- 23 September, 2003 08:02
What do you do about someone like Adrian Lamo? Last week, Lamo turned himself in to U.S. marshals at the federal courthouse in Sacramento, California, and was charged with hacking his way into the internal network of The New York Times and running up a US$300,000 bill on the newspaper's LexisNexis database account. At that price, you can understand why the Times wasn't as forgiving as WorldCom, Yahoo and other companies that praised Lamo after he found security holes in their networks and then helped to fix them for free.
But what now? What do you do about a guy like that?
If you let him walk, you're ignoring his lawbreaking. If you lock him up, you're spending $40,000 a year to incarcerate a valuable security resource - at a time when security problems loom larger than ever before.
The smart thing would be to sentence him to community service and put him to work finding security problems in government networks and critical infrastructure.
After all, Lamo has a brain that's somehow peculiarly tuned for finding misconfigured proxy servers, undocumented Web servers and other paths from the public Internet to what are supposed to be private networks. He's the Internet version of a man who can walk through walls, using nothing more than a Web browser.
And amazingly, in his years of wandering through electronic doorways that were left open, Lamo never seems to have done significant harm until he used expensive LexisNexis searches from the Times network to look for his name in the news.
Until then, nobody wanted to blow the whistle on a well-meaning character who routinely broke computer-intrusion laws but left improved security behind him wherever he went.
So at a time when malicious hackers, antisocial script kiddies and genuine cyberterrorists are regularly launching worms, intrusions and denial-of-service attacks, why waste Lamo's skills on anything other than improving security?
But even if a federal judge is wise enough to make the most of Lamo's talents, that leaves a question for the rest of us: What do we do about all the other people like him?
They're out there. They've been out there for decades, at least since the days 30 years ago when John "Cap'n Crunch" Draper and a group of blind teenagers regularly hacked the telephone system and then reported problems they found to phone company employees -- who didn't blow the whistle on them, even though that's what phone company policy demanded.
They're bright, curious, even helpful kids who like poking around communications networks. Today, they're kids who have always known PCs and barely remember a time when they didn't have Internet access.
Some of them will grow up to have an even better intuitive grasp of networks than Lamo. They'll walk through walls, too.
What will you do when you receive a message from one of them, proudly informing you that he has found a hole in your security?
Will you be able to get the maximum amount of information about the hole, so you can close it and track down any similar problems? Will you take the opportunity to discourage this kid from poking around in other people's networks -- but not sound so threatening that you scare him off before you get the details of what he found? Will you know what to say -- and what not to say, so you don't divulge any other information about your networks?
Most important: Does everyone in your IT shop know what to do when even the most helpful of hackers calls?
Make a plan. Make sure all your people know it. And make sure they'll stick to it.
Because when the next Adrian Lamo turns up, the last thing you want is for them to be wondering what to do.