http://www.startribune.com/stories/789/4135449.html Eric Wieffering Star Tribune October 5, 2003 By the age of 20, Benjamin Breuninger's life was a mess. Estranged from his mother and stepfather, a dropout with no job and months behind on his rent, he often went a day or more without eating. Online, he had a different life. There, he was Konceptor, a skilled hacker who broke into computer networks, defaced Web sites and strutted in online newsgroups such as alt.2600, where he closed his frequent postings with this warning: "The Keystroke is mightier than the Pen. And this is My GAME." In 2 1/2 years in the late 1990s, Breuninger hacked into dozens of computer systems. He peeked at the payroll of a nearby Taco Bell, left messages supporting Jesse Ventura on the St. Paul Public Library and KSTP radio Web sites and stole thousands of Internet e-mail accounts and passwords. Breuninger's online exploits ended when the FBI arrested him at his Bloomington apartment Sept. 11, 2000, for hacking into and downloading files from the Lawrence Livermore National Laboratory in California. Because his crime involved one computer system instead of thousands, Breuninger's arrest didn't generate the attention that greeted the August arrest of Jeffrey Parson, the Hopkins High School student accused of infecting 7,000 computers with a version of the Blaster computer worm. But security experts say Breuninger's hacking is more typical of the kind that is occurring daily. Often undetected or unreported, it originates in the bed rooms of teenage boys armed with sophisticated automated programs that can scan the Internet around the clock, probing for soft spots. An annual survey of 500 business, government and academic organizations by the FBI and the Computer Security Institute found that 56 percent of the respondents experienced unauthorized access to their computer networks this year, with estimated losses of $200 million. Virus attacks are also surging. In 1996, one in 100 computers experienced a virus attack. By 2002, the figure was 10.5 per 100 computers had been attacked, an increase of 950 percent. The most serious computer crimes -- extortion, theft of money or confidential trade secrets -- remain for the most part the work of disgruntled current and former employees and organized crime. Breuninger, who began hacking at 18 and claims he never intentionally damaged a system he entered, didn't even bother to read the documents he downloaded from Lawrence Livermore. "The challenge was getting in and then letting them know I'd been there," he said. But others in his age bracket had more on their minds than just showing they could break in somewhere. Thomas Pae, 20, of Los Angeles, who was sentenced to 33 months in prison in August for hacking and fraud, cooked up his scheme while still in high school. "Mafia Boy," whose attacks on eBay, Amazon.com and other Web sites cost an estimated $1.7 billion in 1999, was a 16-year-old Canadian high school student. The server that Breuninger and other Twin Cities hackers used -- hellfire.damnation.net -- was operated by an Eden Prairie high school student. "For the current generation of kids, hacking into other people's computers is the video game of this decade," said Alan Paller, research director of the SANS Institute, a Maryland organization that studies computer security issues and provides training. "It's those attacks that companies spend most of their time and money protecting themselves against." Arrests for computer attacks are rare and convictions rarer still. The authors of the Code Red, Nimda and Slammer worms, which caused an estimated $5 billion in damage in the past two years, have never been caught. The FBI estimates that only 30 percent of computer crime victims even bother to report security breaches. The term hacker first appeared in the late 1950s and early 1960s to describe skilled computer programmers or engineers who tested the outer limits of software to make it better. Those who still adhere to that philosophy look down at the younger generation of "script kiddies," hackers who use automated programs to break into systems and virus writers who set out to damage computer systems. "They have a whole different attitude," said Todd, a 28-year-old Ham Lake resident who spoke on the condition of anonymity because he runs the Minnesota chapter of Defcon, a hackers group. "They don't want to learn how to write code. They want to find a quick way in." >From the beginning, the hacker culture, with its underground, anti-authority ethos and its celebration of technical mastery over education, has appealed to teenagers and young men. "For people who are no longer kids but not quite adults, hacking is an empowering concept," said Mark Rasch, former head of the Justice Department's computer crime unit and now a senior executive with Solutionary Inc., a Virginia computer security firm. "Imagine what it must feel like to say, 'I can take down the Department of Defense from my living room in Minneapolis.' " Most teenagers don't try to profit from their exploits, Rasch said, and get caught only because their immaturity leads to recklessness. Breuninger said he never tried to steal credit card numbers or poach Social Security numbers, though he had plenty of opportunity. On hacker newsgroups. he blasted "lamers" looking for easy ways to steal financial or personal information. "A true hacker plays the game to exploit systems," he wrote in one posting. "Sometimes the knowledge he gains can be severely damaging to the company, agency, etc. that he hacked. Would he give you, the lamer, the key to cripple the users of the computer system? I think not." A common bond No one groomed Breuninger to be a cyberpunk. He didn't even own a computer until 1997. In an interview, he describes an unhappy childhood on a farm in Cambridge, where his stepfather made him clean horse barns, dig fence-post holes and pull tree stumps. His closest companion in high school? His horse, Joey. Breuninger's first job was welding heavy machinery. He didn't get a computer until he enrolled in a computer-aided design program at Dunwoody Institute in Minneapolis. Within a year, Breuninger dropped out of Dunwoody, taught himself programming and immersed himself in Minnesota's hacking scene. At one point, he hacked into U.S. Internet Group, a Twin Cities Internet service provider, and stole 25,000 account user names and passwords. "That provided all the Internet access I needed," he said. An executive with U.S. Internet disputes the number of accounts but acknowledged that the company didn't learn about the breach until after Breuninger was arrested. As Konceptor, Breuninger rarely set out to hack a particular site. His greatest exploit, and the one that landed him a felony conviction, was chosen at random. A program he designed scanned the Internet for unprotected computers, and one at Lawrence Livermore popped up. Once in, Breuninger understood the gravity of hacking a government site, he said. But that didn't stop him from guessing the password of a system administrator's account, establishing an account for himself and leaving software on the system that ensured continued access. Breuninger was a regular at the Mall of America meetings of the hacker group 2600, where up to a dozen people between the ages of 14 and 30 would gather monthly to swap stories and tips. He joined in late-night dumpster dives outside computer stores and office buildings in search of discarded parts. In the summer of 1999, he hitchhiked to and from Las Vegas for the annual Defcon hacker convention. "A lot of us wanted to belong to something," Breuninger said. "Our common bond was technology." Konceptor's postings got the attention of Paller, who invited Breuninger via an e-mail to that screen name to attend a computer security conference in Florida in October 1998. There, Breuninger played the "black hat" in a demonstration between a hacker and a computer security expert. Attendees remember a nice kid, more naive than malicious in describing his hacking. "What I remember most about him is that it was his [Breuninger's] first trip on an airplane, and he was clearly in awe of the experience," said Rob Kolstad, a systems administrator based in Colorado Springs who attended the conference and was introduced to Breuninger. By his 20th birthday in April 1999, Breuninger's hacking had become all-consuming. It was the height of the technology boom and companies were paying exorbitant salaries to people with his technical skills. Breuninger had no clue and worked a series of temp jobs because they allowed him time to hack. When his father showed up at his apartment one day late in the summer of 1999, he was shocked by the sight of his son. "He was filthy, looked skinny, looked like he hadn't slept in days and was confused," Mark Breuninger wrote in a letter to the court after his son's arrest. "He had nowhere to go, no job, no car. His only thing was to be online." Mark Breuninger took his son to the Hennepin County Medical Center. He was put on medication for depression and began seeing a psychologist to treat what was described as an addiction to hacking and the Internet. He moved in with his father, who set strict limits on his computer time. Slowly, Breuninger began to rebuild his life. By February 2000 he had a new apartment, a new full-time job with Digi International in Minnetonka and his first girlfriend. He had stopped attending meetings of 2600 and no longer posted on newsgroups. "I dropped out completely," he said. By that time an employee at Conference Plus Inc. near Chicago had alerted the FBI that documents from Lawrence Livermore had been stored on its computer. During the summer of 2000, federal agents raided the house of the high school student who hosted hellfire.damnation.net. Breuninger knew he was the real target. He called the FBI and, in a meeting a few days later, confessed. After his arrest, a member of 2600 tried to start a Konceptor legal fund. Breuninger begged him to quit. "I knew that what I was doing was illegal," he said. 'Get a job' The black electronic bracelet on his right ankle is the only clue that Breuninger, now 24 and living in Mound, is a felon. "He struck me as a very intelligent, pleasant young man," said John Reichmuth, an assistant federal public defender in Oakland. "There are malignant hackers and benign hackers. This is not a person who was trying to do any harm to any of the systems that he worked with." Breuninger was sentenced to six months of home detention and four years' probation, and he was ordered to pay $20,000 in restitution. His computer use is monitored, but he says going online no longer has any appeal. Breuninger lost his job at Digi a year after he was arrested and now installs and repairs computers and networks, getting paid by the job. Most people never see the monitoring device he wears, which is about as big as a chronograph watch and usually obscured by his trousers. Still, Breuninger finds himself counting the days until Oct. 7, when the bracelet, and restrictions on his movement, come off. He'll probably have a beer, his first in more than six months. He may go rock climbing in California. He's not sure how to prevent others from repeating his mistakes, but he can offer a retrospective self-prescription. "I wish someone had made me get a job, get a girlfriend and get out of the house. If they had, I might not have gotten into trouble." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 02:14:52 PDT