Andrian Lamo – The ‘homeless’ Hacker

Reading Time: 6 Minutes

Adrian Lamo was a hacker who found innovative ways to challenge companies to rethink their security measures. From infiltrating prestigious corporations while living out of a backpack to being labeled a “snitch” by the hacker community, Adrian was a highly controversial figure in the hacking world.

Early Days – Back Story

Adrián Alfonso Lamo Atwood was born in Malden, Massachusetts, on February 20, 1981. He attended high school in San Francisco but dropped out after numerous disagreements with his teachers. Although he did not graduate, he earned a GED and later studied journalism at American River College in Carmichael, California.

Lamo’s computer skills were largely self-taught. He received his first computer, a Commodore 64, at a young age and quickly became interested in software hacking by experimenting with the coding used to create his favorite video games.

His hacking journey began with hacking into computer games, creating viruses on floppy disks, and eventually practicing phone phreaking. This allowed him to make free long-distance calls by tapping into strangers’ phone lines and spoofing calls to go undetected by phone companies.

First Steps in Hacking

In the mid-90s, Lamo started using a simple web browser to explore the web and find security holes in company systems. He was unknowingly driven by the hacker culture, where individuals enjoy the intellectual challenge of overcoming software limitations using their creativity. It wasn’t about the size of the companies or the sensitivity of the information but about the thrill of discovering something previously unknown.

Reflecting on company security at the time, Lamo would say it wasn’t very challenging to find security holes. He would take available information resources and arrange them in improbable ways, focusing on the challenge rather than downloading databases or leaking customer information.

Lamo spent countless hours at the Public Library of San Francisco, using their internet terminals to telnet out to other systems, including those that allowed him to use their modems to dial out.

Security Holes Everywhere: Living Out of a Backpack

In 1997, as AOL introduced one of the first instant messaging services and the dot-com bubble began to form, Lamo watched the explosion of internet activity with a mix of excitement and concern about unseen dangers.

Living out of a backpack, he spent a couple of years traveling the country by bus, sleeping in abandoned buildings and on friends’ couches, while accessing the internet from university libraries and Kinko’s laptop stations.

During this time, while sleeping in an abandoned building under Philadelphia’s Ben Franklin Bridge, Lamo discovered security vulnerabilities at Excite@Home. Despite informing executives, no immediate action was taken. He even started helping customers by addressing their helpdesk tickets when the company ignored them.

Lamo’s first ISP was AOL, and he was curious about what went on behind the scenes. He found multiple vulnerabilities and managed to crack into the company’s network.

Rising to Notoriety

As a teenager in the early 2000s, Lamo gained notoriety with a series of attacks against large companies. Though mostly harmless, these attacks aimed to prove a point: if someone like Lamo, who was borrowing internet access from a local Kinko’s, could easily crack into companies like AOL, Yahoo, Microsoft, and the New York Times, anyone could. He exploited misconfigured proxy servers to bypass corporate firewalls and accessed an unprotected CMS tool on Yahoo’s news site. Despite trying to alert these companies to their vulnerabilities, no one took him seriously. Frustrated, Lamo went to the press, and Reuters covered the story, quickly drawing significant attention.

Adrian Lamo (left) and Wired's Kevin Poulsen (right) in 2001. The person in the middle, Kevin Mitnick, had no involvement in the Manning case. - source: Wikipedia

New York Times Hack and FBI Charges

In 2002, Adrian Lamo infiltrated the internal network of The New York Times, giving himself admin credentials and accessing a database containing information on over 3,000 contributors. He even added himself to the paper’s internal database of experts as a “hacking expert.” The Times took immediate action and contacted the FBI, leading to an investigation. In 2003, the FBI issued a warrant for Adrian’s arrest. By 2004, he pleaded guilty, resulting in a fine, six months of home detention, and two years of probation. Despite serving his sentence, federal authorities continued to monitor him.

FBI Report: HOPE conference 2010 - source: www.npr.org

Asperger’s Syndrome Diagnosis

In 2010, Lamo joined the ranks of hackers diagnosed with Asperger’s Syndrome, a list that includes Gary McKinnon and Albert Gonzalez. Typically, such diagnoses occur when hackers first encounter the criminal justice system, but Lamo’s diagnosis came six years after his sentencing. The diagnosis was reported by Kevin Poulsen, a former hacker and journalist for Wired.

WikiLeaks and the Chelsea Manning Case

Chelsea Manning, a former US soldier and well-known activist, contacted Lamo in May 2010 via encrypted emails. At the time, Manning was in Baghdad and facing discharge for “adjustment disorder” related to gender identity issues. Feeling isolated and fragile, Manning reached out to Lamo, hoping he would understand her situation.

Though Lamo couldn’t decrypt the emails, he invited Manning to chat on AOL Messenger. Between May 21 and May 25, using the nickname bradass87, Manning introduced herself as an Army intelligence officer and alluded to leaking classified material. Manning referenced a Wikipedia article on WikiLeaks and claimed responsibility for sections about the leaked Baghdad airstrike video and other materials.

Series of chats between Adrian and Chelsea - source: wikipedia.com

Manning had begun providing WikiLeaks with classified content in late 2009, including videos of airstrikes in Baghdad and Afghanistan, thousands of diplomatic cables, and half a million Army reports, later known as the “Iraq War Logs” and “Afghan War Diary.” Manning hoped the leaks would spark worldwide discussions, debates, and reforms.

The homepage of the WikiLeaks.org website circa 2010. The Manning leaks put a little-known transparency organization on the map and made its founder, Julian Assange, a household name. - source: www.npr.org

Lamo as a Whistleblower

After his initial chat with Manning on May 21, 2010, Lamo contacted Chet Uber of Project Vigilant, which researched cybercrime, and Tim Webster, who worked in Army counterintelligence. Concerned that his chats with Manning might be monitored, Lamo decided to report her, believing she was endangering lives. He met with FBI investigators on May 25 in California, showing them the chat logs and informing Wired reporter Kevin Poulsen.

The FBI alerted Army officials, leading to Manning’s arrest in Iraq on May 27. Wired broke the story on June 6, publishing some chat logs between June 6 and 10 and the full logs in July the following year.

Manning’s Arrest and Charges

Manning faced multiple charges, including violations of the Uniform Code of Military Justice and the Espionage Act.

Adrian Lamo (center) walks out of a courthouse in Fort Meade, Md. ,where Chelsea Manning's court-martial was held, on Dec. 20, 2011. - source: www.npr.org

Lamo’s actions drew significant scrutiny, especially from the hacker community, which largely ostracized him and labeled him a “snitch” at the 2010 “Hackers on Planet Earth” conference. Julian Assange, the founder of WikiLeaks, also criticized Lamo, suggesting his actions had nothing to do with WikiLeaks. However, some believed Lamo’s reporting allowed the government to mitigate potential harm from the leaked diplomatic cables.

Adrian Lamo in a motel room on Long Island, N.Y. Lamo tried to make light of his reputation as a snitch, even wearing a hat that labeled him as such. - source: www.npr.org

For some time in the early 2011s, he was allegedly “in hiding”, and claiming that his “life was under threat” after turning in Manning.

Chelsea Manning’s Sentence and Subsequent Events

Manning was sentenced to 35 years in prison but had her sentence commuted to seven years by President Barack Obama. Released on May 17, 2017, Manning faced numerous legal challenges, including subpoenas to testify against WikiLeaks and Julian Assange, which she repeatedly refused.

On March 11, 2020, she attempted suicide in prison but recovered and was released after the grand jury decided her testimony was no longer needed. Manning has since received multiple awards and has become a prominent public speaker.

Photo of manning 40 days after her release. Manning (left) in Brooklyn during the coronavirus pandemic in April 2020, forty days after her release from jail. - source: Wikipedia.com

Untimely Demise and Lasting Legacy

Adrian Lamo passed away unexpectedly on March 14, 2018, at the age of 37 in Kansas. His father announced the news on Facebook, describing Adrian as a bright mind and compassionate soul.

They found several bottles of pills in his home and the medical examiner, Scott Kipper, who handled Adrian’s autopsy explained that he couldn’t even rule out murder. He pointed out several irregularities in Lamo’s case such as a sticker found on Adrian’s left thigh, that read “Adrian Lamo, Assistant Director, ProjectVigilant, 70 Bates Street, NW, Washington, DC. “, but that wasn’t enough to point them in a definite answer.

Adrian’s bloodstream contained various chemicals, including prescribed benzodiazepines for his anxiety disorder. The most probable cause of his demise was an accidental combination of benzodiazepines with kratom, a recreational drug. The FDA had issued a warning a month before Lamo’s passing about the fatal risks of mixing these substances.

Adrian Lamo was a hacker who constantly sought to challenge companies to take their security seriously. His innovative methods and controversial actions left a lasting impact on the cybersecurity world, making him a polarizing figure in the hacker community. Despite his untimely demise, his legacy continues to provoke thought and discussion on hacking ethics and cybersecurity.

We hope that this write up has taught you something new. If you enjoyed it, the best way that you can support us is to share it! If you’d like to hear more about us, you can find us on LinkedIn, Twitter, YouTube.

 

Are you a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to Information Security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]