AntiOnline: Maximum Security for a Connected World

Adrian Lamo travels the country with his trusty laptop and uses his wealth of computer knowledge to break into corporate networks.

Instead of thieving credit card numbers or making a fortune for himself on the information that he accesses, he alerts the companies he's hacked and shows them how to shore up their defenses.

Needless to say, sysadmins take security very seriously and, unfortunately for Lamo, the New York Times wasn't in an appreciative mood. Now the feds are involved and his future is uncertain.

Lamo's story has sparked a heated discussion on AO's boards. To some, Adrian Lamo is a guardian angel, trying to keep one step ahead of black hat hackers. To others, any intrusion, regardless of intent, is an attack on data systems that are the lifeblood of the business world.

What would you do if he circumvented your company's network security?

Would you thank him, trust that he's honest about simply browsing your network, and implement his recommendations? Or do you lock down your network, have your IT dept check for the extent of damage (if any) he's done, and call the cops?

See what the AO community has to say about this tricky situation.


Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.

Direct link to this week's spotlight thread:
Catch Adrian... if you can.

Related:
Adrian Lamo (from the Web Security Forums)

Excerpts:

i2c believes that the case is simply a matter of pride on the part of the New York Times.

I think it's a great shame that the New York Times couldn't see the benefits of someone with ethics finding and reporting their vulnerabilities.

I really think it's about pride, I think the Network admins were annoyed that someone with no fixed address, who travels the country, was capable of this. Instead of the Network admins who were blatantly incapable of accepting they were wrong and working with him.

Hopefully the judge when he is found will acknowledge that what he was doing was in fact right, if against the law.

gunit0072003, on the other hand, feels that the very act of hacking a computer system is the virtual equivalent of breaking into someone's physical property.

If I break into your house, without your knowledge, and rummage through your personal belongings and then a month later call you up and tell you:

"Oh, hi. You don't know me, but I took the liberty to break into your house the other day and I noticed your house is not as secure as you think, and oh by the way, don't worry I didn't steal anything. I'm just going around the neighborhood and attempting to break into people's homes without their permission, just to help them and identify which ones are not secure."

Would you be pissed off? Come on man... What gives? Sure I agree with you, his intentions were maybe honest. But he still broke the law and what he did was illegal and dumb.

Maestr0 gives us both sides of the coin, so to speak...

Heads: The Internet and networks in general are not the place they were in past years. The information stored in today's networks are worth vast amounts of money and store information vital to the economics and security of individuals, companies and countries. Businesses have the right to conduct their affairs in a regulated and safe environment or they cannot conduct business. This ain't the Wild West anymore boys. You simply cannot infringe on the time, money and property of others and expect no repercussions legal or otherwise.

Tails: These are not just the 'homes' of individuals whose security is at risk. These are institutions both private as well as public whose information NEEDS to be protected for the safety of clients, citizens and countless others. I think if someone told you that a company/institution or otherwise, that is entrusted with sensitive information about you, your family and countless others was accessible to anyone at anytime, and that the people to whom you entrusted this information are the very people giving it away, you would also be a little pissed off. The bearers of this information are not often as motivated to admit the truth about the security of this information as the individual at risk, for a variety of reasons most of them relating to money. A bank will never tell you your money isn't safe with them. Microsoft will never tell you they are spying on you. If you can't trust the FBI and Microsoft, whom can you trust?

Read the rest of this thread and join in with your thoughts on the case.


What is AntiOnline?

AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.

We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the eye-opening discussions and expert participants that have helped make AO the "go to" online resource for network security.