SBN

Adrian Lamo, ‘Homeless Hacker’ Who Turned in Chelsea Manning, Dead at 37

Adrian Lamo, the hacker probably best known for breaking into The New York Times‘s network and for reporting Chelsea Manning‘s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.

Adrian Lamo, in 2006. Source: Wikipedia.

I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.

The panoply of alternate nicknames he used on instant messenger in those days shed light on a personality not easily grasped: Protagonist, Bitter Geek, AmINotMerciful, Unperceived, Mythos, Arcane, truefaith, FugitiveGame.

In this, as in so many other ways, Lamo was a study in contradictions: Unlike most other hackers who break into online networks without permission, he didn’t try to hide behind the anonymity of screen names or Internet relay chat networks.

By the time I met him, Adrian had already earned the nickname “the homeless hacker” because he had no fixed address, and found shelter most evenings in abandoned buildings or on friend’s couches. He launched the bulk of his missions from Internet cafes or through the nearest available dial-up connections, using an old Toshiba laptop that was missing seven keys. His method was the same in every case: find security holes; offer to fix them; refuse payment in exchange for help; wait until hole is patched; alert the media.

Lamo had previously hacked into the likes of AOL Time Warner, ComcastMCI Worldcom, Microsoft, SBC Communications and Yahoo after discovering that these companies had enabled remote access to their internal networks via Web proxies, a kind of security by obscurity that allowed anyone who knew the proxy’s Internet address and port number to browse internal shares and other network resources of the affected companies.

By 2002, Lamo had taken to calling me on the phone frequently to relate his various exploits, often spoofing his phone number to make it look like the call had come from someplace ominous or important, such as The White House or the FBI. At the time, I wasn’t actively taking any measures to encrypt my online communications, or to suggest that my various sources do likewise. After a few weeks of almost daily phone conversations with Lamo, however, it became abundantly clear that this had been a major oversight.

In February 2002, Lamo told me that he’d found an open proxy on the network of The New York Times that allowed him to browse the newsroom’s corporate intranet. A few days after that conversation, Lamo turned up at Washingtonpost.com’s newsroom (then in Arlington, Va.). Just around the corner was a Kinkos, and Adrian insisted that I follow him to the location so he could get online and show me his discovery firsthand.

While inside the Times’ intranet, he downloaded a copy of the Times’ source list, which included phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures – including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. Lamo also added his own contact information to the file. My exclusive story in Newsbytes about the Times hack was soon picked up by other news outlets.

In August 2003, federal prosecutors issued an arrest warrant for Lamo in connection with the New York Times hack, among other intrusions. The next month, The Washington Post’s attorneys received a letter from the FBI urging them not to destroy any correspondence I might have had with Lamo, and warning that my notes may be subpoenaed.

In response, the Post opted to take my desktop computer at work and place it in storage. We also received a letter from the FBI requesting an interview (that request was summarily denied). In October 2003, the Associated Press ran a story saying the FBI didn’t follow proper procedures when it notified reporters that their notes concerning Lamo might be subpoenaed (the DOJ’s policy was to seek materials from reporters only after all other investigative steps had been exhausted, and then only as a last resort).

In 2004, Lamo pleaded guilty to one felony count of computer crimes against the Times, as well as LexisNexis and Microsoft. He was sentenced to six month’s detention and two years probation, an ordered to pay $65,000 in restitution.

Several months later while attending a formal National Press Foundation dinner at the Washington Hilton, my bulky Palm Treo buzzed in my suit coat pocket, signaling a new incoming email message. The missive was blank save for an unusually large attachment. Normally, I would have ignored such messages as spam, but this one came from a vaguely familiar address: [email protected]. Years before, Lamo had told me he’d devised a method for minting his own .mil email addresses.

The attachment turned out to be the Times’ newsroom source list. The idea of possessing such information was at once overwhelming and terrifying, and for the rest of the evening I felt certain that someone was going to find me out (it didn’t help that I was seated adjacent to a table full of NYT reporters and editors). It was difficult not to stare at the source list and wonder at the possibilities. But ultimately, I decided the right thing to do was to simply delete the email and destroy the file.

EARLY LIFE

Lamo was born in 1981 outside of Boston, Mass. into an educated, bilingual family. Lamo’s parents say from an early age he exhibited an affinity for computers and complex problem solving. In grade school, Lamo cut his teeth on a Commodore64, but his parents soon bought him a more powerful IBM PC when they grasped the extent of his talents.

“Ever since he was very young he has shown a tendency to be a lateral thinker, and any problem you put in front of him with a computer he could solve almost immediately,” Lamo’s mother Mary said in an interview in 2003. “He has a gifted analytical mind and a natural curiosity.”

By the time he got to high school, Lamo had graduated to a laptop computer. During a computer class his junior year, Lamo upstaged his teacher by solving a computer problem the instructor insisted was insurmountable. After an altercation with the teacher, he was expelled. Not long after that incident, Lamo earned his high school equivalency degree and left home for a life on his own.

For many years after that he lived a vagabond’s existence, traveling almost exclusively on foot or by Greyhound bus, favoring the affordable bus line for being the “only remaining form of mass transit that offers some kind of anonymity.” When he wasn’t staying with friends, he passed the night in abandoned buildings or under the stars.

In 1995, Lamo landed contract work at a promising technology upstart called America Online, working on “PlanetOut.com,” an online forum that catered to the gay and lesbian community. At the time, advertisers paid AOL based on the amount of time visitors spent on the site, and Lamo’s job was to keep people glued to the page, chatting them up for hours at a time.

Ira Wing, a security expert at one of the nation’s largest Internet service providers, met Lamo that year at PlanetOut and the two became fast friends. It wasn’t long before he joined in one of Lamo’s favorite distractions, one that would turn out to be an eerie offshoot of the young hacker’s online proclivities: exploring the labyrinth of California’s underground sewage networks and abandoned mines.

Since then, Lamo kept in touch intermittently, popping in and out of Wing’s life at odd intervals. But Wing proved a trustworthy and loyal friend, and Lamo soon granted him power of attorney over his affairs should he run into legal trouble.

In 2002, Wing registered the domain “freeadrian.com,” as a joke. He’d later remark on how prescient a decision that had been.

“Adrian is like a fast moving object that has a heavy affect on anyone’s life he encounters,” Wing told this reporter in 2003. “And then he moves on.”

THE MANNING AFFAIR

In 2010, Lamo was contacted via instant message by Chelsea Manning, a transgender Army private who was then known as Bradley Manning. The Army private confided that she’d leaked a classified video of a helicopter attack in Baghdad that killed 12 people (including two Reuters employees) to Wikileaks. Manning also admitted to handing Wikileaks some 260,000 classified diplomatic cables.

Lamo reported the theft to the FBI. In explaining his decision, Lamo told news publications that he was worried the classified data leak could endanger lives.

“He was just grabbing information from where he could get it and trying to leak it,” Mr. Lamo told The Times in 2010.

Manning was later convicted of leaking more than 700,000 government records, and received a 35 year prison sentence. In January 2017, President Barack Obama commuted Manning’s sentence after she’d served seven years of it. In January 2018, Manning filed to run for a Senate seat in Maryland.

HOMELESS IN WICHITA

The same month he reported Manning to the feds, Lamo told Wired.com that he’d been diagnosed with Asperger Syndrome after being briefly hospitalized in a psychiatric ward. Lamo told Wired that he suspected someone had stolen his backpack, and that paramedics were called when the police responding to reports of the alleged theft observed him acting erratically and perhaps slurring his speech.

Wired later updated the story to note that Lamo’s father had reported him to the Sacramento Sherriff’s office, saying he was worried that his son was over-medicating himself with prescription drugs.

In 2011, Lamo told news outlet Al Jazeera that he was in hiding because he was getting death threats for betraying Manning’s confidence and turning him in to the authorities. In 2013, he told The Guardian that he’d struggled with substance abuse “for a while.”

It’s not yet certain what led to Lamo’s demise. He was found dead in a Wichita apartment on March 14. According to The Wichita Eagle, Lamo had lived in the area for more than a year. The paper quoted local resident Lorraine Murphy, who described herself as a colleague and friend of Lamo’s. When Murphy sent him a message in December 2016 asking him what he was up to, he reportedly replied “homeless in Wichita.”

“Adrian was always homeless or on the verge of it,” Murphy is quoted as saying. “He bounced around a great deal, for no particular reason. He was a believer in the Geographic Cure. Whatever goes wrong in your life, moving will make it better. And he knew people all over the country.”

The Eagle reports that Wichita police found no signs of foul play or anything suspicious about Lamo’s death. A toxicology test was ordered but the results won’t be available for several weeks.

*** This is a Security Bloggers Network syndicated blog from Krebs on Security authored by BrianKrebs. Read the original post at: https://krebsonsecurity.com/2018/03/adrian-lamo-homeless-hacker-who-turned-in-chelsea-manning-dead-at-37/