Confessions of a hacker

[InfoSec News <isn () c4i org>]

http://www.startribune.com/stories/789/4135449.html

Eric Wieffering
Star Tribune
October 5, 2003

By the age of 20, Benjamin Breuninger's life was a mess. Estranged
from his mother and stepfather, a dropout with no job and months
behind on his rent, he often went a day or more without eating.

Online, he had a different life. There, he was Konceptor, a skilled
hacker who broke into computer networks, defaced Web sites and
strutted in online newsgroups such as alt.2600, where he closed his
frequent postings with this warning: "The Keystroke is mightier than
the Pen. And this is My GAME."

In 2 1/2 years in the late 1990s, Breuninger hacked into dozens of
computer systems. He peeked at the payroll of a nearby Taco Bell, left
messages supporting Jesse Ventura on the St. Paul Public Library and
KSTP radio Web sites and stole thousands of Internet e-mail accounts
and passwords.

Breuninger's online exploits ended when the FBI arrested him at his
Bloomington apartment Sept. 11, 2000, for hacking into and downloading
files from the Lawrence Livermore National Laboratory in California.

Because his crime involved one computer system instead of thousands,
Breuninger's arrest didn't generate the attention that greeted the
August arrest of Jeffrey Parson, the Hopkins High School student
accused of infecting 7,000 computers with a version of the Blaster
computer worm. But security experts say Breuninger's hacking is more
typical of the kind that is occurring daily.

Often undetected or unreported, it originates in the bed rooms of
teenage boys armed with sophisticated automated programs that can scan
the Internet around the clock, probing for soft spots.

An annual survey of 500 business, government and academic
organizations by the FBI and the Computer Security Institute found
that 56 percent of the respondents experienced unauthorized access to
their computer networks this year, with estimated losses of $200
million.

Virus attacks are also surging. In 1996, one in 100 computers
experienced a virus attack. By 2002, the figure was 10.5 per 100
computers had been attacked, an increase of 950 percent.

The most serious computer crimes -- extortion, theft of money or
confidential trade secrets -- remain for the most part the work of
disgruntled current and former employees and organized crime.  
Breuninger, who began hacking at 18 and claims he never intentionally
damaged a system he entered, didn't even bother to read the documents
he downloaded from Lawrence Livermore.

"The challenge was getting in and then letting them know I'd been
there," he said.

But others in his age bracket had more on their minds than just
showing they could break in somewhere.

Thomas Pae, 20, of Los Angeles, who was sentenced to 33 months in
prison in August for hacking and fraud, cooked up his scheme while
still in high school. "Mafia Boy," whose attacks on eBay, Amazon.com
and other Web sites cost an estimated $1.7 billion in 1999, was a
16-year-old Canadian high school student.

The server that Breuninger and other Twin Cities hackers used --
hellfire.damnation.net -- was operated by an Eden Prairie high school
student.

"For the current generation of kids, hacking into other people's
computers is the video game of this decade," said Alan Paller,
research director of the SANS Institute, a Maryland organization that
studies computer security issues and provides training. "It's those
attacks that companies spend most of their time and money protecting
themselves against."

Arrests for computer attacks are rare and convictions rarer still. The
authors of the Code Red, Nimda and Slammer worms, which caused an
estimated $5 billion in damage in the past two years, have never been
caught.

The FBI estimates that only 30 percent of computer crime victims even
bother to report security breaches.

The term hacker first appeared in the late 1950s and early 1960s to
describe skilled computer programmers or engineers who tested the
outer limits of software to make it better. Those who still adhere to
that philosophy look down at the younger generation of "script
kiddies," hackers who use automated programs to break into systems and
virus writers who set out to damage computer systems.

"They have a whole different attitude," said Todd, a 28-year-old Ham
Lake resident who spoke on the condition of anonymity because he runs
the Minnesota chapter of Defcon, a hackers group. "They don't want to
learn how to write code. They want to find a quick way in."

> From the beginning, the hacker culture, with its underground,
anti-authority ethos and its celebration of technical mastery over
education, has appealed to teenagers and young men.

"For people who are no longer kids but not quite adults, hacking is an
empowering concept," said Mark Rasch, former head of the Justice
Department's computer crime unit and now a senior executive with
Solutionary Inc., a Virginia computer security firm. "Imagine what it
must feel like to say, 'I can take down the Department of Defense from
my living room in Minneapolis.' "

Most teenagers don't try to profit from their exploits, Rasch said,
and get caught only because their immaturity leads to recklessness.

Breuninger said he never tried to steal credit card numbers or poach
Social Security numbers, though he had plenty of opportunity. On
hacker newsgroups. he blasted "lamers" looking for easy ways to steal
financial or personal information.

"A true hacker plays the game to exploit systems," he wrote in one
posting. "Sometimes the knowledge he gains can be severely damaging to
the company, agency, etc. that he hacked. Would he give you, the
lamer, the key to cripple the users of the computer system? I think
not."

A common bond

No one groomed Breuninger to be a cyberpunk. He didn't even own a
computer until 1997.

In an interview, he describes an unhappy childhood on a farm in
Cambridge, where his stepfather made him clean horse barns, dig
fence-post holes and pull tree stumps. His closest companion in high
school? His horse, Joey.

Breuninger's first job was welding heavy machinery. He didn't get a
computer until he enrolled in a computer-aided design program at
Dunwoody Institute in Minneapolis.

Within a year, Breuninger dropped out of Dunwoody, taught himself
programming and immersed himself in Minnesota's hacking scene. At one
point, he hacked into U.S. Internet Group, a Twin Cities Internet
service provider, and stole 25,000 account user names and passwords.

"That provided all the Internet access I needed," he said.

An executive with U.S. Internet disputes the number of accounts but
acknowledged that the company didn't learn about the breach until
after Breuninger was arrested.

As Konceptor, Breuninger rarely set out to hack a particular site. His
greatest exploit, and the one that landed him a felony conviction, was
chosen at random.

A program he designed scanned the Internet for unprotected computers,
and one at Lawrence Livermore popped up. Once in, Breuninger
understood the gravity of hacking a government site, he said. But that
didn't stop him from guessing the password of a system administrator's
account, establishing an account for himself and leaving software on
the system that ensured continued access.

Breuninger was a regular at the Mall of America meetings of the hacker
group 2600, where up to a dozen people between the ages of 14 and 30
would gather monthly to swap stories and tips. He joined in late-night
dumpster dives outside computer stores and office buildings in search
of discarded parts. In the summer of 1999, he hitchhiked to and from
Las Vegas for the annual Defcon hacker convention.

"A lot of us wanted to belong to something," Breuninger said. "Our
common bond was technology."

Konceptor's postings got the attention of Paller, who invited
Breuninger via an e-mail to that screen name to attend a computer
security conference in Florida in October 1998. There, Breuninger
played the "black hat" in a demonstration between a hacker and a
computer security expert.

Attendees remember a nice kid, more naive than malicious in describing
his hacking.

"What I remember most about him is that it was his [Breuninger's]
first trip on an airplane, and he was clearly in awe of the
experience," said Rob Kolstad, a systems administrator based in
Colorado Springs who attended the conference and was introduced to
Breuninger.

By his 20th birthday in April 1999, Breuninger's hacking had become
all-consuming. It was the height of the technology boom and companies
were paying exorbitant salaries to people with his technical skills.  
Breuninger had no clue and worked a series of temp jobs because they
allowed him time to hack.

When his father showed up at his apartment one day late in the summer
of 1999, he was shocked by the sight of his son.

"He was filthy, looked skinny, looked like he hadn't slept in days and
was confused," Mark Breuninger wrote in a letter to the court after
his son's arrest. "He had nowhere to go, no job, no car. His only
thing was to be online."

Mark Breuninger took his son to the Hennepin County Medical Center. He
was put on medication for depression and began seeing a psychologist
to treat what was described as an addiction to hacking and the
Internet. He moved in with his father, who set strict limits on his
computer time.

Slowly, Breuninger began to rebuild his life. By February 2000 he had
a new apartment, a new full-time job with Digi International in
Minnetonka and his first girlfriend. He had stopped attending meetings
of 2600 and no longer posted on newsgroups.

"I dropped out completely," he said.

By that time an employee at Conference Plus Inc. near Chicago had
alerted the FBI that documents from Lawrence Livermore had been stored
on its computer. During the summer of 2000, federal agents raided the
house of the high school student who hosted hellfire.damnation.net.  
Breuninger knew he was the real target. He called the FBI and, in a
meeting a few days later, confessed.

After his arrest, a member of 2600 tried to start a Konceptor legal
fund. Breuninger begged him to quit.

"I knew that what I was doing was illegal," he said.

'Get a job'

The black electronic bracelet on his right ankle is the only clue that
Breuninger, now 24 and living in Mound, is a felon.

"He struck me as a very intelligent, pleasant young man," said John
Reichmuth, an assistant federal public defender in Oakland. "There are
malignant hackers and benign hackers. This is not a person who was
trying to do any harm to any of the systems that he worked with."

Breuninger was sentenced to six months of home detention and four
years' probation, and he was ordered to pay $20,000 in restitution.  
His computer use is monitored, but he says going online no longer has
any appeal.

Breuninger lost his job at Digi a year after he was arrested and now
installs and repairs computers and networks, getting paid by the job.

Most people never see the monitoring device he wears, which is about
as big as a chronograph watch and usually obscured by his trousers.  
Still, Breuninger finds himself counting the days until Oct. 7, when
the bracelet, and restrictions on his movement, come off.

He'll probably have a beer, his first in more than six months. He may
go rock climbing in California.

He's not sure how to prevent others from repeating his mistakes, but
he can offer a retrospective self-prescription.

"I wish someone had made me get a job, get a girlfriend and get out of
the house. If they had, I might not have gotten into trouble."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.