Lamo Pleads Guilty To New York Times Intrusion

The big question now is if the judge will take into account the motivations Lamo claims for his transgressions.
Adrian Lamo, the hacker who made a name for himself by breaching the security of large companies and then offering to help them fix the vulnerabilities he found for free, pleaded guilty to a single hacking charge today in federal district court.

Before U.S. District Judge Naomi Reice Buchwald, at the Daniel Patrick Moynihan U.S. Courthouse, Lamo pleaded guilty to unauthorized access to the private network of The New York Times, where he added his name and contact information to the paper's op-ed database.

In pleading guilty, he agreed that his actions caused losses in the range of $30,000 to $70,000. The losses include costs of intrusions into the Times as well as use of the LexisNexis database and for alleged access to a Microsoft database in October 2001.

Lamo faces six to 12 months of imprisonment. In court, Lamo read a statement in which he admitted guilt and said, "I know that I crossed a line that should not be crossed and I'm genuinely remorseful."

The plea stems from a federal complaint that was filed in August in the Southern District of New York accusing Lamo of illegally accessing Times computers, causing $25,000 in damages to its op-ed database, and racking up $300,000 in LexisNexis search fees.

That complaint also listed a string of other intrusions allegedly conducted by Lamo--who, in each case, after breaching the security of the company, offered to help the company fix the flaws. After the security holes were plugged, Lamo then would make the breach public through the media.

The companies Lamo allegedly breached with his hack-and-tell tactic include [email protected], Yahoo, Microsoft, MCI-WorldCom, and SBC Ameritech. Some of the companies Lamo allegedly hacked, including WorldCom, thanked him for finding and helping to fix the security holes he uncovered.

In early September, Lamo was released into the custody of his parents on a $250,000 bond. He says he's attending college with a focus on journalism and is looking for work.

A sentencing hearing is scheduled for April 8.

Throughout Lamo's intrusions, he always said he wouldn't deny any of his actions, but federal law does not take into account the motivations of hackers.

"The question at sentencing is whether the court will take into account Lamo's motivation to hack and how open he was with his action. But it probably will not," says Mark Rasch, former head of the U.S. Department of Justice's computer crimes unit and now senior VP of security-services firm Solutionary.

"Whether you are a white- or gray-hat hacker, there is a line that can't be crossed, and when you cross that line there will be a judgment," says Rasch.

After the hearing, in front of the courthouse, Lamo was unusually tight-lipped in front of questioning reporters, saying only, "Faith manages."

Sean Hecker, Lamo's federal public defender, said to reporters, "Adrian Lamo has always maintained that he was willing to take responsibility, which is what he did today."

Editor's Choice
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Terry White, Associate Chief Analyst, Omdia
Richard Pallardy, Freelance Writer
Cynthia Harvey, Freelance Journalist, InformationWeek
Pam Baker, Contributing Writer