◆ SpookStack

| ~ DE WESKLY | SIWSUKLY.COLL | INCWS . POAC Fm Luty ws Lraun menses BUA SA ae Zee intrusion and drug use, but substances that disassociate you from your senses have played a big part in my life,* Lamo says. “The point, with substances, has always been to show myself where I can go without them. Drugs are not an indispensable part of my life. But there are times when I'd rather stay up until the next bus comes. instead of curling up and finding my backpack gone when I wake. There are times I don’t want to feel the pain." He pauses, stops on a comer of the sidewalk in the Financial District, and waves his hand toward the nearest storefront. "This is my historic Kinko's," he says. "A great many of my compromises occurred here. I belleve it's still 24-hours ..." Peering at the sign on the door, he steps back, aghast. “Goddamn It, it's not! How could they do this to me?” He shakes his head, then slips back into his role as tour guide. “It does not have a restroom but it has a vending machine, so I can keep the Code Red coming. So much miscellaneous stuff has happened from this Kinko's, from that far desk over there. Most of the exploration for the WorldCom intrusion happened here." Before he penetrated the New York Times, Lamo's incursion into the troubled telecom giant WorldCom was perhaps his greatest coup. It was vintage Lamo: He was drifting around the company's site, with no preformed pians to hack it, when one thing led to another, Over a handful of all-day sprees -- "whenever I'd get bored and remember WorldCom," as he puts it -- Lamo got access to the company's internal system via open proxy servers, dedicated machines that act as a go-between for employees’ computers and the Internet. This, too, is his trademark, Whereas most hackers obsess over known software vulnerabilities, endlessly scanning a company’s security applications in the hopes of finding a random glitch, Lamo sneaks through these more nebuious, less intentionally geeky, holes. When brought online, proxy servers are often misconfigured, both accepting and forwarding connections from the outside as well as the inside, and Lamo can change his browser's preferences to match those of the proxy server. Open proxy servers don't require a username or password, and once inside a company's system, Lamo hunts down passwords that enable him to view other pages on the company's own intranet. And this is one of Lamo's fundamental! gripes: When you put a network, any network, online, you accept the responsibility for securing it, he says. And spending millions of dollars on front-door security software doesn't mean anything if the back door is wide open. Lamo broke the news of his intrusion into WorldCom through the Web site SecurityFocus.com, and officials at the telecom company said they appreciated Lamo's help in drawing attention to the problems with their system. (It took a weekend of Lamo's assistance to close the holes.) "All these companies T've compromised, they've never had a clue until I told them," says Lamo, who has a computer screen-shot of WorldCom's stock falling the day he disclosed his hack. “To an extent, it’s because of my approach. Classic intrusion software looks for an attack -- nothing I do looks like an attack. It's the same stuff a user would do, and you can't determine what the intent of a user is." http://www.sfweekly.com/issues/2003-04-16/feature.html/2/index.html FBI(19-cv-1495)-141 6/20/2003