February 2002. By shadowing the 23-year-old hacker, the agencies learned that Lamo had done more than just add his name to the list of op-ed writers. He had also created several passwords that gave him access to the paper's account with Lexis-Nexis and its massive database of public records and thousands of newspapers and magazines.
Photo by Steven Yeater. "In DC," says Lamo, now 23, "it's hard to open a dumpster without finding classified documents."
Lamo, it turns out, spent several months playing on Lexis-Nexis, mostly digging for personal information on other hackers and on journalists who had written critically about his work. At one point, he also attempted to find all the license plate numbers assigned to undercover vehicles registered with the FBI. All told, he conducted more than 3,000 searches. Although the Times doesn't pay retail for the service, the FBI calculated Lamo's damages using the full Lexis-Nexis rate, which added up to a shocking $300,000. It was clearly a punitive figure. Had Lamo simply bought an unlimited three-month account with Lexis-Nexis rather than piggybacking off the Times, it would have cost him just $1,500. But for the Times, it was not the money so much as the principle: "A serious offense," says a Times spokesperson. No one was particularly grateful to Lamo for pointing out the vulnerability in the op-ed database, and some even saw the action as sinister: a subtle attempt to divert attention from the real ongoing theft. When the FBI concluded its investigation last summer, the company decided to press charges.
When it comes to ethics, hackers fall into three main categories. The good guys – the whitehats – have jobs with computer security firms and work strictly within the law. The blackhats break into networks illegally, usually to steal or vandalize. Lurking in the middle are the grayhats – hackers who are not openly destructive but who get their thrills from joyriding through private systems or conducting uninvited "security checks." In a typical example, a pair of hackers known as the Deceptive Duo defaced dozens of military and commercial Web sites, plastering their homepages with a picture of the American flag, crossed pistols, and a warning to "Tighten security before a foreign attack forces you to." Grayhats see themselves as Internet Zorros – high-minded vigilantes who are righteously setting information free while nobly helping to protect it from vandals. In practice, though, it can be hard to tell the noble outlaw from the petty criminal. Breaking the law in the name of improving the law is rarely condoned, let alone idealized. The line between self-interest and "setting information free," moreover, is easily blurred – and it's the murky middle ground in the already ill-defined grayhat arena where Lamo most likes to operate.
Exactly what shade of gray hat Lamo wears remains a matter of heated debate. On Slashdot, a Web site popular with the computer security crowd, members spent days bickering over the most appropriate metaphor for Lamo's corporate hacking. Was it a purely good deed, like walking by an unlocked car full of money and alerting the owner? Or was it much creepier, like rattling the locks on a neighborhood house, then leaving a note on the bed telling the owner that she left her bathroom window open?
In theory, it's easy to see Lamo as a good guy. Unlike many hackers – even whitehats – he never uses a pseudonym and makes no effort to hide his identity. If the company he notifies appears grateful, he will often offer to help plug the hole he's discovered for free. Poulsen, for one, believes that Lamo "practices a style of hacking – open, brash, illegal, but carefully observant of an unwritten code of ethics – that went out of style a decade ago."
Indeed, Lamo's hacks are uncommonly witty and at times almost inspiring. Once, after tunneling into Excite@Home's customer service database, Lamo pulled the email and phone number of a customer whose complaint had gone unanswered for a year. Lamo called him up, chatted briefly, then offered to forward him all the company's internal correspondence pertaining to the original complaint.
Stunts like this have made Lamo a legend in hacker circles. His Friendster account is full of admiring testimonials from fellow geeks. Craig Calef, a 22-year-old engineer from Massachusetts, writes, "I'm not a religious man, but Adrian is the closest thing I have to a messiah." Nevin Williams, who was a lead operations engineer for Excite@Home at the time of Lamo's hack, says, "It's unclear whether you should be amused, comforted, concerned, inspired, or indicted for the privilege of not ever being bored in his presence. He is the Man's Man, though the Man doesn't seem to know he's been hacked yet."
At his best, Lamo seemed to be operating not just outside the law, but above it. And though supporters praise this kind of freelance justice, detractors question Lamo's motives. Given his habit of alerting the media to every hack, many on both sides believe that Lamo is driven largely by vanity. Fellow hacker Mike Sanders maintains that Lamo didn't actually discover the Excite@Home security hole – he just made it public and took the credit. Lamo has also demonstrated his techniques for MSNBC, and the outgoing message on his cell phone (666-HACK) leads to a line offering detailed instructions for reporters on deadline.
Moreover, Lamo's unwritten code of ethics includes some disturbing fine print. If he feels that a store clerk has been surly, for instance, he's not above picking through dumpsters for that employee's personal information. Three years ago, when Lamo had a falling-out with several contributors on Observers.net, an anti-AOL site, he took revenge by appropriating the offenders' online identities. His ex-girlfriend, who requested that her name be withheld, has also accused him of stalking her. "Every time I moved, he'd send an anonymous email," she remembers. "Sometimes he'd include my unlisted phone number, which nobody else had. He made a point of showing that he knew where I was." The court issued a restraining order against Lamo, following a complaint in which his then-girlfriend described an ongoing pattern of harassment and abuse. "He carried a stun gun, which he used on me," she recalls. "He was very controlling. He wanted to know where I was constantly. After we stopped talking, he would hack into the phone company's service center and change my phone services."
Since his arrest in September, Lamo has been living with his parents in Carmichael, a suburb of Sacramento. His computer use is restricted, and he must check in with his pretrial services officer regularly – ostensibly to prove that he hasn't skipped town. In practice, however, this system seems rather lax. For one recent check-in, Lamo used a voice-over-IP connection that gives outgoing calls an out-of-state number and area code. The officer didn't blink, Lamo reports. "If he'd checked his caller ID, it would be like: 'Gee, this call is coming from Connecticut!'"
For our first interview, Lamo suggests that we meet at a Starbucks across town from the one where he gave himself up six weeks before. His parents, he explains, are "poorly disposed" toward reporters. This is disappointing, since I've been curious about his parents, who strike me as almost unfathomably tolerant. According to Lamo, in order to post the $250,000 bail that resulted from his arrest, the Lamos – who also have a 5-year-old daughter and an 11-year-old son – had to put a lien on their house. And yet, so far, they have not insisted that Lamo get a job, or even that he stop breaking into corporate computer systems. "They're dream parents," says Darci Wood, who helped found FreeLamo.com, a Web site dedicated to raising money for Lamo's legal expenses. "It's amazing the way they've supported him in the face of these charges." (Wood is the girlfriend of the notorious Kevin Mitnick, who spent five years in jail for hacking his way into the phone system.) When I ask Lamo what his parents think about his ongoing career in computer trespass, he says with practiced wryness, "They think it's about time for me to do something that doesn't involve mandatory federal sentences."
Photo by Steven Yeater. Lamo is led from a Manhattan federal building by FBI agents in September.
In person, Lamo is not quite as I imagined him. He's beset by facial tics, including one that makes it look like he's winking. He is, however, disarmingly polite, offering me half of his pastry and apologizing when the din from a Frappuccino blender threatens to overwhelm my tape recorder. Candid to the point of incrimination, he also cheerfully recounts the details of "my alleged Lexis-Nexis foray," and lets me in on several new intrusions. Among other things, he says, he now has the ability to shut off the FBI's phone service. "All of it?" I ask incredulously. "Well, the field offices," he demurs. "There's a lot of FBI."
Lamo began hacking into phone systems in high school. It was a lonely time, and he eventually dropped out with an equivalency degree. After a short stint doing computer work for PlanetOut.com, Lamo began to roam. At one point, he spent a month stranded in a small California town outside Visalia, too poor to afford Greyhound and unwilling to accept his parents' offer of $40 to cover the ticket. (His mother compromised by mailing him soup.)
Perpetually broke and often hungry, Lamo would also rely heavily on the material advantages of his more solvent friends. (While in Visalia, he slept on an acquaintance's floor for a month.) Nevin Williams, the former Excite@Home engineer, regularly offered Lamo a place to stay when he was in San Francisco but now says he feels manipulated. "If there's a generous person, and you make them aware of a need in a roundabout manner, the generous person might be inclined to offer help," he says drily. "I think Adrian understands this very well."
Lamo is an eager interview subject, but the longer we talk, the more anxious he gets. At one point he stops midsentence and tips his head meaningfully toward a man stirring his coffee at the counter next to us. An FBI eavesdropper? I say that maybe we should go. "It's OK," Lamo shrugs. "They probably have the Starbucks bugged anyhow." He pulls on fleece gloves and slides his hands along the underside of the table. "I used to carry a frequency counter," he says. "Now I can't afford one."
As we're leaving, Lamo points out another customer, who left when we got up and is now sitting in his car reading the paper. Lamo has me drive us around the parking lot a few times, then jumps out and raps on the guy's car window. The man rolls it down.
"Do you now or have you ever worked for the government?" Lamo asks. The man looks startled and wants to know what's going on. "Oh, I'm an accused felon," Lamo volunteers cheerfully. "Alleged to have compromised certain computer systems." Back in the car, he giddily shows me the man's business card. He's happy again, with the residual charge of someone who's just survived a close shave. I, however, am suddenly peevish. "Wouldn't any self-respecting undercover FBI agent carry a fake business card?" I ask. Lamo's face falls. We leave the parking lot without further discussion.
Lamo's paranoia is infectious. Not long after our first meeting, I interview two of his friends, both of whom joke that he has probably tapped my phone. This seems improbable, but after a while, I can't seem to shake the idea. A few days later, Lamo calls at midnight. He patches me through to an IRS recording at the point where they're asking for a Social Security number, tells me to enter mine, and promises he won't listen. When I refuse, he gets angry. "I'm doing this for you," he huffs. But when I ask what, precisely, he is trying to do, he says that he won't discuss it over the phone.
In another late-night phone call, Lamo reveals that he recently went to a doctor, again announced that he was "an accused felon," and said that he wanted his life to be less stressful. To Lamo's annoyance, the doctor gave him prescription sleeping pills and a four-week supply of Paxil, which he refuses to take. He was hoping to score Xanax, which he says is good for short-term anxiety, panic attacks, and insomnia. "If you say 'I want Xanax' up front, they say 'Oh boy, only Paxil for you!'" Lamo explains. "But if I go back in two weeks and say, 'The Paxil isn't working, plus I've started getting these little, like, electric shocks throughout my body' – then they think you're showing signs of petit mal seizure, which is one of the side effects, and they give you Xanax."
Lamo actually is seizure-prone, ever since he overdosed on prescription amphetamines back in 2001. Now, he explains, he sticks to depressives and dissociatives. "The dissociatives are amazing," he boasts. "You can look at your face in the mirror and completely not recognize it."
Not long after this exchange, Lamo leaves a message that he's "concerned about the direction" that some of my reporting has taken. He also calls my editor, informs him that I have been asking "inappropriate" questions about his mental health, and threatens to stop cooperating with the article. It's an uncharacteristic reaction for Lamo, who in the past had treated the idea of being profiled with unnatural enthusiasm – at one point even reassuring me that a negative portrayal of him would be fine. What pushed Lamo over the edge, I learned, was that I had asked his friends about his drug use and whether they ever worried about his health. (For what it's worth, most said that they do worry, but that Lamo can take care of himself.) Lamo eventually rescinded his threat, although the fact he made it at all is revealing.
Getting hacked is a creepy feeling – one that has more to do with privacy than actual damage. After all, the real reason the New York Times called the FBI is not because Lamo mooched off its Lexis-Nexis account but because he dug through a database that was confidential and personal. Yet the anxiety of exposure cuts both ways. Ironically, the very thing that made Lamo so uncomfortable is precisely what he does to the rest of the world. Once I began sifting through Lamo's personal information – even with an invitation – he reacted much like the Times. Rather than trusting his friends to be kind, or me to be fair, he panicked and called the authorities.
In January, nearly two weeks after I had last spoken to Lamo, news comes down that he has agreed to a plea bargain. By confessing to a felony charge, he will receive a shortened sentence of six to 12 months and pay no more than $70,000 in damages. Copping to a felony that will plunge him into debt doesn't seem like much of a victory, but when I call Lamo afterward, he sounds surprisingly upbeat. "I always said that I would accept the consequences of my actions," he says. While acknowledging that the past week had been difficult, he is quick to move on to happier matters. Just recently, he reports, he was offered the chance to write a monthly security column at $500 a shot for a new magazine on mobile computing. He has talked before about hanging up his spurs to become a journalist, and this should be a dream job for an aspiring technology reporter. Lamo, however, has already dismissed the offer. The magazine will "popularize" his copy, he insists. "For me, it would have to be either exactly as I put it down on paper or not at all."
This seems a bit high-handed to me, and I tell Lamo that I think he's being foolish. Now that he's saddled with a felony conviction and thousands in debt, how choosy can he be? Lamo, however, will not be swayed. "I think the editors see the column the way McDonald's sees flipping burgers, while I see it as an effort of religion," he muses. As to his future, Lamo says merely that he hopes the universe will provide. What he doesn't realize is that the universe has provided, just not in the way that he wants. After all, the chance to be a columnist is nearly as miraculous as finding a kitten in a gypsum factory. But to reinvent himself, Lamo would have to shed his life as the Homeless Hacker – and that's something he seems unwilling to do. Even after he has served his time, Lamo will remain a prisoner of his own myth, picking through the rubble of life on the margins.