New Architect: Hey, are you up yet?
Adrian Lamo: Yeah - in process of waking up and breakfasting.
NA: Funny, it's past lunchtime here in SF.
AL: You're too linear.
NA: Where are you?
AL: About two hours south of San Francisco, with some friends.
NA: Most people think the stereotypical hacker lives alone in a windowless room.
AL: Most of the rooms I sleep in have windows. I've had a few that didn't. Tossed tinfoil over the windows at the apartment I split in Richmond, Virginia for a few months.
AL: Most neighborhoods, tinfoil on the windows gets you left alone. There, a neighbor showed up like a day later to ask whether we were growing pot. Can't win.
NA: Do you think hacking is seen as more criminal than growing pot?
AL: Depends massively on the location. You're very much subject to the foibles of local law enforcement, who range from ex-marine types who got turned down by the FBI, to the state police who like to take it out on minor offenders, to people who just have the job because it's easy, has good benefits, and enjoy a Jack Daniels and Xanax before bed. It's very subjective.
NA: It also depends on the "type" of hacker, right? You're white hat?
AL: Well, despite the frequent use of "white hat" to describe me, I've never identified myself as such, or claimed a specific label for what I do. I do what I do and encourage people to draw their own conclusions.
NA: So what kind of gear do you use?
AL: There's a bit of incidental stuff, but the center of most of the compromises has been my laptop, a Toshiba Portege 3480CE, and my Web browser, usually out-of-the-box Internet Explorer. Almost everything is Web based; I could do it from any workstation on any operating system, pretty much.
NA: Back in the day, most hacker tools were nasty DOS kluges. Things appear to have progressed a long way in the last few years.
AL: Conceptually, it's the same: You're dealing with the same basic sort of technology structures. People make the same sorts of mistakes. You think in the same ways of doing research. It's just the faces that change. With occasional exceptions, there are patterns to how things are arrayed - people or machines - no matter how complex they get. Sometimes they're so subtle that you don't even really know what they are, you just move with them intuitively. The primary difference, to me, has been a change in people's awareness of how accessible much of it is.
NA: Are you saying people are now more aware of security risks or less?
AL: To most people, no matter how much exposure they get to the idea of computer security, it will still always be an opaque concept. They don't get that posting their resume and mentioning the URL of an intranet site they designed for Lockheed a year ago could lead indirectly to massive compromise, no matter how aware they are of the bugs that afflict their Outlook install.
NA: What's the root cause of this mentality? And is there anything that can be done?
AL: A scenario where all networks are perfectly secure might be desirable for someone with a long-term vested interest in security, but - thankfully - that's not possible, and perhaps not even desirable. For many companies, it is harmful when intrusions happen, but it doesn't have to be. There's a stigma attached to them, and a sense that the companies are somehow lessened by having been targets of successful hacks. No company can be 100 percent secure, and the people securing them have tended to come from backgrounds that reflect zero-tolerance and linear, law-and-order approaches to security. It's easy to look at something that harms a company and say it's bad, but that denies the context - that without many of the spurious, sometimes seemingly meaningless events that have taken place during the history of the Net and of society, we wouldn't be at quite the place where we are now.
People with a physical and national security background are trying to apply their life lessons to a situation outside that context, and they'll continue to do so for as long as they can. Everyone does what they feel they should do.
NA: Okay, so where do you fit in?
AL: I do what I do. I try to do it in ways that I'd generally be okay with if they were applied to me, and things work out one way or another. There's no quest that will be finished once I accomplish "X." I do what I'm geared to do, for lack of a better way of describing it.
NA: Fair enough. I want to ask about some of your hacks, and we'll leave the "why" to the muses. How do you pick your targets?
AL: They're there, and I'm there. It meshes with the above. If I really went out and looked for a specific target, I'd be going against the current of how this happens in the first place. It's random and unknowable.
NA: Any thoughts on your favorite hacks? Easiest? Most difficult? Best?
AL: Well, in keeping with how they happen, the more improbably it happens, the more of a kick I get out of it. With the New York Times, I couldn't even piece together every link in the chain of events, but when the intranet page loaded, my friend sitting next to me was just floored - not because it was the Times, but because of how randomly it had happened: Sitting there, chatting, me just randomly following a chain of sites on a random tangent. Read an article on one, push the security envelope on another, follow up on something I saw mentioned during the course of that, and research it on a different one, eventually end up with an interest in who had written something specific, and fire off an email to an autoresponder to get their middle initial to see if it was the right person, and see a specific IP address in the headers of the autoresponse from the New York Times that led to finding another subnet that I scanned on a whim... that glosses over a lot of it, but when things unfold like that, it's really the best for me. Sure, you can protect yourself against $5,000 commercial scanning software, but can't nothing protect you against unlikely coincidence. Chance undoes the best of our plans; it's important that we keep a sense of absurdity about it.
NA: And you reported the hole to the Times?
AL: I browsed, and promptly forgot about it. It just wasn't that interesting. They're a newspaper. Big deal. Eventually I made a call to SecurityFocus to see when they thought would be best to do the disclosure.
NA: What was the reaction from the Times?
AL: The Times has had no official reaction other than to convey how seriously they take security, and that they're still evaluating all their options. It'd be nice if they'd contacted me. [Editor's Note: Since our interview, an FBI investigation appears to have been initiated.]
NA: Have you ever been prosecuted for any of your hacks?
AL: I've not been prosecuted. Probably my closest brush with the law has been any of my several random police stops - I'm frequently in random places at night, on a dark road in middle of nowhere, walking on the shoulder, whatever. That's the only context in which I've had any cop/detainee interactions that were in any way serious.
NA: Does prosecution concern you?
AL: I am, of course, aware of the possibility of prosecution. It's not a distant, theoretical awareness either - I think about it when I hear cars outside late at night, and I don't make any sudden moves when a white Crown Victoria pulls up near me when I'm walking. But we all take risks in life. The important thing is to not stop living my life because of what might or might not happen.
NA: Random places at night? Dark roads in the middle of nowhere? Explain.
AL: I just end up in strange places. Like when I got stranded in Ohio because of a string of random luck, I didn't think it was unreasonable to walk about twenty miles to Dayton, but the local cop that got a call from a concerned farmer did.
NA: How do you fund your travels?
AL: Walking is free, and Greyhound from coast to coast is something around $110. Occasional security/network work funds my interests the rest of the time.
NA: I assume your security/network contracts know about your after-hours activities?
AL: I mention it to the occasional ones that don't know, but more out of courtesy than out of thinking it's somehow crucial that they know.
NA: Ever any hesitation from clients?
AL: Not that I recall. I don't usually solicit clients; it's generally the other way around. The work isn't a priority; I can do a month on about $150 if I want to. If my laptop died after an improbable plunge into some underground river or something, I might make a couple calls.
NA: Let me ask about specific vulnerabilities in systems these days. Any common holes?
AL: That ties back to what I've said before in a lot of ways - it's less specific things that usually need patching. But for the sake of some slightly more specific notes, it's frequently conceptual vs. system-centric vulnerabilities. Your unreasonably expensive firewall that blocks ubiquitous scanning tools doesn't matter if I learn everything I need to know about your network with a ten-minute Google search. Authenticating by social security number and date of birth doesn't matter if I can get both with a fax from the public records department at the courthouse. Requiring logins to come from on-campus and blocking all outside connectivity is cool, but it won't matter if I can walk into the HR reception area and use one of the computers on your internal LAN that you thoughtfully provide to browse job listings.
NA: Any words of advice for companies on the other end of a connection from you... or, worse, from a malicious hacker?
AL: Yeah. Operate in a world where your business model depends on honesty, full disclosure, and the realistic portrayal of your product and company on their own merits, rather than one where the incidental glimpse behind the scenes is traumatizing to the corporation as a whole. More realistically, setting a precedent for less damaging intrusion isn't unreasonable. If your company accepts that it won't ever be 100 percent secure, accepting good-faith conduct and full disclosure from intruders that come forward - and holding them to it - may prevent a more serious intrusion in the future, in ways that playing up an "Unbreakable" front won't.
More practically, segment your operations. If I compromise a secretary in graphic design, there's no need for him to be able to access HR records. You'll probably be surprised by how much room there is for improvement. But at the same time, don't cut people down into specialized worker bees that will go out of their way to get more access in the face of massive restrictions.