Yo Adrian! Lamo on Wikileaks and Cablegate

I first met Adrian Lamo about ten years ago. Back then, I was teaching a high school networking class and I thought it would be cool to have the kids experience a “real” hacker, since so many of them aspired to learn how to get into the computerized grading system that the school ran.

Lamo at the time had been arrested for breaking into several different computer systems, including that of the freelancer database of the New York Times. His method was to find an open Web proxy server and use that to gain entry inside a corporate network. (It is still a common entry point, although many companies have finally figured out how to protect themselves.) At the time, he was called the “homeless hacker” ā€“ not because he was living on the streets, but because he was young and had no fixed address, and would go from couch to couch as the mood took him. I offered him a place to stay and a chance to get to know him better, thinking how cool could that be?

When I told my then-teenage daughter about his impending visit, she was rather incredulous (you have someone wanted by the police staying with us) but ultimately she was won over by his geek cred ā€“ she had a problem with her cell phone that she recalls him fixing in a matter of seconds.

Well, Lamo went on to settle his lawsuit with the Times, and got a degree in journalism, ironically enough. I went on to become one of those listed in the NYT freelancer database (thankfully now more secure, I hope), having written a few articles for them on technology over the years. And he then went on to become one of the important figures in the Wikileaks/Cablegate case last year, when he divulged the name of Private Manning to the feds as the leaker. At the time, his decision was vilified in the hacking community, with threats and other nastiness expressed online.

“Who would have thought that when we first met ten years ago that I would have been involved in the single biggest intelligence leak in history,” he told me. How true. He continues to work as a security consultant, helping corporations understand better security practices as well as going out on the speaking circuit. Ironically, his preferred method of communications these days is FedEx! “I’m a little bit of a Luddite these days,” he said. He also thinks that his actions were justified for the greater good of our nation’s overall security posture, and to help ensure further freedoms. An interesting position for a hacker to take, to be sure.

I had a chance to speak to Lamo last week and record the interview for ReadWriteWeb, where you can listen to the 13-minute podcast here.

4 thoughts on “Yo Adrian! Lamo on Wikileaks and Cablegate

  1. I enjoyed listening to Adrian and understanding his thoughts and feelings. Very well communicated.

    I’ll add my 0.02 on why encryption isn’t more widely used: In one word: certificates. The ASN.1/X.509 standards are horrendous, one of only a few holdovers from the ISO-OSI protocol bubble of the early 90’s. I’m sure you remember that, David! The bubble burst, leaving X.400, X.500, and X.509 in its smoking ruins. X.400 was a dying ember and is dead now. X.500 is alive only for being adopted by IBMers as “corporate directories”. Too bad, those dinosaur systems are dying too. Verisign came into being and was the number one most poorly managed companies you could imagine. Then there was the 40-bit “export restriction” foisted on us by the FBI, resulting in abominations like server-gated crypto and even more expensive certs. It quietly died. Certs for mail, simple cheap ones that really didn’t mean anything, extremely expensive ones that purported to mean more. No one really understood it. The libraries from the likes of SPYRUS were horrible spaghetti code and cost an arm and a leg. The whole concept of Certification Authorities and trust chaining tried to create an elite group of suppliers who could charge an arm and a leg, much of which went straight into reserves for tort lawsuits. Encrypted email that used certs for key exchange never caught on because no one could figure out how to get certs that provided “enough” security, and how to get the cert to the receiver. PGP was too hard for people to understand. I could go on about PGP, but I’ve probably said enough.

  2. I should mention that Mark Shuttleworth, who started the Thawte certification authority got rich enough off that to take a trip to the International Space Station. He made it big by not needing to have the tort lawsuit set-aside since his company operated out of South Africa.

  3. The cert. issue has been solved, Bob. Voltage, PGP Universal, Proofpoint are all great enterprise solutions that handle auto-cert registration and expiration quite easily. I am sure there are a couple of other products that I am forgetting now.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s