[This article appeared in the Chicago Tribune in early 1981.]
Teen computer whizzes shut off DePaul system
CHICAGO (UPI) - A high school student's prank that sabotaged a
university computer has banks and other businesses worried about
the security of their own computer systems.
"There's quite a bit of concern," Douglas Ellis, a police investigator,
said Tuesday. "If someone of this age has the ability to get into a
computer system which an institution feels is relatively secure, that
in turn would make other institutions who have compatible systems take
a look at that security."
Two youths, both high school computer science students, gained
access to the computer at DePaul University by telephone and shut down
the entire system. It cost DePaul $22,252 to purge the system and
find and correct the security breach.
"These kids are exceptionally bright," Ellis said of Brian Catlin, 17,
and a juvenile whose name was not released. "Someone said that it
couldn't be done, and they spent approximately a year proving that they
could do it. And they did."
The juniors, in their class at Fremd High School in Palatine, were
using a computer terminal hooked up to DePaul's computer system by
telephone. All they had to do was dial the computer number on the phone.
During the week of September 17, the two high school students "broke
into the DePaul University Hewlett Packard 2000 computer system and
caused a complete shutdown of the university's computer," Ellis said.
"Once they gained access and were able to log onto the computer, they
altered the programs and created their own programs."
Computer courses were shut down, research data could not be retrieved,
and student tuition payments and account activities were not picked up
in the computer.
The computer was shut down Sept. 17-19. After partial services were
restored, authorities said, the culprits threatened to shut down the
Both teenagers were charged with theft of services. Catlin was to
appear in Misdemeanor Court Jan 13. His friend, who is now 17 but
was 16 at the time, was scheduled to appear in Juvenile Court Friday.
But even more important than the DePaul shutdown, investigators said,
was the question of what the computer whizzes would do next.
"What they consider nothing but child's mischief could result into a
bigger problem for someone else," said Ellis.
He said the youths could be sentenced to jail terms, but probably will
not receive anything more than supervision.
[This is exerpted from an article that ran in The Daily Northwestern
in November 1983.]
The inadequate security of one campus computer made headlines
in September 1980 at DePaul University in Chicago. The school's
registration week was thrown into confusion when two 17-year-old
high school students, using home computers connected to phone lines,
held the university computer hostage for several days.
The students shut the system down and held control, communicating
with DePaul officials via computer. They demanded expensive
computer software as ransom.
The youths were tracked down and apprehended, but the siege cost
DePaul more than $22,000. It also raises discussion on how colleges
can protect themselves against such crime.
Some background information on Fremd and the HP-2000.
High School District 211 co-purchased the HP-2000 with Harper Junior College.
The district had 12 dial-up ports, and the college had 12 hard-wired
ports. I can't say what the other schools in the district had (Conant,
Palatine, Hoffman Estates, Schaumburg), but at Fremd we had the ASR-33,
and a Digital Decwriter. I think it was an LS-120, but I could be a
little off on the model number.
Aside from the machine at DePaul, the only other HP-2000 we knew about
was in a neighboring High School district (District 215, if memory serves).
I think we knew about them via the grape vine: friend of a friend,
some traded logins, etc. I suspect the two targetted DePaul because it
seemed a better target. That, and we already had a stolen account to the
District 215 system, and there wasn't anything at all interesting there.
Anytime a vulnerability within the HP2000 was found, it seemed to spread
like wildfire throughout the other schools in the district, so the
admins at Harper did a pretty good job of keeping the system patched.
Other admins weren't quite so proactive. Many of the things we found
would either bring the machine to a grinding halt, or would crash it
entirely, requiring a very manual restart. DePaul's computer wasn't
adequately patched, and that's how the two got the attention of the
Toward the end of my tenure at Fremd, they started teaching computers
a little bit. It was a three or four week segment in one of the math
classes. We had an HP card reader, and the students would write their
programs on cards, using a #2 pencil instead of card punch. By that
time in school, I was a regular fixture in the computer room (which was
adjacent to the math office), so all the math teachers knew me, and I
got to sit out that part of the math class. Instead, I got to submit
and run everyone's homework.
There's more, but I'll have to write that later.
Does anyone happen to know where Brian Catlin might be these days?
Also, does anyone know who the other perpetrator was?
I received the following update regarding this event:
I was a classmate of Brian and... the other guy's name escapes me (it's
been more than 25 years, gimme a break!) I was Fremd HS class of 79,
and I suppose it's dumb luck I didn't get involved in anything like
Brian and "the other guy" used a Commodore C64 with an acoustic coupled
modem in their break-in. The DePaul security was weak, the password to
the A000 account was ^A^N^T, so it was fairly easy for their brute force
cracker to find it. DePaul discovered someone had gained unauthorized
access to the system, so they changed the password to ^B^A^T. Again, it
was fairly easy to break. The problem they ran into though, was that when
using an acoustic coupler, they had to dial the phone manually. And the
log in process would only allow 3 (or 5? I can't recall) attempts before
it would disconnect, and they'd have to hang up and manually redial.
The DePaul system had a remote job entry mechanism for the university's
IBM 360, and that's what the expense was about: the university took the
'360 down for a couple of days to run a complete process audit to ensure
the two hadn't planted anything malicious on it.
They based their C64 program on that of one written by another student
that was class of 78, if I recall. That program ran on the HP2000, and
spit out the HEL-A000<cr><password> string to the paper tape punch on the
Teletype Model 33 we had in the terminal room. Of course, by 78 or 79,
the school had installed locks on the rotary phones we used to dial the
machine the high school district shared with the local junior college.
The last I saw/heard of Brian was spring of 1981. He told me he had a
job offer from TRW right out of high school, and they were sending him
to UCLA first. He said that with all the press attention (it was on
local and national TV), he had all sorts of job offers rolling in.
I'll see what I can do to dig up the other guy's name. He was in the
electronics club, and I think he might have been in the drama club -
tech crew as well.
The name of the other guy was Chris Adams. I was also a nerdy at Fremd
at the time and was interviewed by the FBI when they were trying to
track down who the perpetrators were. The last I saw of Brian was on a news
show like 20/20 (early 90's, maybe). He had become a computer security
expert and was living in California.
Brian Catlin is co-owner and Vice President of Azius LLC. He started
building and programming 8-bit microprocessors in 1977, switched to
VAX/VMS in 1982 where he specialized in device drivers, and finally to
Windows NT in 1992, specializing in device drivers and internals. Brian
got into device drivers because he likes to write software that interacts
with the real world; writing business software is his definition of
torture. Brian also spent a great deal of time in the aerospace/ defense
world designing command centers, where he learned the discipline of
specification writing and project management. Brian offers consulting
services through his company,