With a cheap home computer and a telephone, half a dozen or so clever young "hackers" here reached out electronically this summer from the solitude of their bedrooms and their dens to invade--and sometimes damage--more than 60 data banks from Los Angeles to New York and from Los Alamos to Montreal.
The loosely confederated computer enthusiasts, who now are the target of a criminal investigation by the FBI, made an instant national reputation as "whiz kids" capable of frightening technological virtuosity.
They are not.
Friends, teachers and associates in the Milwaukee computer community said that the young computer raiders, aged 15 to 22, are above-average but not exceptional programmers who used generally unsophisticated break-in methods and who foolishly failed to anticipate the means by which they were caught.
They said that any bright teen-ager with a few hundred dollars worth of ordinary home computer hardware could commit similar acts of electronic trespass--and that, at one time or another, a good many do.
"They're not whiz kids," said Douglas Harris, who is chairman of the Marquette University department of mathematics, statistics, and computer science. "I don't think they were doing anything very technologically complex."
All of this has sounded renewed alarms about the vulnerability of even sophisticated business and military computers to invasion and vandalism by outsiders with common tools and skills. It also has drawn attention to a subculture in which young computer jockeys "meet," make conversation, and exchange tips on the illicit use of computers, all without leaving their home keyboards.
The Milwaukee raiders number anywhere from seven to 10, depending on whom you count.
They did most of their communicating--and some of them first met, if that is the word--using "electronic bulletin boards" and "electronic mail."
An electronic bulletin board serves much the same purpose as a slab of cork on a wall, except that the "board" is a computer, and the messages on it can be read without being in the same room.
The bulletin board favored by the raiders is called SUE, for Serious Users Exchange. SUE is a small computer located in southern Milwaukee and attached to a "modem," a device which converts electronic signals into sounds and allows SUE to talk with other computers by telephone.
To "read" this bulletin board, a computer owner dials SUE's telephone number, cradles the phone in his own modem, and turns on his home computer. Within seconds, the two computers are in contact, and the caller can read or write messages which are accessible, as on a corkboard, to anyone who looks for them. Callers also can send or receive "electronic mail" targeted to a specific reader.
Computer hobbyists use the bulletin boards to make queries and suggestions, to buy and sell equipment, to exchange programs, to make dates and to talk about the weather.
"Some of these people seem to be more comfortable communicating with electronic mail than face to face," said Glenn Wanek, the systems programmer for the Milwaukee school district, who knows most of the raiders. "They say things over a computer screen that they would not say in person."
Such as: how to invade protected computers by telephone.
Several of the young computer devotees, widely dispersed around the city, found that they had a common interest in computer-raiding and began a regular electronic correspondence about a year ago. Now and then they would meet in the evening at a centrally located Pizza Hut. Sooner or later, all of them joined a local Explorer post sponsored by IBM to foster interest in computers.
Eventually, someone suggested that they call themselves "the 4-1-4s," after Milwaukee's area code, in a parody of the tough street gangs that take their names from Milwaukee's numbered streets. If they were going to be a "gang," they said, they might as well sound like one.
Free long-distance telephone calls were their first order of business.
Before that, Neal Patrick, 17, an honor student and the only member of the 4-1-4s with immunity from prosecution, said he racked up a $300 phone bill the first month he used his new modem to read computer bulletin boards around the country. His father, Richard Patrick, who pays the bills for the phone, the modem, and the Radio Shack TRS-80 model II computer, told his son that the long-distance calling was through.
Other 4-1-4s had similar problems.
They solved them, associates said, by billing their calls to other people's credit card numbers and to random Sprint or MCI long-distance accounts. These numbers are routinely available on some bulletin boards.
"They get on these boards and say, 'Hey everybody, this is a good way to break into Sprint,' " said Dennis Hill, director of academic computer services at the Milwaukee School of Engineering, where computer files were damaged in one of the first raids by a member of the 4-1-4s.
Even without the bulletin boards, every one of the 4-1-4s had the skills and equipment to find "valid" access numbers for free long-distance calls.
All they had to do was write a simple program for a modem-equipped computer, telling it to dial the local number of one of the alternative long-distance telephone companies, and then to try a random 5-digit or 6-digit access code.
The computer would know to wait momentarily, hang up, redial, and then try another, slightly altered access code. Each time, it would record the results: either the code worked or it didn't.
Computers don't mind doing repetitive tasks for long periods. Anyone who starts a program like that before going to bed at night, Milwaukee computer experts said, will find a log of working access codes waiting in the morning.
With these codes, the 4-1-4s could use long-distance bulletin boards as much as they liked--with predictable results.
"I got bored," Patrick said.
Harris, who has seen a lot of young "hackers" go through a similar cycle, said it works like this:
"You and your friends get personal computers and you go through the obligatory phase of playing games, and then you get tired of that. Then you talk to one another on your modems and then you get tired of that. Then you start looking for a way to talk to people farther away and you start looking for a way not to pay the long-distance charges. And then you get tired of that."
The final step began in May.
The 4-1-4s still wanted to "add another dimension," Patrick said, and they decided to start breaking into "mainframes," powerful computers the size of cars and trucks which are used by universities, banks, hospitals, corporations and governments.
"The step that took me from bulletin boards to mainframes was curiosity," Patrick said. "That's all it was. Just curiosity."
Like the others, Patrick worked alone in his home with growing excitement, staring long hours into a glowing screen which, if he could manage it, would open a window into faraway machines and a faraway environment.
It was the same screen that displayed spaceship games, homework, accounting records from his father's business. Patrick, although he was familiar with Wisconsin's strict computer crime law, said he found it hard to imagine that he was doing anything wrong.
"The general feeling," he said, "was that if you did do damage it was immoral, but that the mere accessing was not bad. Now with this whole mess, everyone understands that was wrong."
The reason that Patrick and his friends could "access" distant mainframes by telephone is that these powerful computers, like electronic bulletin boards, are designed with telephone access in mind.
The difference is that bulletin boards are for everyone and private mainframes are for employes or paying customers only. News media computers, for example, typically allow telephone access so that reporters in the field with portable computers can transmit and receive stories.
Most of the computers that were invaded by the 4-1-4s were part of a telephone network operated by GTE Telenet Communications Corp., which allows "remote" users to log on to the central computer with a local call.
One day, in what he said was a typical instance, Patrick broke past computer security at the Security Pacific National Bank in Los Angeles.
Patrick did not intend to crack that particular computer.
"It was all pure chance," he said. "There was no real attack on any single computer. There's no way to tell what computer you're accessing until after you access it."
The break-in worked like this.
Patrick called Telenet, hooked the phone to his modem, and waited for a connection. Then he typed a six-digit code of letters and numbers into his computer.
The first digit was the letter "C." This told Telenet that he wanted to make his call collect. He wanted the computer he was calling to accept the charges. Some do, some do not.
Patrick knew from other raiders that the next three digits of the Telenet code should be the area code of the computer he wanted to reach. Having no computer in mind, he entered an area code at random. That day he chose 213, which serves Los Angeles.
The last two digits identify the computer desired within that area code. Patrick again typed in numbers at random until he reached a computer that would accept his collect call.
Eventually, a sign-on message flashed onto his screen asking Patrick for his account name and password.
At this point, sitting in the solitude of his den, Patrick had reached the electronic outer wall of a computer at the Security Pacific National Bank.
Basic computer security is of two types: the kind that keeps unauthorized users out of the system entirely, and the kind that keeps authorized users from roaming around parts of the system where they do not belong.
Both "walls" were pretty flimsy.
Patrick knew, as any computer buff knows, that most computers come equipped from the factory with "system accounts," which allow installers and repairmen easy access to the entire electronic system.
These accounts come with "default passwords," a password that will continue to work unless the new owner changes them. Many don't bother.
For a computer raider, these accounts are a double blessing. If the raider guesses the password, he not only is past the outer defensive "wall," but he also has free access throughout the system, because installers and repairmen need to have the most "privileged" accounts.
Patrick did not have to spend too much time at trial and error.
The account name which got him into the Security Pacific National Bank computer was "SYSTEM." The password was "SYSTEM."
Other passwords used successfully by the raiders included "TEST," "MAINTENANCE," and "DEMO."
Once inside, Patrick said he snooped around, exploring the environment and seeing where various accounts might lead him. On a later visit inside the bank computer, Patrick found and played a game of "Star Trek."
Of all the data banks raided by the 4-1-4s, Patrick said on NBC's Today Show recently, Security Pacific's "could have proven to be the most important and the most disastrous."
"If that had been our purpose," he said, "a lot of data could have been destroyed or harmed."
Susan Taha, a bank spokesman, said, "Was it serious? Yes."
But Taha emphasized that the computer that Patrick invaded "was not a computer that contained any records of funds or customer transactions."
Other computer raids went similarly.
Patrick and his friends used generally similar tactics to tap into an unclassified computer at the Los Alamos government nuclear laboratory, a medical computer at the Memorial Sloan-Kettering Cancer Center in New York, and other computers at Gaffney-Cline Associates in Dallas and Canada Cement LaFarge Ltd. of Montreal.
At least twice--at Sloan-Kettering and at the Milwaukee School of Engineering--raiders destroyed files in the invaded computers. At Sloan-Kettering, the deleted file was a user log which the center would have used to bill customers for about $1,500 in computer services. At the engineering school, dozens of files were deleted apparently at random.
Sometimes the raiders could not discover a password quickly, and then some of them would program their home computers to try a long list of common passwords--including common names, colors, and car models--on the system being probed.
Some Milwaukee computer specialists believe that this repetition led to their undoing.
Many computer systems, even systems without much security, are designed to notice an unusual number of access attempts or other unusual patterns of use.
Paul Piaskoski, Patrick's lawyer, said that both the Los Angeles bank and the Sloan-Kettering center detected the raiders' intrusions and set up "trap systems," which are programs designed to keep an invader harmlessly busy in a sealed-off segment of the computer while his telephone call is traced.
Patrick's "Star Trek" game, it turned out, was one of these traps.
Late in July, the FBI began knocking at the doors of 4-1-4 members.
It was the first brush with the law for most of the 4-1-4s, who are mostly above-average students from middle-class homes, the sons of blue-collar and middle-level white collar families.
Patrick, whom school officials call the brightest of the 4-1-4s, is a top student at Rufus King Senior High School, a Milwaukee magnet school for the college-bound, and who promises to lead a strong King contingent to the national "academic decathlon" competition. His parents sell paper accounting products and live in an unpretentious maroon-and-white frame house.
The FBI attention has panicked the 4-1-4s, most of whom refused to be interviewed.
For a time, counting on their own computer privacy, they talked freely about the case via electronic mail, as in the following message, sent Aug. 10 from the girlfriend of one 4-1-4 to another member: "they might be headed in your direction, you live in the area of a prime suspect and they wer sic asking about you. don't say ANYTHING. and don't call me and discuss this matter."
FBI spokesman Gary Hart would provide no details of the investigation, but he discounted early news reports that the 4-1-4s were unlikely to be prosecuted.
"If that type of decision had been made," he said, "we would not be still involved."
Said Harris, the Marquette professor: "These kids had to be awfully stupid if they didn't know that once someone decides he wants to stop this, he can." CAPTION: Picture, Neal Patrick, 17, with the home computer that enabled him to break into numerous other larger computers around the country, and which got him into hot water. Patrick was one of a group of Milwaukee computer raiders called the 4-1-4s.
Copyright (c) Michael Vollan