The Official Phreaker's Manual The Official Phreaker's Manual V1.1 Updated 2/14/87 Compiled, Wordprocessed, and Distributed by: The Jammer and Jack the Ripper Page 1 The Official Phreaker's Manual Introduction What precedes this introduction is what I have termed "The Official Phreakers Manual", while it may not be. Many times I have been on a BBS, which has files claiming to have summed up all the ways to phreak in the U.S. and abroad, well those were pretty lame and a couple pages long. Now after many relentless hours of work, I have done it. This is an informative file and the authors of this and the authors from which I have gathered information, take absolutely NO responsibility and are not liable for, under any circumstances for damage, direct, indirect, incidental, or consequential. Warning: Use of this material may shorten your life in the free world! Ok enough of the bullshit, I readily admit that this is mainly a compilation of available phreak material and public resources. What I have done is to gather it all together and edit, compile, check for errors, put in a readable form, and finally to write what I know without echoing what others have said. I have set this up that it is good for all levels of phreaks, going from novice to advanced, and references and tables for easy reference in the back. This manual is constantly being updated! If you have any contributions or corrections or comments, please leave messages to me (Jack the Ripper) on any BBS's I am on (probably where you got it). Thanks! Page 2 The Official Phreaker's Manual ********************************************************************** Table of Contents ********************************************************************** I....... 005 Chapter 1 I.1..... 006 Glossary of Phreaking terms I.2..... 010 Glossary of Phreaking terms cont. I.3..... 017 Boxes and Electronic Toll Fraud I.4..... 020 How to be a Real Phreak I.5..... 026 Basic Telecommunications I, A Phreaks guide II...... 031 Chapter 2 II.1.... 033 Secrets of the Little Blue Box. Part 1 II.2.... 041 Secrets of the Little Blue Box. Part 2 II.3.... 050 Secrets of the Little Blue Box. Part 3 II.4.... 058 Secrets of the Little Blue Box. Part 4 II.5.... 062 The History of ESS II.6.... 064 History of British Phreaking II.7.... 067 Bad as Shit, an adventure story III..... 069 Chapter 3 III.1... 070 Phreaking Cosmos III.2... 072 Cosmos Revamped III.3... 073 Telenet III.4... 075 Phreaking AT&T Cards III.5... 076 AT&T Forgery III.6... 078 Dealing with Operators III.7... 079 How to set up a Conference Call III.8... 081 Fone tapping III.9... 083 Fone tapping cont. III.10.. 085 Tracing, how dangerous is it III.11.. 086 How to avenge yourself III.12.. 088 Interesting things to do on Step lines III.13.. 089 Busted, An account of the Private Sector bust IV...... 092 Chapter 4 IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani IV.2.... 101 Basic Telecommunications III, Direct Dialing, International IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics IV.5.... 120 Basic Telecommunications VI, Fortress fones V....... 123 Chapter 5 V.1..... 124 Basic Telecommunications VII, Blue Boxing V.2..... 132 Better Homes & Blue Boxing, Part 1 V.3..... 136 Better Homes & Blue Boxing, Part 2 V.4..... 141 Better Homes & Blue Boxing, Part 3 V.5..... 145 More on Blue Boxing by Fred Stienbeck V.6..... 146 Verification, Remob, etc., Is it possible? V.7..... 148 Equal Access and the American Dream, Another great article V.8..... 160 Equal access and Autodialing Modems V.9..... 161 ISDN, it will change telecommunications for ever V.10.... 163 ISDN, an article from Proto V.11.... 165 MCI Services what they are and how they are useful Page 3 The Official Phreaker's Manual ********************************************************************** Appendixes ********************************************************************** Appendix I...... 170 Reference tables and access lists Appendix I.1.... 171 Country Codes Appendix I.2.... 173 Country Codes cont. Appendix I.3.... 176 Country Codes cont. Appendix I.4.... 181 Max Access ports (Dialups) Appendix I.5.... 182 Metro Fone Access ports Appendix I.6.... 183 Area Codes Appendix I.7.... 185 Tac Dialups around the country Appendix I.8.... 193 Test numbers around the country Appendix I.9.... 196 What a TSPS operators console looks like Appendix II..... 197 Box plans Appendix II.1... 198 How to make an Infinity transmitter Appendix II.2... 203 How to make a silver box 204 Protection Page Page 4 The Official Phreaker's Manual Chapter 1 Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly long list, though not totally complete. After the vocab, will be some of the general rules for phreaking. Most of the rules are protection from the police and AT&T, but others are grammatical rules. These are not as important to your freedom, but many a phreak will think you are a twelve year old if you start talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some soft/docs. Checkul8r". Well you get the point, here's your vocab list... Page 5 The Official Phreaker's Manual ...................................................................... ...................................................................... . The Bell Glossary - .. . by .. . /\<\ /\<\ .. . \>ad \>arvin .. ...................................................................... ...................................................................... ACD: Automatic Call Distributor - A system that automatically distributes calls to operator pools (providing services such as intercept and directory assistance), to airline ticket agents, etc. Administration: The tasks of record-keeping, monitoring, rearranging, prediction need for growth, etc. AIS: Automatic Intercept System - A system employing an audio-response unit under control of a processor to automatically provide pertinent info to callers routed to intercept. Alert: To indicate the existence of an incoming call, (ringing). ANI: Automatic Number Identification - Often pronounced "Annie," a facility for automatically identify the number of the calling party for charging purposes. Appearance: A connection upon a network terminal, as in "the line has two network appearances." Attend: The operation of monitoring a line or an incoming trunk for off-hook or seizure, respectively. Audible: The subdued "image" of ringing transmitted to the calling party during ringing; not derived from the actual ringing signal in later systems. Backbone Route: The route made up of final-group trunks between end offices in different regional center areas. BHC: Busy Hour Calls - The number of calls placed in the busy hour. Blocking: The ratio of unsuccessful to total attempts to use a facility; expresses as a probability when computed a priority. Blocking Network: A network that, under certain conditions, may be unable to form a transmission path from one end of the network to the other. In general, all networks used within the Bell Systems are of the blocking type. Blue Box: Equipment used fraudulently to synthesize signals, gaining access to the toll network for the placement of calls without charge. BORSCHT Circuit: A name for the line circuit in the central office. It functions as a mnemonic for the functions that must be performed by the circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and Testing. Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, comprises 480hz and 620hz interrupted at 60IPM. Bylink: A special high-speed means used in crossbar equipment for routing calls Page 6 The Official Phreaker's Manual incoming from a step-by-step office. Trunks from such offices are often referred to as "bylink" trunks even when incoming to noncrossbar offices; they are more properly referred to as "dc incoming trunks." Such high-speed means are necessary to assure that the first incoming pulse is not lost. Cable Vault: The point which phone cable enters the Central Office building. CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. CCIS: Common Channel Interoffice Signaling - Signaling information for trunk connections over a separate, nonspeech data link rather that over the trunks themselves. CCITT: International Telegraph and Telephone Consultative Committee- An International committee that formulates plans and sets standards for intercountry communication means. CDO: Community Dial Office - A small usually rural office typically served by step-by-step equipment. CO: Central Office - Comprises a switching network and its control and support equipment. Occasionally improperly used to mean "office code." Centrex: A service comparable in features to PBX service but implemented with some (Centrex CU) or all (Centrex CO) of the control in the central office. In the later case, each station's loop connects to the central office. Customer Loop: The wire pair connecting a customer's station to the central office. DDD: Direct Distance Dialing - Dialing without operator assistance over the nationwide intertoll network. Direct Trunk Group: A trunk group that is a direct connection between a given originating and a given terminating office. EOTT: End Office Toll Trunking - Trunking between end offices in different toll center areas. ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" emergency calls are routed. ESS: Electronic Switching System - A generic term used to identify as a class, stored-program switching systems such as the Bell System's No.1 No.2, No.3, No.4, or No.5. ETS: Electronic Translation Systems - An electronic replacement for the card translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. False Start: An aborted dialing attempt. Fast Busy: (often called reorder) - An audible busy signal interrupted at twice the rate of the normal busy signal; sent to the originating station to indicate that the call blocked due to busy equipment. Final Trunk Group: The trunk group to which calls are routed when available high-usage trunks overflow; these groups generally "home" on an office next highest in the hierarchy. Page 7 The Official Phreaker's Manual Full Group: A trunk group that does not permit rerouting off-contingent foreign traffic; there are seven such offices. Glare: The situation that occurs when a two-way trunk is seized more or less simultaneously at both ends. High Usage Trunk Group: The appellation for a trunk group that has alternate routes via other similar groups, and ultimately via a final trunk group to a higher ranking office. Intercept: The agency (usually an operator) to which calls are routed when made to a line recently removed from a service, or in some other category requiring explanation. Automated versions (ASI) with automatic voiceresponse units are growing in use. Interrupt: The interruption on a phone line to disconnect and connect with another station, such as an Emergence Interrupt. Junctor: A wire or circuit connection between networks in the same office. The functional equivalent to an intraoffice trunk. MF: Multifrequency - The method of signaling over a trunk making use of the simultaneous application of two out of six possible frequencies. NPA: Numbering Plan Area. ONI: Operator Number Identification - The use of an operator in a CAMA office to verbally obtain the calling number of a call originating in an office not equipped with ANI. PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An telephone office serving a private customer, Typically , access to the outside telephone network is provided. Permanent Signal: A sustained off-hook condition without activity (no dialing or ringing or completed connection); such a condition tends to tie up equipment, especially in earlier systems. Usually accidental, but sometimes used intentionally by customers in high-crime-rate areas to thwart off burglars. POTS: Plain Old Telephone Service - Basic service with no extra "frills". ROTL: Remote Office Test Line - A means for remotely testing trunks. RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its services to be provided up to 200 miles from the TSPS site. SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon idle trunks. Supervise: To monitor the status of a call. SxS: (Step-by-Step or Strowger switch) - An electromechanical office type utilizing a gross-motion stepping switch as a combination network and distributed control. Talkoff: The phenomenon of accidental synthesis of a machine-intelligible Page 8 The Official Phreaker's Manual signal by human voice causing an unintended response. "whistling a tone". Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire for intertoll. TSPS: Traffic Service Position System - A system that provides, under stored- program control, efficient operator assistance for toll calls. It does not switch the customer, but provides a bridge connection to the operator. X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" coordinate switch and a multiplicity of central controls (called markers). There are four varieties: No.1 Crossbar: Used in large urban office application; (1938) No 3 Crossbar: A small system started in (1974). No.4A/4M Crossbar: A 4-wire toll machine; (1943). No.5 Crossbar: A machine originally intended for relatively small suburban applications; (1948) Crossbar Tandem: A machine used for interlocal office switching. Page 9 The Official Phreaker's Manual ============================================================ _ _ _______ | \/ | / _____/ |_||_|etal / /hop __________/ / /___________/ (314) 432-0756 Proudly Presents The MCI Telecommunications Glossary Part I Volume I (A - D) Typed by Knight Lightning ============================================================ - A - A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire pairs comprising a 4-wire circuit. ABBREVIATED DIALING: The ability of a telephone user to reach frequently called numbers by using less than seven digits. Synonym: Speed Dialing ACCESS CHARGE: A fee paid for the use of local lines. ACCESS CODE: A digit or number of digits required to be connected to a private line arranged for dial access. ACCESS LINE: A telephone circuit which connects a customer location to a network switching center. AIRLINE MILEAGE: Calculated point-to-point mileage between terminal facilities. ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per minute) rate to indicate all lines or trunks in a routing group are busy. ALTERNATE ROUTE: A secondary communications path used to reach a destination if the primary path is unavailable. ALTERNATE USE: The ability to switch communications facilities from one type of service to another, i.e., voice to data, etc. ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used for either voice or data. AMERICAN STANDARD CODE FOR INFORMATION INTERCHANGE (ASCII): An 8 level code developed for the interchange of information between data processing and communications systems. ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, e.g., voltage which reflects variations in some quantity, e.g., loudness in the human voice. Page 10 The Official Phreaker's Manual ANNUNICATOR: An audible intercept device that states the condition or restrictions associated with circuits or procedures. ANSWER BACK: An electrical and/or visual indication to the calling or sending end that the called or received station is on the line. ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a switched connection when the called party answers. AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying more than 150 geographic areas of the United States and Canada which permits direct distance dialing on the telephone system. A similar global numbering plan has been established for international subscriber dialing. ATTENDANT POSITION: A telephone switchboard operator's position. It provides either automatic (cordless) or manual (plug and jack) operator controls for incoming and/or outgoing telephone calls. ATTENUATION: A general term used to denote the decrease in power between that transmitted and that received due to loss through equipment, lines, or other transmission devices. It is usually expressed as a ration in db (decibel). AUDIBLE RINGING TONE: An audible signal heard by the calling party during the ringing-interval. AUTHORIZATION CODE: An identification number that the caller enters when placing a call which is used for billing purposes. AUTHORIZED USER: A person, firm, organization, corporation or any other entity authorized by the customer to send or receive communications over a specific communications network. AUTO ANSWER: A machine feature that allows a transmission control unit or station to automatically respond to a call that it receives. AUTOMATIC CALL DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a large volume of incoming calls to a group of attendants to the next available "answering" position. AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined set of dialing digits. AUTOMATIC IDENTIFICATION OF OUTWARD DIALING (AIOD): A computer generated report showing all long distance calls placed over AT&T's toll network. AUTOMATIC NUMBER IDENTIFICATION (ANI): Automatic equipment at a local dial office used on customer dialed calls to identify the calling-station. AUTOMATIC ROUTE SELECTION (ARS): Least cost routing via AT&T CENTREX system. - B - Page 11 The Official Phreaker's Manual BAND: (1) The range of frequencies between two defined limits. (2) In reference to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: BANDWIDTH. BANDWIDTH: See BAND. BASEBAND: The total frequency band occupied by the aggregate of all the voice and data signals used to modulate a radio carrier. BAUD: A unit of signaling speed. The speed in baud is the number of discrete conditions conditions or signal elements per second. If each signal event represents only one bit condition, then Baud is the same as bits per second. When each signal event represents other than one bit, Baud does not equal bits per second. BELL OPERATING COMPANY (BOC) /BELL SYSTEMS OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing local service. BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long Lines, Western Electric, and Bell Labs. BILLING NUMBER: The MCI term for the number which identifies a customer on a billing location level, assigned to Network Service Customer (by COMS). Assigned for each unique customer name and billing location. For internal use only. BINARY: A number system that uses only two characters ("0" and "1"). BIT: A binary digit. The smallest unit of coded information. BITS PER SECOND (BPS): The rate at which data transmission is measured. BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to the central offices are in use; or (2) all connecting connecting paths through the PBX/switch are in use. BLOCKED ANI: ANI prohibited from completing a call over the MCI network. BREAK: A means of interrupting transmission, a momentary interruption of a circuit. BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. BUS: A heavy conductor, or group of conductors, to which several units of the same type of equipment may be connected. BUSY: The condition in which facilities over which a call is to be connected are already in use. BUSY HOUR: The time of day when phone lines are most in demand. BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to indicate that the terminal point of a call is already in use. BYTE: A group of binary digits that are processed by a computer as a unit. Page 12 The Official Phreaker's Manual - C - CARRIER: High frequency current that can be modulated with voice or digital signals for bulk transmission via cable or radio circuits. CARRIER SYSTEM: A system for providing several communications channels over a single path. CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output from a computer. CELLULAR MOBILE RADIO: A system providing exchange telephone service to a station located in an auto or other mobile vehicle, using radio circuits to a base radio station which covers a specific geographical area and as the vehicle moves from one area to another, different base radio stations handle the call. CENTRAL OFFICE (CO): A telephone switching center that provides local access to the public network. Sometimes referred to as: Class 5 office, end office, or Local Dial Office. CENTREX, CO: PBX Service provided by a switch located at the telephone company central office. CENTREX, CU: A variation on Centrex CO provided by a telephone company maintained "Central Office" type switch located at the customer's premises. CENTRAL PROCESSING UNIT (CPU): The control unit within a computer which handles all the intelligent functions of the systems. In a telephone switch, directs all potions of the system to carry out their appropriate functions. Synonym: Common Control. CHANNEL: A communication path via a carrier or microwave radio. CHARACTER: Any letter, digit, or special symbol. In data transmission would be represented by a specific code made up of a group of binary digits. CIRCUIT: A path for the transmission of electromagnetic signals to include all conditioning and signaling equipment. Synonym: Facility CIRCUIT SWITCHING: A switching system that completes a dedicated transmission path from sender to receiver at the time of transmission. CLASS OF SERVICE/CLASS MARK (COS): A subgrouping of telephone customers or users for the sake of rate distinction or limitation of service. COAXIAL CABLE: A cable having several coaxial lines under a single protective sheath. Usually used as a high capacity carrier in urban areas between interexchange and toll offices. CODEC: Coder-Decoder. Used to convert analog signals to digital form for transmission over a digital median and back again to the original analog form. COMMON CARRIER: A government regulated private company that provides the general public with telecommunications services and facilities. Page 13 The Official Phreaker's Manual COMMON CHANNEL INTEROFFICE SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated Services Digital Network. It uses a separate data line to route interoffice signals to provide faster call set-up and more efficient use of trunks. COMMON CONTROL SWITCHING ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which common controlled switching machines are used to route traffic over network routes and access lines. The switching machine may be shared with other users and is maintained by the telephone company. COMPUTER PORT/TKI PORT: The interface through which the computer connects to the communications circuit. CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to match transmission levels and impedances and which equalizes transmission and delay to bring circuit losses, levels, and distortion within established standards. CONFIGURATION: The combination of long-distance services and/or equipment that make up a communications system. CONTROL UNIT (CU): The central processor of a telephone switching device. CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on a corporate level. (Not all MCI customers have this). COST COMPONENT: The price of each type of long distance service and/or equipment that constitutes a configuration. COST PER HOUR (CPH): Total cost of different services divided by total holding time (in minutes). CROSS CONNECTION: The wire connections running between terminals on the two sides of a distribution frame, or between binding posts in a terminal. CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit to another circuit. CUSTOMER OWNED AND MAINTAINED (COAM): Customer provided communications apparatus, and their associated wiring. CUSTOMER PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located within the customer's part of a building. CUT: To transfer a service from one facility to another. CUT THROUGH: The establishment of a complete path for signaling and/or audio communications. - D - DATA: Any representation, such as characters to which a meaning is assigned. Page 14 The Official Phreaker's Manual DATA COMMUNICATIONS: The movement of coded information by means of electronic transmission systems. DATA SET: A device which converts data into signals suitable for transmission over communications lines. DATA TERMINAL: A station in a system capable of sending and/or receiving data signals. DECIBEL (db): A unit of measurement represented as a ratio of two voltages, currents or powers and is used to measure transmission loss or gain. DELAY DIAL: A dialing configuration whereby local dial equipment will wait until it receives the entire telephone number before seizing a circuit to transmit the call. DELTA MODULATION (DM): A variant of pulse code modulation whereby a code representing the difference between the amplitude of a sample and t~he amplitude of a previous one is sent. Operates well in the presence of noise, but requires a wide frequency band. DEMODULATION: The process of retrieving data from a modulated signal. DIAL LEVEL: The selection of stations or services associated with a PBX using a one to four digit code (e.g., dialing 9 for access to outside dial tone). DIAL PULSING: The transmitting of telephone address signals by momentarily opening a DC circuit a number of times corresponding to the decimal digit which is dialed. DIAL REPEATING TIE LINE/ DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station calling without use of the attendant. DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is selected by a prearranged dialing code. DIAL TONE: A tone indicating that automatic switching equipment is ready to receive dial signals. DIALING PLAN: A description of the dialing arrangements for customer use on a networks. DIGITAL: Referring to the use of digits to formulate and solve problems, or to encode information. DIMENSION CUSTOM TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station sets which use special buttons to access PBX features. DIRECT DISTANCE DIALING (DDD): A toll service that permits customers to dial their own long distance call without the aid of an operator. DIRECT INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside the system to directly dial a station within the system. Page 15 The Official Phreaker's Manual DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to gain direct access to an exchange network. DROP: That direction of a circuit which looks towards the local operator. DRY CIRCUIT: A circuit which transmits voice signals and carries no direct current. DUAL TONE MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which emits two distinct frequencies for each indicated digit. DUPLEX: Simultaneous two-way independent transmission. DX SIGNALING: A long-range bidirectional signaling method using paths derived from transmission cable pairs. It is based on a balanced and symmetrical circuit that is identical at both ends. This circuit presents an E&M lead interface to connecting circuits. ============================================================ This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for more G-philes from The MCI School of Telecommunications Management Reference Guide coming soon. This has been a 2600 Club production Thanx to Taran King ============================================================ Page 16 The Official Phreaker's Manual $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ _______________________________ $ $ | | $ $ | ELECTRONIC TOLL FRAUD DEVICES | $ $ |_______________________________| $ $ $ $ $ $ TYPED AND UPLOADED BY: $ $ $ $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ $ $ $ $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD DEVICES. (FOR OFFICIAL USE ONLY). THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. *BLUE BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL (LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE DISCUSSED IN MORE DETAIL BELOW. TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY FOR HIS TELEPHONE NUMBER. THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING (AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY Page 17 The Official Phreaker's Manual OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: (A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY SF" BLUE BOX. (B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. (C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A 3 MINUTE CALL. (D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. (E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN LIEU OF A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE MAGNETIC TAPE. ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: (A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. (B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING TO THE CALLED PHONE #. Page 18 The Official Phreaker's Manual (C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED BY A COMBINATION OF 700HZ AND 1100HZ. (D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. *BLACK BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING *TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. *CHEESE BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) *RED BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED WITHOUT THE ACTUAL DEPOSIT OF COINS. Page 19 The Official Phreaker's Manual /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /-/ /-/ /-/ Phreaker's /-/ /-/ PhunHouse /-/ /-/ /-/ /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /-/ By: /-/ /-/ The Traveler /-/ /-/ /-/ /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /-/ /-/ /-/ Call: /-/ /-/ Brainstorm BBS /-/ /-/ 612/345-2815 (300/1200) /-/ /-/ /-/ /-/ Little America /-/ /-/ 507/289-8211 (300) /-/ /-/ /-/ /-/ Tell 'em Traveler sent ya /-/ /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ The long awaited prequil to Phreaker's Guide has finally arrived. Conceived from the boredom and loneliness that could only be derived from: The Traveler! But now, he has returned in full strength (after a small vacation) and is here to 'World Premiere' the new files everywhere. Stay cool. This is the prequil to the first one, so just relax. This is not made to be an exclusive ultra elite file, so kinda calm down and watch in the background if you are too cool for it... /-/ Phreak Dictionary /-/ Here you will find some of the basic but necessary terms that should be known by any phreak who wants to be respected at all... Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways in order to not pay for some sort of telecommunications bill, order, transfer, or other service. It often involves usage of highly illegal boxes and machines in order to defeat the security that is set up to avoid this sort of happening. [fr'eaking]. v. 2. A person who uses the above methods of destruction and chaos in order to make a better life for all. A true phreaker will not not go against his fellows or narc on people who have ragged on him or do anything termed to be dishonorable to phreaks. [fr'eek]. n. 3. A certain code or dialup useful in the action of being a phreak. (Example: "I hacked a new metro phreak last night.") Switching System [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed in the US, and a few other systems will be mentioned as background. A) SxS: This system was invented in 1918 and was employed in over half of the country until 1978. It is a very basic system that is a general waste of energy and hard work on the linesman. A good way to identify this is that it requires a coin in the phone booth before it will give you a dial tone, or that no call waiting, call forwarding, or any other such service is available. Stands for: Step by Step B) XB: This switching system was first employed in 1978 in order to take care of most of the faults of SxS switching. Not only is it more efficient, but it Page 20 The Official Phreaker's Manual also can support different services in various forms. XB1 is Crossbar Version 1. That is very limited and is hard to distinguish from SxS except by direct view of the wiring involved. Next up was XB4, Crossbar Version 4. With this system, some of the basic things like DTMF that were not available with SxS can be accomplished. For the final stroke of XB, XB5 was created. This is a service that can allow DTMF plus most 800 type services (which were not always available...) Stands for: Crossbar. C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to have to stand up to. It is quite simple to identify. Dialing 911 for emergencies, and ANI [see ANI below] are the most common facets of the dread system. ESS has the capability to list in a person's caller log what number was called, how long the call took, and even the status of the conversation (modem or otherwise.) Since ESS has been employed, which has been very recently, it has gone through many kinds of revisions. The latest system to date is ESS 11a, that is employed in Washington D.C. for security reasons. ESS is truly trouble for any phreak, because it is 'smarter' than the other systems. For instance, if on your caller log they saw 50 calls to 1-800-421-9438, they would be able to do a CN/A [see Loopholes below] on your number and determine whether you are subscribed to that service or not. This makes most calls a hazard, because although 800 numbers appear to be free, they are recorded on your caller log and then right before you receive your bill it deletes the billings for them. But before that they are open to inspection, which is one reason why extended use of any code is dangerous under ESS. Some of the boxes [see Boxing below] are unable to function in ESS. It is generally a menace to the true phreak. Stands For: Electronic Switching System. because they could appear on a filter somewhere or maybe it is just nice to know them any ways. A) SSS: Strowger Switching System. First non-operator system available. B) WES: Western Electronics Switching. Used about 40 years ago with some minor places out west. Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or cancel electronical impulses that allow simpler acting while phreaking. Through the use of separate boxes, you can accomplish most feats possible with or without the control of an operator. 2) Some boxes and their functions are listed below. Ones marked with '*' indicate that they are not operatable in ESS. *Black Box: Makes it seem to the phone company that the phone was never picked up. Blue Box: Emits a 2600hz tone that allows you to do such things as stack a trunk line, kick the operator off line, and others. Red Box: Simulates the noise of a quarter, nickel, or dime being dropped into a payphone. Cheese Box: Turns your home phone into a pay phone to throw off traces (a red box is usually needed in order to call out.) *Clear Box: Gives you a dial tone on some of the old SxS payphones without putting in a coin. Beige Box: A simpler produced linesman's handset that allows you to tap into phone lines and extract by eavesdropping, or crossing wires, etc. Purple Box: Makes all calls made out from your house seem to be local calls. ANI [ANI]: 1) Automatic Number Identification. A service available on ESS that allows a phone service [see Dialups below] to record the number that any certain code was dialed from along with the number that was called and print Page 21 The Official Phreaker's Manual both of these on the customer bill. 950 dialups [see Dialups below] are all designed just to use ANI. Some of the services do not have the proper equipment to read the ANI impulses yet, but it is impossible to see which is which without being busted or not busted first. Dialups [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to any service such as MCI, Sprint, or AT&T that from there can be used by handpicking or using a program to reveal other peoples codes which can then be used moderately until they find out about it and you must switch to another code (preferably before they find out about it.) 2) Dialups are extremely common on both senses. Some dialups reveal the company that operates them as soon as you hear the tone. Others are much harder and some you may never be able to identify. A small list of dialups: 1-800-421-9438 (5 digit codes) 1-800-547-6754 (6 digit codes) 1-800-345-0008 (6 digit codes) 1-800-734-3478 (6 digit codes) 1-800-222-2255 (5 digit codes) 3) Codes: Codes are very easily accessed procedures when you call a dialup. They will give you some sort of tone. If the tone does not end in 3 seconds, then punch in the code and immediately following the code, the number you are dialing but strike the '1' in the beginning out first. If the tone does end, then punch in the code when the tone ends. Then, it will give you another tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and the tone stops, then you messed up a little. If you punch in a tone and the tone continues, then simply dial then number you are calling without the '1'. 4) All codes are not universal. The only type that I know of that is truly universal is Metrophone. Almost every major city has a local Metro dialup (for Philadelphia, (215)351-0100/0126) and since the codes are universal, almost every phreak has used them once or twice. They do not employ ANI in any outlets that I know of, so feel free to check through your books and call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use your own code. That way, if they check up on you due to your caller log, they can usually find out that you are subscribed. Not only that but you could set a phreak hacker around that area and just let it hack away, since they usually group them, and, as a bonus, you will have their local dialup. 5) 950's. They seem like a perfectly cool phreakers dream. They are free from your house, from payphones, from everywhere, and they host all of the major long distance companies (950-1044 , 950-1077 , 950-1088 , 950-1033 .) Well, they aren't. They were designed for ANI. That is the point, end of discussion. A phreak dictionary. If you remember all of the things contained on that file up there, you may have a better chance of doing whatever it is you do. This next section is maybe a little more interesting... Blue Box Plans: --------------- These are some blue box plans, but first, be warned, there have been 2600hz tone detectors out on operator trunk lines since XB4. The idea behind it is to use a 2600hz tone for a few very naughty functions that can really make your day lighten up. But first, here are the plans, or the heart of the file: ============================================== 700 : 1 : 2 : 4 : 7 : 11 : 900 : + : 3 : 5 : 8 : 12 : Page 22 The Official Phreaker's Manual 1100 : + : + : 6 : 9 : KP : 1300 : + : + : + : 10 : KP2 : 1500 : + : + : + : + : ST : : 700 : 900 :1100 :1300 :1500 : ============================================== Stop! Before you diehard users start piecing those little tone tidbits together, there is a simpler method. If you have an Apple-Cat with a program like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, the KP tone, the KP2 tone, and the ST tone through the dial section. So if you have that I will assume you can boot it up and it works, and I'll do you the favor of telling you and the other users what to do with the blue box now that you have somehow constructed it. The connection to an operator is one of the most well known and used ways of having fun with your blue box. You simply dial a TSPS (Traffic Service Positioning Station, or the operator you get when you dial '0') and blow a 2600hz tone through the line. Watch out! Do not dial this direct! After you have done that, it is quite simple to have fun with it. Blow a KP tone to start a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have connected to it, here are some fun numbers to call with it: 0-700-456-1000 Teleconference (free, because you are the operator!) (Area code)-101 Toll Switching (Area code)-121 Local Operator (hehe) (Area code)-131 Information (Area code)-141 Rate & Route (Area code)-181 Coin Refund Operator (Area code)-11511 Conference operator (when you dial 800-544-6363) Well, those were the tone matrix controllers for the blue box and some other helpful stuff to help you to start out with. But those are only the functions with the operator. There are other k-fun things you can do with it... More advanced Blue Box Stuff: Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone pair out for up to 1/10 of a second with another 1/10 second for silence between the digits. KP tones should be sent for 2/10 of a second. One way to confuse the 2600hz traps is to send pink noise over the channel (for all of you that have decent BSR equalizers, there is major pink noise in there...) Using the operator functions is the use of the 'inward' trunk line. That is working it from the inside. From the 'outward' trunk, you can do such things as make emergency breakthrough calls, tap into lines, busy all of the lines in any trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a systems you can even re-route calls to anywhere. All right. The one thing that every complete phreak guide should not be without is blue box plans, since they were once a vital part of phreaking. Another thing that every complete file needs is a complete listing of all of the 800 numbers around so you can have some more fun. /-/ 800 Dialup Listings /-/ 1-800-345-0008 (6) 1-800-547-6754 (6) 1-800-245-4890 (4) 1-800-327-9136 (4) 1-800-526-5305 (8) 1-800-858-9000 (3) 1-800-437-9895 (7) 1-800-245-7508 (5) 1-800-343-1844 (4) 1-800-322-1415 (6) 1-800-437-3478 (6) 1-800-325-7222 (6) Page 23 The Official Phreaker's Manual All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That is enough with 800 codes, by the time this gets around to you I dunno what state those codes will be in, but try them all out anyways and see what you get. On some 800 services now, they have an operator who will answer and ask you for your code, and then your name. Some will switch back and forth between voice and tone verification, you can never be quite sure which you will be up against. Armed with this knowledge you should be having a pretty good time phreaking now. But class isn't over yet, there are still a couple important rules that you should know. If you hear continual clicking on the line, then you should assume that an operator is messing with something, maybe even listening in on you. It is a good idea to call someone back when the phone starts doing that. If you were using a code, use a different code and/or service to call him back. A good way to detect if a code has gone bad or not is to listen when the number has been dialed. If the code is bad you will probably hear the phone ringing more clearly and more quickly than if you were using a different code. If someone answers voice to it then you can immediately assume that it is an operative for whatever company you are using. The famed '311311' code for Metro is one of those. You would have to be quite stupid to actually respond, because whoever you ask for the operator will always say 'He's not in right now, can I have him call you back?' and then they will ask for your name and phone number. Some of the more sophisticated companies will actually give you a carrier on a line that is supposed to give you a carrier and then just have garbage flow across the screen like it would with a bad connection. That is a feeble effort to make you think that the code is still working and maybe get you to dial someone's voice... a good test for the carrier trick is to dial a number that will give you a carrier that you have never dialed with that code before, that will allow you to determine whether the code is good or not. For our next section, a lighter look at some of the things that a phreak should not be without. A vocabulary. A few months ago, it was a quite strange world for the modem people out there. But now, a phreaker's vocabulary is essential if you wanna make a good impression on people when you post what you know about certain subjects. /-/ Vocabulary /-/ - Do not misspell except certain exceptions: phone -> fone freak -> phreak - Never substitute 'z's for 's's. (i.e. codez -> codes) - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) - Do not abbreviate. (I got lotsa wares w/ docs) - Never substitute '0' for 'o' (r0dent, l0zer). - Forget about ye old upper case, it looks ruggyish. All right, that was to relieve the tension of what is being drilled into your minds at the moment.. now, however, back to the teaching course. Here are some things you should know about phones and billings for phones, etc. LATA: Local Access Transference Area. Some people who live in large cities or areas may be plagued by this problem. For instance, let's say you live in the 215 area code under the 542 prefix (Ambler, Fort Washington). If you went to dial in a basic Metro code from that area, for instance, 351-0100, that might not be counted under unlimited local calling because it is out of your LATA. For some LATA's, you have to dial a '1' without the area code before you can dial the phone number. That could prove a hassle for us all if you didn't Page 24 The Official Phreaker's Manual realize you would be billed for that sort of call. In that way, sometimes, it is better to be safe than sorry and phreak. The Caller Log: In ESS regions, for every household around, the phone company has something on you called a Caller Log. This shows every single number that you dialed, and things can be arranged so it showed every number that was calling to you. That's one main disadvantage of ESS, it is mostly computerized so a number scan could be done like that quite easily. Using a dialup is an easy way to screw that, and is something worth remembering. Anyways, with the caller log, they check up and see what you dialed. Hmm... you dialed 15 different 800 numbers that month. Soon they find that you are subscribed to none of those companies. But that is not the only thing. Most people would imagine "But wait! 800 numbers don't show up on my phone bill!". To those people, it is a nice thought, but 800 numbers are picked up on the caller log until right before they are sent off to you. So they can check right up on you before they send it away and can note the fact that you fucked up slightly and called one too many 800 lines. Right now, after all of that, you should have a pretty good idea of how to grow up as a good phreak. Follow these guidelines, don't show off, and don't take unnecessary risks when phreaking or hacking. File Level:5 /-/ Credits /-/ To The Videosmith- for setting me straight on some shit. To The Linesman- for telling me to upload it to his AE line. To Modern Mutant- for making me into a phreaking freak. To Jack the Nibbler- for the basis of the blue box plans. By using your new k-koool (hehe) phreaking knowledge, call a couple of these BBS's around the country: /---------------------------------\ | Bulletin Board List | | --------------------- | | 215/844-8836 | | 7 Cities of Gold (3/12) 10megs | | 307/382-4006 | | Brainstorm BBS (3/12) | | 612/345-2815 | | Metal Shop (3/12) | | 314/432-0756 | \---------------------------------/ Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be a nice BBS that Ace of Spades and I will run. You will be the first to find out about it, trust me... Later, The Traveler Zer0-g Page 25 The Official Phreaker's Manual ************ << BIOC AGENT 003'S COURSE IN >> ************ * * * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * * %$ BASIC TELECOMMUNICATIONS $% * * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * * PART I * * * ********************************************************** HOW TO BE A REAL PHREAK <><><><><><><><><><><><><><><><><><><><><><><><><><><><><> IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS ACTIVITIES." THE PHONE PHREAK'S TEN COMMANDMENTS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY 10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD YOU ABOUT IT.) I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO USE THINE OWN SELF AS A SACRIFICIAL LAMB. V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG FOR THIS WORLD. VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS NOTICEABLE THOU ART, THE BETTER. Page 26 The Official Phreaker's Manual IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK WILL BE FAR MORE LIMITED. CN/A NUMBERS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: "HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE CUSTOMERS NAME AT (123) 555-1212." THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & 914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE IT!!!!!!! AT&T NEWSLINES <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. HERE ARE A FEW OF THE NUMBERS: *(201) 483-3800 NJ (518) 471-2272 NY (203) 771-4920 CN (717) 255-5555 PA (212) 393-2151 NY (717) 787-1031 PA (516) 234-9941 NY *(914) 948-8100 NY SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. * THESE NUMBERS ARE NOT ALWAYS UP! NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. ANI NUMBERS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL 1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF Page 27 The Official Phreaker's Manual ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. PHREAK NEWSLETTER <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS $1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL (ARTICLES), MONEY, AND VOLUNTEERS. TAP ROOM 603 147 WEST 42ND STREET NEW YORK, NY 10036 BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... BLACK BOX <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO CALL. YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE FREE. WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE Page 28 The Official Phreaker's Manual FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND SWITCH TO FREE. WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! _____________________________________ | | ---BLUE WIRE-->>F< | | | | | --WHITE WIRE---/ | | | | | | RESISTOR | | | | | | | | >RR<-------SWITCH--\ | | | | ----GREEN WIRE--------------------/ | | | |_____________________________________| DIAL LOCKS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE KNOWLEDGE! THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES ADVANTAGE OF TELEPHONE ELECTRONICS. TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) >>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL 634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR MORE THAN A SECOND OR IT'LL HANG-UP! FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE ASSHOLE WHO PUT THE LOCK ON IT! EXCHANGE SCANNING <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR EXCHANGE AND YOU MAY BECOME LUCKY! HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: Page 29 The Official Phreaker's Manual 9900 - ANI (SEE SEPARATE BULLETIN) 9901 - ANI (SEE SEPARATE BULLETIN) 9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) 9936 - VOICE # TO THE TELCO CENTRAL OFFICE 9937 - VOICE # TO THE TELCO CENTRAL OFFICE 9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) 9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES 9961 - NO RESPONSE (OTHER END OF LOOP?) 9962 - NO RESPONSE (OTHER END OF LOOP?) 9963 - NO RESPONSE (OTHER END OF LOOP?) 9966 - COMPUTER (SEE 9941) 9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, PLEASE?" OPERATOR. HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! TOUCH-TONE & FREE CALLS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY PHONE. THEY ARE: 1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) 521-8400. AS OF WRITING THIS, A CODE WAS 00717865. A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) 2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. (NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE CASE.) SUCH AS RADIO SHACK'S 43-138. OTHER ALTERNATIVES <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). 5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. Page 30 The Official Phreaker's Manual Chapter 2 Well now we know a little vocabulary, and now its into history, Phreak history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, who was extremely interested in the telephone. Before entering MIT, he had built autodialers, cheese boxes, and many more gadgets. But when he came to MIT he became even more interested in "fone-hacking" as they called it. After a little while he naturally started using the PDP-1, the schools computer at that time, and from there he decided that it would be interesting to see whether the computer could generate the frequencies required for blue boxing. The hackers at MIT were not interested in ripping off Ma Bell, but just exploring the telephone network. Stew (as he was called) wrote a program to generate all the tones and set off into the vast network. Now there were more people phreaking than the ones at MIT. Most people have heard of Captain Crunch (No not the cereal), he also discovered how to take rides through the fone system, with the aid of a small whistle found in a cereal box (can we guess which one?). By blowing this whistle, he generated the magical 2600hz and into the mouthpiece it sailed, giving him complete control over the system. I have heard rumors that at one time he made about 1/4 of the calls coming out of San Francisco. He got famous fast. He made the cover of people magazine and was interviewed several times (as you'll soon see). Well he finally got caught after a long adventurous career. After he was caught he was put in jail and was beaten up quite badly because he would not teach other inmates how to box calls. After getting out, he joined Apple computer and is still out there somewhere. Then there was Joe the Whistler, blind form the day he was born. He could whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune their boxes. Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly done by college students, businessmen and anyone who knew enough about electronics and the fone company to make a 555 Ic to generate those magic tones. Businessmen and a few college students mainly just blue box to get free calls. The others were still there, exploring 800#'s and the new ESS systems. ESS posed a big problem for phreaks then and even a bigger one now. ESS was not widespread, but where it was, blue boxing was next to impossible except for the most experienced phreak. Today ESS is installed in almost all major cities and blue boxing is getting harder and harder. 1978 marked a change in phreaking, the Apple ][, now a computer that was affordable, could be programmed, and could save all that precious work on a cassette. Then just a short while later came the Apple Cat modem. With this modem, generating all blue box tones was easy as writing a program to count form one to ten (a little exaggerated). Pretty soon programs that could imitate an operator just as good as the real thing were hitting the community, TSPS and Cat's Meow, are the standard now and are the best. 1982-1986: LD services were starting to appear in mass numbers. People now had programs to hack LD services, telephone exchanges, and even passwords. By now many phreaks were getting extremely good and BBS's started to spring up everywhere, each having many documentations on phreaking for the novice. Then it happened, the movie War Games was released and mass numbers of sixth grade to all ages flocked to see it. The problem wasn't that the movie was bad, it was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such mass numbers, that bulletin boards started to be busy 24 hours a day. To this day, they still have not recovered. Other problems started to occur, novices guessed easy passwords on large government computers and started to play around... Well it wasn't long before they were caught, I think that many people remember the 414-hackers. They were so stupid as to say "yes" when the computer asked them whether they'd like to play games. Well at least it takes the heat off the real phreaks/hacker/krackers. Page 31 The Official Phreaker's Manual After a little history, how about a little thrill? I don't know if this story is true but it sure is as bad as shit! Page 32 The Official Phreaker's Manual ***** The AAG Proudly Presents The AAG Proudly Presents ***** * * * +----------------------------------------------+ * * * * Secrets of the Little Blue Box * * * * by Ron Rosenbaum * * Typed by One Farad Cap/AAG * * * * -A story so incredible it may even make you * * feel sorry for the phone company- * * * * (First of four files) * * * * +----------------------------------------------+ * * * ***** The AAG Proudly Presents The AAG Proudly Presents ***** Dudes... These four files contain the story, "Secrets of the Little Blue Box", by Ron Rosenbaum. -A story so incredible it may even make you feel sorry for the phone company- Printed in the October 1971 issue of Esquire Magazine. If you happen to be in a library and come across a collection of Esquire magazines, the October 1971 issue is the first issue printed in the smaller format. The story begins on page 116 with a picture of a blue box. --One Farad Cap, Atlantic Anarchist Guild The Blue Box Is Introduced: Its Qualities Are Remarked I am in the expensively furnished living room of Al Gilbertson (His real name has been changed.), the creator of the "blue box." Gilbertson is holding one of his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, pointing out the thirteen little red push buttons sticking up from the console. He is dancing his fingers over the buttons, tapping out discordant beeping electronic jingles. He is trying to explain to me how his little blue box does nothing less than place the entire telephone system of the world, satellites, cables and all, at the service of the blue-box operator, free of charge. "That's what it does. Essentially it gives you the power of a super operator. You seize a tandem with this top button," he presses the top button with his index finger and the blue box emits a high-pitched cheep, "and like that" -- cheep goes the blue box again -- "you control the phone company's long-distance switching systems from your cute little Princes phone or any old pay phone. And you've got anonymity. An operator has to operate from a definite location: the phone company knows where she is and what she's doing. But with your beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) number, they don't know where you are, or where you're coming from, they don't know how you slipped into their lines and popped up in that 800 number. They don't even know anything illegal is going on. And you can obscure your origins through as many levels as you like. You can call next door by way of White Plains, then over to Liverpool by cable, and then back here by satellite. You can call yourself from one pay phone all the way around the world to a pay phone next to you. And you get your dime back too." "And they can't trace the calls? They can't charge you?" Page 33 The Official Phreaker's Manual "Not if you do it the right way. But you'll find that the free-call thing isn't really as exciting at first as the feeling of power you get from having one of these babies in your hand. I've watched people when they first get hold of one of these things and start using it, and discover they can make connections, set up crisscross and zigzag switching patterns back and forth across the world. They hardly talk to the people they finally reach. They say hello and start thinking of what kind of call to make next. They go a little crazy." He looks down at the neat little package in his palm. His fingers are still dancing, tapping out beeper patterns. "I think it's something to do with how small my models are. There are lots of blue boxes around, but mine are the smallest and most sophisticated electronically. I wish I could show you the prototype we made for our big syndicate order." He sighs. "We had this order for a thousand beeper boxes from a syndicate front man in Las Vegas. They use them to place bets coast to coast, keep lines open for hours, all of which can get expensive if you have to pay. The deal was a thousand blue boxes for $300 apiece. Before then we retailed them for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a manufacturing deal worked out in the Philippines. Everything ready to go. Anyway, the model I had ready for limited mass production was small enough to fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, rather than these unsightly buttons, sticking out. Looked just like a tiny portable radio. In fact, I had designed it with a tiny transistor receiver to get one AM channel, so in case the law became suspicious the owner could switch on the radio part, start snapping his fingers, and no one could tell anything illegal was going on. I thought of everything for this model -- I had it lined with a band of thermite which could be ignited by radio signal from a tiny button transmitter on your belt, so it could be burned to ashes instantly in case of a bust. It was beautiful. A beautiful little machine. You should have seen the faces on these syndicate guys when they came back after trying it out. They'd hold it in their palm like they never wanted to let it go, and they'd say, 'I can't believe it. I can't believe it.' You probably won't believe it until you try it." The Blue Box Is Tested: Certain Connections Are Made About eleven o'clock two nights later Fraser Lucey has a blue box in the palm of his left hand and a phone in the palm of his right. He is standing inside a phone booth next to an isolated shut-down motel off Highway 1. I am standing outside the phone booth. Fraser likes to show off his blue box for people. Until a few weeks ago when Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring his blue box (This particular blue box, like most blue boxes, is not blue. Blue boxes have come to be called "blue boxes" either because 1) The first blue box ever confiscated by phone-company security men happened to be blue, or 2) To distinguish them from "black boxes." Black boxes are devices, usually a resistor in series, which, when attached to home phones, allow all incoming calls to be made without charge to one's caller.) to parties. It never failed: a few cheeps from his device and Fraser became the center of attention at the very hippest of gatherings, playing phone tricks and doing request numbers for hours. He began to take orders for his manufacturer in Mexico. He became a dealer. Fraser is cautious now about where he shows off his blue box. But he never Page 34 The Official Phreaker's Manual gets tired of playing with it. "It's like the first time every time," he tells me. Fraser puts a dime in the slot. He listens for a tone and holds the receiver up to my ear. I hear the tone. Fraser begins describing, with a certain practiced air, what he does while he does it. "I'm dialing an 800 number now. Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, you hear it? Now watch." He places the blue box over the mouthpiece of the phone so that the one silver and twelve black push buttons are facing up toward me. He presses the silver button -- the one at the top -- and I hear that high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. "Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. The line gives a slight hiccough, there is a sharp buzz, and then nothing but soft white noise. "We're home free now," Lucey tells me, taking back the phone and applying the blue box to its mouthpiece once again. "We're up on a tandem, into a long-lines trunk. Once you're up on a tandem, you can send yourself anywhere you want to go." He decides to check out London first. He chooses a certain pay phone located in Waterloo Station. This particular pay phone is popular with the phone-phreaks network because there are usually people walking by at all hours who will pick it up and talk for a while. He presses the lower left-hand corner button which is marked "KP" on the face of the box. "That's Key Pulse. It tells the tandem we're ready to give it instructions. First I'll punch out KP 182 START, which will slide us into the overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll head over to England by satellite. Cable is actually faster and the connection is somewhat better, but I like going by satellite. So I just punch out KP Zero 44. The Zero is supposed to guarantee a satellite connection and 44 is the country code for England. Okay... we're there. In Liverpool actually. Now all I have to do is punch out the London area code which is 1, and dial up the pay phone. Here, listen, I've got a ring now." I hear the soft quick purr-purr of a London ring. Then someone picks up the phone. "Hello," says the London voice. "Hello. Who's this?" Fraser asks. "Hello. There's actually nobody here. I just picked this up while I was passing by. This is a public phone. There's no one here to answer actually." "Hello. Don't hang up. I'm calling from the United States." "Oh. What is the purpose of the call? This is a public phone you know." "Oh. You know. To check out, uh, to find out what's going on in London. How is it there?" "Its five o'clock in the morning. It's raining now." "Oh. Who are you?" The London passerby turns out to be an R.A.F. enlistee on his way back to the base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. Page 35 The Official Phreaker's Manual He and Fraser talk about the rain. They agree that it's nicer when it's not raining. They say good-bye and Fraser hangs up. His dime returns with a nice clink. "Isn't that far out," he says grinning at me. "London, like that." Fraser squeezes the little blue box affectionately in his palm. "I told ya this thing is for real. Listen, if you don't mind I'm gonna try this girl I know in Paris. I usually give her a call around this time. It freaks her out. This time I'll use the ------ (a different rent-a-car company) 800 number and we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking to at this time?" A state police car cruises slowly by the motel. The car does not stop, but Fraser gets nervous. We hop back into his car and drive ten miles in the opposite direction until we reach a Texaco station locked up for the night. We pull up to a phone booth by the tire pump. Fraser dashes inside and tries the Paris number. It is busy again. "I don't understand who she could be talking to. The circuits may be busy. It's too bad I haven't learned how to tap into lines overseas with this thing yet." Fraser begins to phreak around, as the phone phreaks say. He dials a leading nationwide charge card's 800 number and punches out the tones that bring him the time recording in Sydney, Australia. He beeps up the weather recording in Rome, in Italian of course. He calls a friend in Boston and talks about a certain over-the-counter stock they are into heavily. He finds the Paris number busy again. He calls up "Dial a Disc" in London, and we listen to Double Barrel by David and Ansil Collins, the number-one hit of the week in London. He calls up a dealer of another sort and talks in code. He calls up Joe Engressia, the original blind phone-phreak genius, and pays his respects. There are other calls. Finally Fraser gets through to his young lady in Paris. They both agree the circuits must have been busy, and criticize the Paris telephone system. At two-thirty in the morning Fraser hangs up, pockets his dime, and drives off, steering with one hand, holding what he calls his "lovely little blue box" in the other. You Can Call Long Distance For Less Than You Think "You see, a few years ago the phone company made one big mistake," Gilbertson explains two days later in his apartment. "They were careless enough to let some technical journal publish the actual frequencies used to create all their multi-frequency tones. Just a theoretical article some Bell Telephone Laboratories engineer was doing about switching theory, and he listed the tones in passing. At ----- (a well-known technical school) I had been fooling around with phones for several years before I came across a copy of the journal in the engineering library. I ran back to the lab and it took maybe twelve hours from the time I saw that article to put together the first working blue box. It was bigger and clumsier than this little baby, but it worked." It's all there on public record in that technical journal written mainly by Bell Lab people for other telephone engineers. Or at least it was public. "Just try and get a copy of that issue at some engineering-school library now. Bell has had them all red-tagged and withdrawn from circulation," Gilbertson Page 36 The Official Phreaker's Manual tells me. "But it's too late. It's all public now. And once they became public the technology needed to create your own beeper device is within the range of any twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he can do it in less than the twelve hours it took us. Blind kids do it all the time. They can't build anything as precise and compact as my beeper box, but theirs can do anything mine can do." "How?" "Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to operate its entire long-distance switching system on twelve electronically generated combinations of twelve master tones. Those are the tones you sometimes hear in the background after you've dialed a long-distance number. They decided to use some very simple tones -- the tone for each number is just two fixed single-frequency tones played simultaneously to create a certain beat frequency. Like 1300 cycles per second and 900 cycles per second played together give you the tone for digit 5. Now, what some of these phone phreaks have done is get themselves access to an electric organ. Any cheap family home-entertainment organ. Since the frequencies are public knowledge now -- one blind phone phreak has even had them recorded in one of the talking books for the blind -- they just have to find the musical notes on the organ which correspond to the phone tones. Then they tape them. For instance, to get Ma Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and 700 cycles per second) at the same time. To produce the tone for 2 it's F~5 and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of notes so there's no trial and error anymore." He shows me a list of the rest of the phone numbers and the two electric organ keys that produce them. "Actually, you have to record these notes at 3 3/4 inches-per-second tape speed and double it to 7 1/2 inches-per-second when you play them back, to get the proper tones," he adds. "So once you have all the tones recorded, how do you plug them into the phone system?" "Well, they take their organ and their cassette recorder, and start banging out entire phone numbers in tones on the organ, including country codes, routing instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone in the phone-phreak network sends them a cassette with all the tones recorded, with a voice saying 'Number one,' then you have the tone, 'Number two,' then the tone and so on. So with two cassette recorders they can put together a series of phone numbers by switching back and forth from number to number. Any idiot in the country with a cheap cassette recorder can make all the free calls he wants." "You mean you just hold the cassette recorder up the mouthpiece and switch in a series of beeps you've recorded? The phone thinks that anything that makes these tones must be its own equipment?" "Right. As long as you get the frequency within thirty cycles per second of the phone company's tones, the phone equipment thinks it hears its own voice talking to it. The original granddaddy phone phreak was this blind kid with perfect pitch, Joe Engressia, who used to whistle into the phone. An operator could tell the difference between his whistle and the phone company's Page 37 The Official Phreaker's Manual electronic tone generator, but the phone company's switching circuit can't tell them apart. The bigger the phone company gets and the further away from human operators it gets, the more vulnerable it becomes to all sorts of phone phreaking." A Guide for the Perplexed "But wait a minute," I stop Gilbertson. "If everything you do sounds like phone-company equipment, why doesn't the phone company charge you for the call the way it charges its own equipment?" "Okay. That's where the 2600-cycle tone comes in. I better start from the beginning." The beginning he describes for me is a vision of the phone system of the continent as thousands of webs, of long-line trunks radiating from each of the hundreds of toll switching offices to the other toll switching offices. Each toll switching office is a hive compacted of thousands of long-distance tandems constantly whistling and beeping to tandems in far-off toll switching offices. The tandem is the key to the whole system. Each tandem is a line with some relays with the capability of signalling any other tandem in any other toll switching office on the continent, either directly one-to-one or by programming a roundabout route through several other tandems if all the direct routes are busy. For instance, if you want to call from New York to Los Angeles and traffic is heavy on all direct trunks between the two cities, your tandem in New York is programmed to try the next best route, which may send you down to a tandem in New Orleans, then up to San Francisco, or down to a New Orleans tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up to Los Angeles. When a tandem is not being used, when it's sitting there waiting for someone to make a long-distance call, it whistles. One side of the tandem, the side "facing" your home phone, whistles at 2600 cycles per second toward all the home phones serviced by the exchange, telling them it is at their service, should they be interested in making a long-distance call. The other side of the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, telling the rest of the phone system that it is neither sending nor receiving a call through that trunk at the moment, that it has no use for that trunk at the moment. "When you dial a long-distance number the first thing that happens is that you are hooked into a tandem. A register comes up to the side of the tandem facing away from you and presents that side with the number you dialed. This sending side of the tandem stops whistling 2600 into its trunk line. When a tandem stops the 2600 tone it has been sending through a trunk, the trunk is said to be "seized," and is now ready to carry the number you have dialed -- converted into multi-frequency beep tones -- to a tandem in the area code and central office you want. Now when a blue-box operator wants to make a call from New Orleans to New York he starts by dialing the 800 number of a company which might happen to have its headquarters in Los Angeles. The sending side of the New Orleans tandem stops sending 2600 out over the trunk to the central office in Los Angeles, thereby seizing the trunk. Your New Orleans tandem begins sending beep tones to a tandem it has discovered idly whistling 2600 cycles in Los Angeles. The receiving end of that L.A. tandem is seized, stops whistling 2600, listens to the beep tones which tell it which L.A. phone to ring, and starts ringing the Page 38 The Official Phreaker's Manual 800 number. Meanwhile a mark made in the New Orleans office accounting tape notes that a call from your New Orleans phone to the 800 number in L.A. has been initiated and gives the call a code number. Everything is routine so far. But then the phone phreak presses his blue box to the mouthpiece and pushes the 2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. tandem. The L.A. tandem notices 2600 cycles are coming over the line again and assumes that New Orleans has hung up because the trunk is whistling as if idle. The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as the phreak takes his finger off the 2600 button, the L.A. tandem assumes the trunk is once again being used because the 2600 is gone, so it listens for a new series of digit tones - to find out where it must send the call. Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. which is waiting like an obedient genie to be told what to do next. The blue-box owner then beeps out the ten digits of the New York number which tell the L.A. tandem to relay a call to New York City. Which it promptly does. As soon as your party picks up the phone in New York, the side of the New Orleans tandem facing you stops sending 2600 cycles to you and stars carrying his voice to you by way of the L.A. tandem. A notation is made on the accounting tape that the connection has been made on the 800 call which had been initiated and noted earlier. When you stop talking to New York a notation is made that the 800 call has ended. At three the next morning, when the phone company's accounting computer starts reading back over the master accounting tape for the past day, it records that a call of a certain length of time was made from your New Orleans home to an L.A. 800 number and, of course, the accounting computer has been trained to ignore those toll-free 800 calls when compiling your monthly bill. "All they can prove is that you made an 800 toll-free call," Gilbertson the inventor concludes. "Of course, if you're foolish enough to talk for two hours on an 800 call, and they've installed one of their special anti-fraud computer programs to watch out for such things, they may spot you and ask why you took two hours talking to Army Recruiting's 800 number when you're 4-F. But if you do it from a pay phone, they may discover something peculiar the next day -- if they've got a blue-box hunting program in their computer -- but you'll be a long time gone from the pay phone by then. Using a pay phone is almost guaranteed safe." "What about the recent series of blue-box arrests all across the country -- New York, Cleveland, and so on?" I asked. "How were they caught so easily?" "From what I can tell, they made one big mistake: they were seizing trunks using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to detect because when you send multi-frequency beep tones of 555 you get a charge for it on your tape and the accounting computer knows there's something wrong when it tries to bill you for a two-hour call to Akron, Ohio, information, and it drops a trouble card which goes right into the hands of the security agent if they're looking for blue-box user. "Whoever sold those guys their blue boxes didn't tell them how to use them properly, which is fairly irresponsible. And they were fairly stupid to use them at home all the time. "But what those arrests really mean is than an awful lot of blue boxes are flooding into the country and that people are finding them so easy to make that Page 39 The Official Phreaker's Manual they know how to make them before they know how to use them. Ma Bell is in trouble." And if a blue-box operator or a cassette-recorder phone phreak sticks to pay phones and 800 numbers, the phone company can't stop them? "Not unless they change their entire nationwide long-lines technology, which will take them a few billion dollars and twenty years. Right now they can't do a thing. They're screwed." +-- End first file of four --+ Page 40 The Official Phreaker's Manual ***** The AAG Proudly Presents The AAG Proudly Presents ***** * * * +----------------------------------------------+ * * * * Secrets of the Little Blue Box * * * * by Ron Rosenbaum * * Typed by One Farad Cap/AAG * * * * -A story so incredible it may even make you * * feel sorry for the phone company- * * * * (Second of four files) * * * * +----------------------------------------------+ * * * ***** The AAG Proudly Presents The AAG Proudly Presents ***** Captain Crunch Demonstrates His Famous Unit There is an underground telephone network in this country. Gilbertson discovered it the very day news of his activities hit the papers. That evening his phone began ringing. Phone phreaks from Seattle, from Florida, from New York, from San Jose, and from Los Angeles began calling him and telling him about the phone-phreak network. He'd get a call from a phone phreak who'd say nothing but, "Hang up and call this number." When he dialed the number he'd find himself tied into a conference of a dozen phone phreaks arranged through a quirky switching station in British Columbia. They identified themselves as phone phreaks, they demonstrated their homemade blue boxes which they called "M-Fers" (for "multi-frequency," among other things) for him, they talked shop about phone-phreak devices. They let him in on their secrets on the theory that if the phone company was after him he must be trustworthy. And, Gilbertson recalls, they stunned him with their technical sophistication. I ask him how to get in touch with the phone-phreak network. He digs around through a file of old schematics and comes up with about a dozen numbers in three widely separated area codes. "Those are the centers," he tells me. Alongside some of the numbers he writes in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson (also a code word for a free call), Marty Freeman (code word for M-F device), Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks alongside the names of those among these top twelve who are blind. There are five checks. I ask him who this Captain Crunch person is. "Oh. The Captain. He's probably the most legendary phone phreak. He calls himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." (Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch set. Somehow a phone phreak discovered that the toy whistle just happened to produce a perfect 2600-cycle tone. When the man who calls himself Captain Crunch was transferred overseas to England with his Air Force unit, he would receive scores of calls from his friends and "mute" them -- make them free of charge to them -- by blowing his Cap'n Crunch whistle into his end.) Page 41 The Official Phreaker's Manual "Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's an engineer who once got in a little trouble for fooling around with the phone, but he can't stop. Well, they guy drives across country in a Volkswagen van with an entire switchboard and a computerized super-sophisticated M-F-er in the back. He'll pull up to a phone booth on a lonely highway somewhere, snake a cable out of his bus, hook it onto the phone and sit for hours, days sometimes, sending calls zipping back and forth across the country, all over the world...." Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked for G---- T-----, his real name, or at least the name he uses when he's not dashing into a phone booth beeping out M-F tones faster than a speeding bullet and zipping phantomlike through the phone company's long-distance lines. When G---- T----- answered the phone and I told him I was preparing a story for Esquire about phone phreaks, he became very indignant. "I don't do that. I don't do that anymore at all. And if I do it, I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer." A tone of tightly restrained excitement enters the Captain's voice when he starts talking about systems. He begins to pronounce each syllable with the hushed deliberation of an obscene caller. "Ma Bell is a system I want to explore. It's a beautiful system, you know, but Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, but she screwed up. I learned how she screwed up from a couple of blind kids who wanted me to build a device. A certain device. They said it could make free calls. I wasn't interested in free calls. But when these blind kids told me I could make calls into a computer, my eyes lit up. I wanted to learn about computers. I wanted to learn about Ma Bell's computers. So I build the little device, but I built it wrong and Ma Bell found out. Ma Bell can detect things like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. Except for learning purposes." He pauses. "So you want to write an article. Are you paying for this call? Hang up and call this number." He gives me a number in a area code a thousand miles away of his own. I dial the number. "Hello again. This is Captain Crunch. You are speaking to me on a toll-free loop-around in Portland, Oregon. Do you know what a toll-free loop around is? I'll tell you. He explains to me that almost every exchange in the country has open test numbers which allow other exchanges to test their connections with it. Most of these numbers occur in consecutive pairs, such as 302 956-0041 and 302 956-0042. Well, certain phone phreaks discovered that if two people from anywhere in the country dial the two consecutive numbers they can talk together just as if one had called the other's number, with no charge to either of them, of course. "Now our voice is looping around in a 4A switching machine up there in Canada, zipping back down to me," the Captain tells me. "My voice is looping around up there and back down to you. And it can't ever cost anyone money. The phone phreaks and I have compiled a list of many many of these numbers. You would be surprised if you saw the list. I could show it to you. But I won't. I'm out Page 42 The Official Phreaker's Manual of that now. I'm not out to screw Ma Bell. I know better. If I do anything it's for the pure knowledge of the System. You can learn to do fantastic things. Have you ever heard eight tandems stacked up? Do you know the sound of tandems stacking and unstacking? Give me your phone number. Okay. Hang up now and wait a minute." Slightly less than a minute later the phone rang and the Captain was on the line, his voice sounding far more excited, almost aroused. "I wanted to show you what it's like to stack up tandems. To stack up tandems." (Whenever the Captain says "stack up" it sounds as if he is licking his lips.) "How do you like the connection you're on now?" the Captain asks me. "It's a raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going to show you what it's like to stack up. Blow off. Land in a far away place. To stack that tandem up, whip back and forth across the country a few times, then shoot on up to Moscow. "Listen," Captain Crunch continues. "Listen. I've got line tie on my switchboard here, and I'm gonna let you hear me stack and unstack tandems. Listen to this. It's gonna blow your mind." First I hear a super rapid-fire pulsing of the flutelike phone tones, then a pause, then another popping burst of tones, then another, then another. Each burst is followed by a beep-kachink sound. "We have now stacked up four tandems," said Captain Crunch, sounding somewhat remote. "That's four tandems stacked up. Do you know what that means? That means I'm whipping back and forth, back and forth twice, across the country, before coming to you. I've been known to stack up twenty tandems at a time. Now, just like I said, I'm going to shoot up to Moscow." There is a new, longer series of beeper pulses over the line, a brief silence, then a ring. "Hello," answers a far-off voice. "Hello. Is this the American Embassy Moscow?" "Yes, sir. Who is this calling?" says the voice. "Yes. This is test board here in New York. We're calling to check out the circuits, see what kind of lines you've got. Everything okay there in Moscow?" "Okay?" "Well, yes, how are things there?" "Oh. Well, everything okay, I guess." "Okay. Thank you." They hang up, leaving a confused series of beep-kachink sounds hanging in mid-ether in the wake of the call before dissolving away. The Captain is pleased. "You believe me now, don't you? Do you know what I'd Page 43 The Official Phreaker's Manual like to do? I'd just like to call up your editor at Esquire and show him just what it sounds like to stack and unstack tandems. I'll give him a show that will blow his mind. What's his number? I ask the Captain what kind of device he was using to accomplish all his feats. The Captain is pleased at the question. "You could tell it was special, couldn't you?" Ten pulses per second. That's faster than the phone company's equipment. Believe me, this unit is the most famous unit in the country. There is no other unit like it. Believe me." "Yes, I've heard about it. Some other phone phreaks have told me about it." "They have been referring to my, ahem, unit? What is it they said? Just out of curiosity, did they tell you it was a highly sophisticated computer-operated unit, with acoustical coupling for receiving outputs and a switch-board with multiple-line-tie capability? Did they tell you that the frequency tolerance is guaranteed to be not more than .05 percent? The amplitude tolerance less than .01 decibel? Those pulses you heard were perfect. They just come faster than the phone company. Those were high-precision op-amps. Op-amps are instrumentation amplifiers designed for ultra-stable amplification, super-low distortion and accurate frequency response. Did they tell you it can operate in temperatures from -55 degrees C to +125 degrees C?" I admit that they did not tell me all that. "I built it myself," the Captain goes on. "If you were to go out and buy the components from an industrial wholesaler it would cost you at least $1500. I once worked for a semiconductor company and all this didn't cost me a cent. Do you know what I mean? Did they tell you about how I put a call completely around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who connected me to India, India connected me to Greece, Greece connected me to Pretoria, South Africa, South Africa connected me to South America, I went from South America to London, I had a London operator connect me to a New York operator, I had New York connect me to a California operator who rang the phone next to me. Needless to say I had to shout to hear myself. But the echo was far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear myself talk to myself." "You mean you were speaking into the mouthpiece of one phone sending your voice around the world into your ear through a phone on the other side of your head?" I asked the Captain. I had a vision of something vaguely autoerotic going on, in a complex electronic way. "That's right," said the Captain. "I've also sent my voice around the world one way, going east on one phone, and going west on the other, going through cable one way, satellite the other, coming back together at the same time, ringing the two phones simultaneously and picking them up and whipping my voice both ways around the world back to me. Wow. That was a mind blower." "You mean you sit there with both phones on your ear and talk to yourself around the world," I said incredulously. "Yeah. Um hum. That's what I do. I connect the phone together and sit there and talk." "What do you say? What do you say to yourself when you're connected?" Page 44 The Official Phreaker's Manual "Oh, you know. Hello test one two three," he says in a low-pitched voice. "Hello test one two three," he replied to himself in a high-pitched voice. "Hello test one two three," he repeats again, low-pitched. "Hello test one two three," he replies, high-pitched. "I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and breaks into laughter. Why Captain Crunch Hardly Ever Taps Phones Anymore Using internal phone-company codes, phone phreaks have learned a simple method for tapping phones. Phone-company operators have in front of them a board that holds verification jacks. It allows them to plug into conversations in case of emergency, to listen in to a line to determine if the line is busy or the circuits are busy. Phone phreaks have learned to beep out the codes which lead them to a verification operator, tell the verification operator they are switchmen from some other area code testing out verification trunks. Once the operator hooks them into the verification trunk, they disappear into the board for all practical purposes, slip unnoticed into any one of the 10,000 to 100,000 numbers in that central office without the verification operator knowing what they're doing, and of course without the two parties to the connection knowing there is a phantom listener present on their line. Toward the end of my hour-long first conversation with him, I asked the Captain if he ever tapped phones. "Oh no. I don't do that. I don't think it's right," he told me firmly. "I have the power to do it but I don't... Well one time, just one time, I have to admit that I did. There was this girl, Linda, and I wanted to find out... you know. I tried to call her up for a date. I had a date with her the last weekend and I thought she liked me. I called her up, man, and her line was busy, and I kept calling and it was still busy. Well, I had just learned about this system of jumping into lines and I said to myself, 'Hmmm. Why not just see if it works. It'll surprise her if all of a sudden I should pop up on her line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed into the line. My M-F-er is powerful enough when patched directly into the mouthpiece to trigger a verification trunk without using an operator the way the other phone phreaks have to. "I slipped into the line and there she was talking to another boyfriend. Making sweet talk to him. I didn't make a sound because I was so disgusted. So I waited there for her to hang up, listening to her making sweet talk to the other guy. You know. So as soon as she hung up I instantly M-F-ed her up and all I said was, 'Linda, we're through.' And I hung up. And it blew her head off. She couldn't figure out what the hell happened. "But that was the only time. I did it thinking I would surprise her, impress her. Those were all my intentions were, and well, it really kind of hurt me pretty badly, and... and ever since then I don't go into verification trunks." Moments later my first conversation with the Captain comes to a close. "Listen," he says, his spirits somewhat cheered, "listen. What you are going to hear when I hang up is the sound of tandems unstacking. Layer after layer of tandems unstacking until there's nothing left of the stack, until it melts away Page 45 The Official Phreaker's Manual into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending to a whisper with each cheep. He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink cheep kachink cheep kachink cheep, and the complex connection has wiped itself out like the Cheshire cat's smile. The MF Boogie Blues The next number I choose from the select list of phone-phreak alumni, prepared for me by the blue-box inventor, is a Memphis number. It is the number of Joe Engressia, the first and still perhaps the most accomplished blind phone phreak. Three years ago Engressia was a nine-day wonder in newspapers and magazines all over America because he had been discovered whistling free long-distance connections for fellow students at the University of South Florida. Engressia was born with perfect pitch: he could whistle phone tones better than the phone-company's equipment. Engressia might have gone on whistling in the dark for a few friends for the rest of his life if the phone company hadn't decided to expose him. He was warned, disciplined by the college, and the whole case became public. In the months following media reports of his talent, Engressia began receiving strange calls. There were calls from a group of kids in Los Angeles who could do some very strange things with the quirky General Telephone and Electronics circuitry in L.A. suburbs. There were calls from a group of mostly blind kids in ----, California, who had been doing some interesting experiments with Cap'n Crunch whistles and test loops. There was a group in Seattle, a group in Cambridge, Massachusetts, a few from New York, a few scattered across the country. Some of them had already equipped themselves with cassette and electronic M-F devices. For some of these groups, it was the first time they knew of the others. The exposure of Engressia was the catalyst that linked the separate phone-phreak centers together. They all called Engressia. They talked to him about what he was doing and what they were doing. And then he told them -- the scattered regional centers and lonely independent phone phreakers -- about each other, gave them each other's numbers to call, and within a year the scattered phone-phreak centers had grown into a nationwide underground. Joe Engressia is only twenty-two years old now, but along the phone-phreak network he is "the old man," accorded by phone phreaks something of the reverence the phone company bestows on Alexander Graham Bell. He seldom needs to make calls anymore. The phone phreaks all call him and let him know what new tricks, new codes, new techniques they have learned. Every night he sits like a sightless spider in his little apartment receiving messages from every tendril of his web. It is almost a point of pride with Joe that they call him. But when I reached him in his Memphis apartment that night, Joe Engressia was lonely, jumpy and upset. "God, I'm glad somebody called. I don't know why tonight of all nights I don't get any calls. This guy around here got drunk again tonight and propositioned me again. I keep telling him we'll never see eye to eye on this subject, if you know what I mean. I try to make light of it, you know, but he doesn't get it. I can head him out there getting drunker and I don't know what he'll do Page 46 The Official Phreaker's Manual next. It's just that I'm really all alone here, just moved to Memphis, it's the first time I'm living on my own, and I'd hate for it to all collapse now. But I won't go to bed with him. I'm just not very interested in sex and even if I can't see him I know he's ugly. "Did you hear that? That's him banging a bottle against the wall outside. He's nice. Well forget about it. You're doing a story on phone phreaks? Listen to this. It's the MF Boogie Blues. Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, each note one of those long-distance phone tones. The music stops. A huge roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" The roar ceases. A high-pitched operator-type voice replaces it. "This is Southern Braille Tel. & Tel. Have tone, will phone." This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep reassuring voice: "If you need home care, call the visiting-nurses association. First National time in Honolulu is 4:32 p.m." Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes manages to keep Joe's mind off his tormentor only as long as it lasts. "The reason I'm in Memphis, the reason I have to depend on that homosexual guy, is that this is the first time I've been able to live on my own and make phone trips on my own. I've been banned from all central offices around home in Florida, they knew me too well, and at the University some of my fellow scholars were always harassing me because I was on the dorm pay phone all the time and making fun of me because of my fat ass, which of course I do have, it's my physical fatness program, but I don't like to hear it every day, and if I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've been devoting three quarters of my life to it. "I moved to Memphis because I wanted to be on my own as well as because it has a Number 5 crossbar switching system and some interesting little independent phone-company districts nearby and so far they don't seem to know who I am so I can go on phone tripping, and for me phone tripping is just as important as phone phreaking." Phone tripping, Joe explains, begins with calling up a central-office switch room. He tells the switchman in a polite earnest voice that he's a blind college student interested in telephones, and could he perhaps have a guided tour of the switching station? Each step of the tour Joe likes to touch and feel relays, caress switching circuits, switchboards, crossbar arrangements. So when Joe Engressia phone phreaks he feels his way through the circuitry of the country garden of forking paths, he feels switches shift, relays shunt, crossbars swivel, tandems engage and disengage even as he hears -- with perfect pitch -- his M-F pulses make the entire Bell system dance to his tune. Just one month ago Joe took all his savings out of his bank and left home, over the emotional protests of his mother. "I ran away from home almost," he likes to say. Joe found a small apartment house on Union Avenue and began making phone trips. He'd take a bus a hundred miles south in Mississippi to see some Page 47 The Official Phreaker's Manual old-fashioned Bell equipment still in use in several states, which had been puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to look at some brand-new experimental equipment. He hired a taxi to drive him twelve miles to a suburb to tour the office of a small phone company with some interesting idiosyncrasies in its routing system. He was having the time of his life, he said, the most freedom and pleasure he had known. In that month he had done very little long-distance phone phreaking from his own phone. He had begun to apply for a job with the phone company, he told me, and he wanted to stay away from anything illegal. "Any kind of job will do, anything as menial as the most lowly operator. That's probably all they'd give me because I'm blind. Even though I probably know more than most switchmen. But that's okay. I want to work for Ma Bell. I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's something beautiful about the system when you know it intimately the way I do. But I don't know how much they know about me here. I have a very intuitive feel for the condition of the line I'm on, and I think they're monitoring me off and on lately, but I haven't been doing much illegal. I have to make a few calls to switchmen once in a while which aren't strictly legal, and once I took an acid trip and was having these auditory hallucinations as if I were trapped and these planes were dive-bombing me, and all of sudden I had to phone phreak out of there. For some reason I had to call Kansas City, but that's all." A Warning Is Delivered At this point -- one o'clock in my time zone -- a loud knock on my motel-room door interrupts our conversation. Outside the door I find a uniformed security guard who informs me that there has been an "emergency phone call" for me while I have been on the line and that the front desk has sent him up to let me know. Two seconds after I say good-bye to Joe and hang up, the phone rings. "Who were you talking to?" the agitated voice demands. The voice belongs to Captain Crunch. "I called because I decided to warn you of something. I decided to warn you to be careful. I don't want this information you get to get to the radical underground. I don't want it to get into the wrong hands. What would you say if I told you it's possible for three phone phreaks to saturate the phone system of the nation. Saturate it. Busy it out. All of it. I know how to do this. I'm not gonna tell. A friend of mine has already saturated the trunks between Seattle and New York. He did it with a computerized M-F-er hitched into a special Manitoba exchange. But there are other, easier ways to do it." Just three people? I ask. How is that possible? "Have you ever heard of the long-lines guard frequency? Do you know about stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. I'm not gonna tell you. But whatever you do, don't let this get into the hands of the radical underground." (Later Gilbertson, the inventor, confessed that while he had always been skeptical about the Captain's claim of the sabotage potential of trunk-tying phone phreaks, he had recently heard certain demonstrations which convinced him the Captain was not speaking idly. "I think it might take more than three people, depending on how many machines like Captain Crunch's were available. Page 48 The Official Phreaker's Manual But even though the Captain sounds a little weird, he generally turns out to know what he's talking about.") "You know," Captain Crunch continues in his admonitory tone, "you know the younger phone phreaks call Moscow all the time. Suppose everybody were to call Moscow. I'm no right-winger. But I value my life. I don't want the Commies coming over and dropping a bomb on my head. That's why I say you've got to be careful about who gets this information." The Captain suddenly shifts into a diatribe against those phone phreaks who don't like the phone company. "They don't understand, but Ma Bell knows everything they do. Ma Bell knows. Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but I can detect things like that. Well, even if it is, they know that I know that they know that I have a bulk eraser. I'm very clean." The Captain pauses, evidently torn between wanting to prove to the phone-company monitors that he does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma Bell knows how good I am. And I am quite good. I can detect reversals, tandem switching, everything that goes on on a line. I have relative pitch now. Do you know what that means? My ears are a $20,000 piece of equipment. With my ears I can detect things they can't hear with their equipment. I've had employment problems. I've lost jobs. But I want to show Ma Bell how good I am. I don't want to screw her, I want to work for her. I want to do good for her. I want to help her get rid of her flaws and become perfect. That's my number-one goal in life now." The Captain concludes his warnings and tells me he has to be going. "I've got a little action lined up for tonight," he explains and hangs up. Before I hang up for the night, I call Joe Engressia back. He reports that his tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I get, ahem, yes; but you might say he's in a drunken stupor." I make a date to visit Joe in Memphis in two days. +-- End second file of four --+ Page 49 The Official Phreaker's Manual ***** The AAG Proudly Presents The AAG Proudly Presents ***** * * * +----------------------------------------------+ * * * * Secrets of the Little Blue Box * * * * by Ron Rosenbaum * * Typed by One Farad Cap/AAG * * * * -A story so incredible it may even make you * * feel sorry for the phone company- * * * * (Third of four files) * * * * +----------------------------------------------+ * * * ***** The AAG Proudly Presents The AAG Proudly Presents ***** A Phone Phreak Call Takes Care of Business The next morning I attend a gathering of four phone phreaks in ----- (a California suburb). The gathering takes place in a comfortable split-level home in an upper-middle-class subdivision. Heaped on the kitchen table are the portable cassette recorders, M-F cassettes, phone patches, and line ties of the four phone phreaks present. On the kitchen counter next to the telephone is a shoe-box-size blue box with thirteen large toggle switches for the tones. The parents of the host phone phreak, Ralph, who is blind, stay in the living room with their sighted children. They are not sure exactly what Ralph and his friends do with the phone or if it's strictly legal, but he is blind and they are pleased he has a hobby which keeps him busy. The group has been working at reestablishing the historic "2111" conference, reopening some toll-free loops, and trying to discover the dimensions of what seem to be new initiatives against phone phreaks by phone-company security agents. It is not long before I get a chance to see, to hear, Randy at work. Randy is known among the phone phreaks as perhaps the finest con man in the game. Randy is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly nylon white sport shirt, pushes his head forward from hunched shoulders somewhat like a turtle inching out of its shell. His eyes wander, crossing and recrossing, and his forehead is somewhat pimply. He is only sixteen years old. But when Randy starts speaking into a telephone mouthpiece his voice becomes so stunningly authoritative it is necessary to look again to convince yourself it comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the voice of a brilliant performance-fund gunslinger explaining how he beats the Dow Jones by thirty percent. Then imagine a voice that could make those two sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. He is speaking to a switchman in Detroit. The phone company in Detroit had closed up two toll-free loop pairs for no apparent reason, although heavy use by phone phreaks all over the country may have been detected. Randy is telling the switchman how to open up the loop and make it free again: "How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and Page 50 The Official Phreaker's Manual we've been trying to run some tests on your loop-arounds and we find'em busied out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, can you drop cards on 'em? Do you have 08 on your number group? Oh that's okay, we've had this trouble before, we may have to go after the circuit. Here lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, yeah, we'd like to clear that busy out. Right. All you have to do is look for your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that happened, but we've been having trouble with that one. Okay. Thanks a lot fella. Be seein' ya." Randy hangs up, reports that the switchman was a little inexperienced with the loop-around circuits on the miscellaneous trunk frame, but that the loop has been returned to its free-call status. Delighted, phone phreak Ed returns the pair of numbers to the active-status column in his directory. Ed is a superb and painstaking researcher. With almost Talmudic thoroughness he will trace tendrils of hints through soft-wired mazes of intervening phone-company circuitry back through complex linkages of switching relays to find the location and identity of just one toll-free loop. He spends hours and hours, every day, doing this sort of thing. He has somehow compiled a directory of eight hundred "Band-six in-WATS numbers" located in over forty states. Band-six in-WATS numbers are the big 800 numbers -- the ones that can be dialed into free from anywhere in the country. Ed the researcher, a nineteen-year-old engineering student, is also a superb technician. He put together his own working blue box from scratch at age seventeen. (He is sighted.) This evening after distributing the latest issue of his in-WATS directory (which has been typed into Braille for the blind phone phreaks), he announces he has made a major new breakthrough: "I finally tested it and it works, perfectly. I've got this switching matrix which converts any touch-tone phone into an M-F-er." The tones you hear in touch-tone phones are not the M-F tones that operate the long-distance switching system. Phone phreaks believe A.T.&T. had deliberately equipped touch tones with a different set of frequencies to avoid putting the six master M-F tones in the hands of every touch-tone owner. Ed's complex switching matrix puts the six master tones, in effect put a blue box, in the hands of every touch-tone owner. Ed shows me pages of schematics, specifications and parts lists. "It's not easy to build, but everything here is in the Heathkit catalog." Ed asks Ralph what progress he has made in his attempts to reestablish a long-term open conference line for phone phreaks. The last big conference -- the historic "2111" conference -- had been arranged through an unused Telex test-board trunk somewhere in the innards of a 4A switching machine in Vancouver, Canada. For months phone phreaks could M-F their way into Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the internal phone-company code for Telex testing), and find themselves at any time, day or night, on an open wire talking with an array of phone phreaks from coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak sympathizers, and miscellaneous guests and technical experts. The conference was a massive exchange of information. Phone phreaks picked each other's brains clean, then developed new ways to pick the phone company's brains clean. Ralph gave M F Boogies concerts with his home-entertainment-type electric Page 51 The Official Phreaker's Manual organ, Captain Crunch demonstrated his round-the-world prowess with his notorious computerized unit and dropped leering hints of the "action" he was getting with his girl friends. (The Captain lives out or pretends to live out several kinds of fantasies to the gossipy delight of the blind phone phreaks who urge him on to further triumphs on behalf of all of them.) The somewhat rowdy Northwest phone-phreak crowd let their bitter internal feud spill over into the peaceable conference line, escalating shortly into guerrilla warfare; Carl the East Coast international tone relations expert demonstrated newly opened direct M-F routes to central offices on the island of Bahrein in the Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and explained the technical operation of the new Oakland-to Vietnam linkages. (Many phone phreaks pick up spending money by M-F-ing calls from relatives to Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) Day and night the conference line was never dead. Blind phone phreaks all over the country, lonely and isolated in homes filled with active sighted brothers and sisters, or trapped with slow and unimaginative blind kids in straitjacket schools for the blind, knew that no matter how late it got they could dial up the conference and find instant electronic communion with two or three other blind kids awake over on the other side of America. Talking together on a phone hookup, the blind phone phreaks say, is not much different from being there together. Physically, there was nothing more than a two-inch-square wafer of titanium inside a vast machine on Vancouver Island. For the blind kids >there< meant an exhilarating feeling of being in touch, through a kind of skill and magic which was peculiarly their own. Last April 1, however, the long Vancouver Conference was shut off. The phone phreaks knew it was coming. Vancouver was in the process of converting from a step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped out in the process. The phone phreaks learned the actual day on which the conference would be erased about a week ahead of time over the phone company's internal-news-and-shop-talk recording. For the next frantic seven days every phone phreak in America was on and off the 2111 conference twenty-four hours a day. Phone phreaks who were just learning the game or didn't have M-F capability were boosted up to the conference by more experienced phreaks so they could get a glimpse of what it was like before it disappeared. Top phone phreaks searched distant area codes for new conference possibilities without success. Finally in the early morning of April 1, the end came. "I could feel it coming a couple hours before midnight," Ralph remembers. "You could feel something going on in the lines. Some static began showing up, then some whistling wheezing sound. Then there were breaks. Some people got cut off and called right back in, but after a while some people were finding they were cut off and couldn't get back in at all. It was terrible. I lost it about one a.m., but managed to slip in again and stay on until the thing died... I think it was about four in the morning. There were four of us still hanging on when the conference disappeared into nowhere for good. We all tried to M-F up to it again of course, but we got silent termination. There was nothing there." The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" Mark Bernay. I had come across that name before. It was on Gilbertson's select list of phone phreaks. The California phone phreaks had spoken of a mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West Coast. And in fact almost every phone phreak in the West can trace his origins Page 52 The Official Phreaker's Manual either directly to Mark Bernay or to a disciple of Mark Bernay. It seems that five years ago this Mark Bernay (a pseudonym he chose for himself) began traveling up and down the West Coast pasting tiny stickers in phone books all along his way. The stickers read something like "Want to hear an interesting tape recording? Call these numbers." The numbers that followed were toll-free loop-around pairs. When one of the curious called one of the numbers he would hear a tape recording pre-hooked into the loop by Bernay which explained the use of loop-around pairs, gave the numbers of several more, and ended by telling the caller, "At six o'clock tonight this recording will stop and you and your friends can try it out. Have fun." "I was disappointed by the response at first," Bernay told me, when I finally reached him at one of his many numbers and he had dispensed with the usual "I never do anything illegal" formalities which experienced phone phreaks open most conversations. "I went all over the coast with these stickers not only on pay phones, but I'd throw them in front of high schools in the middle of the night, I'd leave them unobtrusively in candy stores, scatter them on main streets of small towns. At first hardly anyone bothered to try it out. I would listen in for hours and hours after six o'clock and no one came on. I couldn't figure out why people wouldn't be interested. Finally these two girls in Oregon tried it out and told all their friends and suddenly it began to spread." Before his Johny Appleseed trip Bernay had already gathered a sizable group of early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. Bernay does not claim credit for the original discovery of the loop-around numbers. He attributes the discovery to an eighteen-year-old reform school kid in Long Beach whose name he forgets and who, he says, "just disappeared one day." When Bernay himself discovered loop-arounds independently, from clues in his readings in old issues of the Automatic Electric Technical Journal, he found dozens of the reform-school kid's friends already using them. However, it was one of Bernay's disciples in Seattle that introduced phone phreaking to blind kids. The Seattle kid who learned about loops through Bernay's recording told a blind friend, the blind kid taught the secret to his friends at a winter camp for blind kids in Los Angeles. When the camp session was over these kids took the secret back to towns all over the West. This is how the original blind kids became phone phreaks. For them, for most phone phreaks in general, it was the discovery of the possibilities of loop-arounds which led them on to far more serious and sophisticated phone-phreak methods, and which gave them a medium for sharing their discoveries. A year later a blind kid who moved back east brought the technique to a blind kids' summer camp in Vermont, which spread it along the East Coast. All from a Mark Bernay sticker. Bernay, who is nearly thirty years old now, got his start when he was fifteen and his family moved into an L.A. suburb serviced by General Telephone and Electronics equipment. He became fascinated with the differences between Bell and G.T.&E. equipment. He learned he could make interesting things happen by carefully timed clicks with the disengage button. He learned to interpret subtle differences in the array of clicks, whirrs and kachinks he could hear on his lines. He learned he could shift himself around the switching relays of the L.A. area code in a not-too-predictable fashion by interspersing his own hook-switch clicks with the clicks within the line. (Independent phone companies -- there are nineteen hundred of them still left, most of them tiny island principalities in Ma Bell's vast empire -- have always been favorites Page 53 The Official Phreaker's Manual with phone phreaks, first as learning tools, then as Archimedes platforms from which to manipulate the huge Bell system. A phone phreak in Bell territory will often M-F himself into an independent's switching system, with switching idiosyncrasies which can give him marvelous leverage over the Bell System. "I have a real affection for Automatic Electric Equipment," Bernay told me. "There are a lot of things you can play with. Things break down in interesting ways." Shortly after Bernay graduated from college (with a double major in chemistry and philosophy), he graduated from phreaking around with G.T.&E. to the Bell System itself, and made his legendary sticker-pasting journey north along the coast, settling finally in Northwest Pacific Bell territory. He discovered that if Bell does not break down as interestingly as G.T.&E., it nevertheless offers a lot of "things to play with." Bernay learned to play with blue boxes. He established his own personal switchboard and phone-phreak research laboratory complex. He continued his phone-phreak evangelism with ongoing sticker campaigns. He set up two recording numbers, one with instructions for beginning phone phreaks, the other with latest news and technical developments (along with some advanced instruction) gathered from sources all over the country. These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately I've been enjoying playing with computers more than playing with phones. My personal thing in computers is just like with phones, I guess -- the kick is in finding out how to beat the system, how to get at things I'm not supposed to know about, how to do things with the system that I'm not supposed to be able to do." As a matter of fact, Bernay told me, he had just been fired from his computer-programming job for doing things he was not supposed to be able to do. he had been working with a huge time-sharing computer owned by a large corporation but shared by many others. Access to the computer was limited to those programmers and corporations that had been assigned certain passwords. And each password restricted its user to access to only the one section of the computer cordoned off from its own information storager. The password system prevented companies and individuals from stealing each other's information. "I figured out how to write a program that would let me read everyone else's password," Bernay reports. "I began playing around with passwords. I began letting the people who used the computer know, in subtle ways, that I knew their passwords. I began dropping notes to the computer supervisors with hints that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting cleverer and cleverer with my messages and devising ways of showing them what I could do. I'm sure they couldn't imagine I could do the things I was showing them. But they never responded to me. Every once in a while they'd change the passwords, but I found out how to discover what the new ones were, and I let them know. But they never responded directly to the Midnight Skulker. I even finally designed a program which they could use to prevent my program from finding out what it did. In effect I told them how to wipe me out, The Midnight Skulker. It was a very clever program. I started leaving clues about myself. I wanted them to try and use it and then try to come up with something to get around that and reappear again. But they wouldn't play. I wanted to get caught. I mean I didn't want to get caught personally, but I wanted them to notice me and admit that they noticed me. I wanted them to attempt to respond, maybe in some interesting way." Page 54 The Official Phreaker's Manual Finally the computer managers became concerned enough about the threat of information-stealing to respond. However, instead of using The Midnight Skulker's own elegant self-destruct program, they called in their security personnel, interrogated everyone, found an informer to identify Bernay as The Midnight Skulker, and fired him. "At first the security people advised the company to hire me full-time to search out other flaws and discover other computer freaks. I might have liked that. But I probably would have turned into a double double agent rather than the double agent they wanted. I might have resurrected The Midnight Skulker and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole idea down." You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own Home, Perhaps Computer freaking may be the wave of the future. It suits the phone-phreak sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone phreak, has also gone on from phone-phreaking to computer-freaking. Before he got into the blue-box business Gilbertson, who is a highly skilled programmer, devised programs for international currency arbitrage. But he began playing with computers in earnest when he learned he could use his blue box in tandem with the computer terminal installed in his apartment by the instrumentation firm he worked for. The print-out terminal and keyboard was equipped with acoustical coupling, so that by coupling his little ivory Princess phone to the terminal and then coupling his blue box on that, he could M-F his way into other computers with complete anonymity, and without charge; program and re-program them at will; feed them false or misleading information; tap and steal from them. He explained to me that he taps computers by busying out all the lines, then going into a verification trunk, listening into the passwords and instructions one of the time sharers uses, and them M-F-ing in and imitating them. He believes it would not be impossible to creep into the F.B.I's crime control computer through a local police computer terminal and phreak around with the F.B.I.'s memory banks. He claims he has succeeded in re-programming a certain huge institutional computer in such a way that it has cordoned off an entire section of its circuitry for his personal use, and at the same time conceals that arrangement from anyone else's notice. I have been unable to verify this claim. Like Captain Crunch, like Alexander Graham Bell (pseudonym of a disgruntled-looking East Coast engineer who claims to have invented the black box and now sells black and blue boxes to gamblers and radical heavies), like most phone phreaks, Gilbertson began his career trying to rip off pay phones as a teenager. Figure them out, then rip them off. Getting his dime back from the pay phone is the phone phreak's first thrilling rite of passage. After learning the usual eighteen different ways of getting his dime back, Gilbertson learned how to make master keys to coin-phone cash boxes, and get everyone else's dimes back. He stole some phone-company equipment and put together his own home switchboard with it. He learned to make a simple "bread-box" device, of the kind used by bookies in the Thirties (bookie gives a number to his betting clients; the phone with that number is installed in some widow lady's apartment, but is rigged to ring in the bookie's shop across town, cops trace big betting number and find nothing but the widow). Not long after that afternoon in 1968 when, deep in the stacks of an engineering library, he came across a technical journal with the phone tone frequencies and rushed off to make his first blue box, not long after that Page 55 The Official Phreaker's Manual Gilbertson abandoned a very promising career in physical chemistry and began selling blue boxes for $1,500 apiece. "I had to leave physical chemistry. I just ran out of interesting things to learn," he told me one evening. We had been talking in the apartment of the man who served as the link between Gilbertson and the syndicate in arranging the big $300,000 blue-box deal which fell through because of legal trouble. There has been some smoking. "No more interesting things to learn," he continues. "Physical chemistry turns out to be a sick subject when you take it to its highest level. I don't know. I don't think I could explain to you how it's sick. You have to be there. But you get, I don't know, a false feeling of omnipotence. I suppose it's like phone-phreaking that way. This huge thing is there. This whole system. And there are holes in it and you slip into them like Alice and you're pretending you're doing something you're actually not, or at least it's no longer you that's doing what you thought you were doing. It's all Lewis Carroll. Physical chemistry and phone-phreaking. That's why you have these phone-phreak pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's something about phone-phreaking that you don't find in physical chemistry." He looks up at me: "Did you ever steal anything?" "Well yes, I..." "Then you know! You know the rush you get. It's not just knowledge, like physical chemistry. It's forbidden knowledge. You know. You can learn about anything under the sun and be bored to death with it. But the idea that it's illegal. Look: you can be small and mobile and smart and you're ripping off somebody large and powerful and very dangerous." People like Gilbertson and Alexander Graham Bell are always talking about ripping off the phone company and screwing Ma Bell. But if they were shown a single button and told that by pushing it they could turn the entire circuitry of A.T.&T. into molten puddles, they probably wouldn't push it. The disgruntled-inventor phone phreak needs the phone system the way the lapsed Catholic needs the Church, the way Satan needs a God, the way The Midnight Skulker needed, more than anything else, response. Later that evening Gilbertson finished telling me how delighted he was at the flood of blue boxes spreading throughout the country, how delighted he was to know that "this time they're really screwed." He suddenly shifted gears. "Of course. I do have this love/hate thing about Ma Bell. In a way I almost like the phone company. I guess I'd be very sad if they were to disintegrate. In a way it's just that after having been so good they turn out to have these things wrong with them. It's those flaws that allow me to get in and mess with them, but I don't know. There's something about it that gets to you and makes you want to get to it, you know." I ask him what happens when he runs out of interesting, forbidden things to learn about the phone system. "I don't know, maybe I'd go to work for them for a while." "In security even?" Page 56 The Official Phreaker's Manual "I'd do it, sure. I just as soon play -- I'd just as soon work on either side." "Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's game." "Yes, that might be interesting. Yes, I could figure out how to outwit the phone phreaks. Of course if I got too good at it, it might become boring again. Then I'd have to hope the phone phreaks got much better and outsmarted me for a while. That would move the quality of the game up one level. I might even have to help them out, you know, 'Well, kids, I wouldn't want this to get around but did you ever think of -- ?' I could keep it going at higher and higher levels forever." The dealer speaks up for the first time. He has been staring at the soft blinking patterns of light and colors on the translucent tiled wall facing him. (Actually there are no patterns: the color and illumination of every tile is determined by a computerized random-number generator designed by Gilbertson which insures that there can be no meaning to any sequence of events in the tiles.) "Those are nice games you're talking about," says the dealer to his friend. "But I wouldn't mind seeing them screwed. A telephone isn't private anymore. You can't say anything you really want to say on a telephone or you have to go through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, people are going to start putting together their own private telephone companies if they want to really talk. And you know what else. You don't hear silences on the phone anymore. They've got this time-sharing thing on long-distance lines where you make a pause and they snip out that piece of time and use it to carry part of somebody else's conversation. Instead of a pause, where somebody's maybe breathing or sighing, you get this blank hole and you only start hearing again when someone says a word and even the beginning of the word is clipped off. Silences don't count -- you're paying for them, but they take them away from you. It's not cool to talk and you can't hear someone when they don't talk. What the hell good is the phone? I wouldn't mind seeing them totally screwed." +-- End third file of four --+ Page 57 The Official Phreaker's Manual ***** The AAG Proudly Presents The AAG Proudly Presents ***** * * * +----------------------------------------------+ * * * * Secrets of the Little Blue Box * * * * by Ron Rosenbaum * * Typed by One Farad Cap/AAG * * * * -A story so incredible it may even make you * * feel sorry for the phone company- * * * * (Fourth of four files) * * * * +----------------------------------------------+ * * * ***** The AAG Proudly Presents The AAG Proudly Presents ***** The Big Memphis Bust Joe Engressia never wanted to screw Ma Bell. His dream had always been to work for her. The day I visited Joe in his small apartment on Union Avenue in Memphis, he was upset about another setback in his application for a telephone job. "They're stalling on it. I got a letter today telling me they'd have to postpone the interview I requested again. My landlord read it for me. They gave me some runaround about wanting papers on my rehabilitation status but I think there's something else going on." When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when he has guests -- it looked as if there was enough telephone hardware to start a small phone company of his own. There is one phone on top of his desk, one phone sitting in an open drawer beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F device with big toggle switches, and next to that is some kind of switching and coupling device with jacks and alligator plugs hanging loose. Next to that is a Braille typewriter. On the floor next to the desk, lying upside down like a dead tortoise, is the half-gutted body of an old black standard phone. Across the room on a torn and dusty couch are two more phones, one of them a touch-tone model; two tape recorders; a heap of phone patches and cassettes, and a life-size toy telephone. Our conversation is interrupted every ten minutes by phone phreaks from all over the country ringing Joe on just about every piece of equipment but the toy phone and the Braille typewriter. One fourteen-year-old blind kid from Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to Joe about girl friends. Joe says they'll talk later in the evening when they can be alone on the line. Joe draws a deep breath, whistles him off the air with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he looked worried and preoccupied that evening, his brow constantly furrowed over his dark wandering eyes. In addition to the phone-company stall, he has just learned that his apartment house is due to be demolished in sixty days for urban renewal. For all its shabbiness, the Union Avenue apartment house has been Joe's first home-of-his-own and he's worried that he may not find another before this one is demolished. Page 58 The Official Phreaker's Manual But what really bothers Joe is that switchmen haven't been listening to him. "I've been doing some checking on 800 numbers lately, and I've discovered that certain 800 numbers in New Hampshire couldn't be reached from Missouri and Kansas. Now it may sound like a small thing, but I don't like to see sloppy work; it makes me feel bad about the lines. So I've been calling up switching offices and reporting it, but they haven't corrected it. I called them up for the third time today and instead of checking they just got mad. Well, that gets me mad. I mean, I do try to help them. There's something about them I can't understand -- you want to help them and they just try to say you're defrauding them." It is Sunday evening and Joe invites me to join him for dinner at a Holiday Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a favorite for Joe ever since he made his first solo phone trip to a Bell switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. He likes to stay at Holiday Inns, he explains, because they represent freedom to him and because the rooms are arranged the same all over the country so he knows that any Holiday Inn room is familiar territory to him. Just like any telephone.) Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone phreak. At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of listening to little Joe play with the phone as he always did, constantly, put a lock on the phone dial. "I got so mad. When there's a phone sitting there and I can't use it... so I started getting mad and banging the receiver up and down. I noticed I banged it once and it dialed one. Well, then I tried banging it twice...." In a few minutes Joe learned how to dial by pressing the hook switch at the right time. "I was so excited I remember going 'whoo whoo' and beat a box down on the floor." At age eight Joe learned about whistling. "I was listening to some intercept non working-number recording in L.A.- I was calling L.A. as far back as that, but I'd mainly dial non working numbers because there was no charge, and I'd listen to these recordings all day. Well, I was whistling 'cause listening to these recordings can be boring after a while even if they are from L.A., and all of a sudden, in the middle of whistling, the recording clicked off. I fiddled around whistling some more, and the same thing happened. So I called up the switch room and said, 'I'm Joe. I'm eight years old and I want to know why when I whistle this tune the line clicks off.' He tried to explain it to me, but it was a little too technical at the time. I went on learning. That was a thing nobody was going to stop me from doing. The phones were my life, and I was going to pay any price to keep on learning. I knew I could go to jail. But I had to do what I had to do to keep on learning." The phone is ringing when we walk back into Joe's apartment on Union Avenue. It is Captain Crunch. The Captain has been following me around by phone, calling up everywhere I go with additional bits of advice and explanation for me and whatever phone phreak I happen to be visiting. This time the Captain reports he is calling from what he describes as "my hideaway high up in the Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to "go out and get a little action tonight. Do some phreaking of another kind, if you know what I mean." Joe chuckles. Page 59 The Official Phreaker's Manual The Captain then tells me to make sure I understand that what he told me about tying up the nation's phone lines was true, but that he and the phone phreaks he knew never used the technique for sabotage. They only learned the technique to help the phone company. "We do a lot of troubleshooting for them. Like this New Hampshire/Missouri WATS-line flaw I've been screaming about. We help them more than they know." After we say good-bye to the Captain and Joe whistles him off the line, Joe tells me about a disturbing dream he had the night before: "I had been caught and they were taking me to a prison. It was a long trip. They were taking me to a prison a long long way away. And we stopped at a Holiday Inn and it was my last night ever using the phone and I was crying and crying, and the lady at the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. You should always be happy here. Especially since it's your last night.' And that just made it worse and I was sobbing so much I couldn't stand it." Two weeks after I left Joe Engressia's apartment, phone-company security agents and Memphis police broke into it. Armed with a warrant, which they left pinned to a wall, they confiscated every piece of equipment in the room, including his toy telephone. Joe was placed under arrest and taken to the city jail where he was forced to spend the night since he had no money and knew no one in Memphis to call. It is not clear who told Joe what that night, but someone told him that the phone company had an open-and-shut case against him because of revelations of illegal activity he had made to a phone-company undercover agent. By morning Joe had become convinced that the reporter from Esquire, with whom he had spoken two weeks ago, was the undercover agent. He probably had ugly thoughts about someone he couldn't see gaining his confidence, listening to him talk about his personal obsessions and dreams, while planning all the while to lock him up. "I really thought he was a reporter," Engressia told the Memphis Press-Seminar. "I told him everything...." Feeling betrayed, Joe proceeded to confess everything to the press and police. As it turns out, the phone company did use an undercover agent to trap Joe, although it was not the Esquire reporter. Ironically, security agents were alerted and began to compile a case against Joe because of one of his acts of love for the system: Joe had called an internal service department to report that he had located a group of defective long-distance trunks, and to complain again about the New Hampshire/Missouri WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A suspicious switchman reported Joe to the security agents who discovered that Joe had never had a long-distance call charged to his name. Then the security agents learned that Joe was planning one of his phone trips to a local switching office. The security people planted one of their agents in the switching office. He posed as a student switchman and followed Joe around on a tour. He was extremely friendly and helpful to Joe, leading him around the office by the arm. When the tour was over he offered Joe a ride back to his apartment house. On the way he asked Joe -- one tech man to another -- about "those blue boxers" he'd heard about. Joe talked about them freely, talked about his blue box freely, and about all the other things he could do Page 60 The Official Phreaker's Manual with the phones. The next day the phone-company security agents slapped a monitoring tape on Joe's line, which eventually picked up an illegal call. Then they applied for the search warrant and broke in. In court Joe pleaded not guilty to possession of a blue box and theft of service. A sympathetic judge reduced the charges to malicious mischief and found him guilty on that count, sentenced him to two thirty-day sentences to be served concurrently and then suspended the sentence on condition that Joe promise never to play with phones again. Joe promised, but the phone company refused to restore his service. For two weeks after the trial Joe could not be reached except through the pay phone at his apartment house, and the landlord screened all calls for him. Phone-phreak Carl managed to get through to Joe after the trial, and reported that Joe sounded crushed by the whole affair. "What I'm worried about," Carl told me, "is that Joe means it this time. The promise. That he'll never phone-phreak again. That's what he told me, that he's given up phone-phreaking for good. I mean his entire life. He says he knows they're going to be watching him so closely for the rest of his life he'll never be able to make a move without going straight to jail. He sounded very broken up by the whole experience of being in jail. It was awful to hear him talk that way. I don't know. I hope maybe he had to sound that way. Over the phone, you know." He reports that the entire phone-phreak underground is up in arms over the phone company's treatment of Joe. "All the while Joe had his hopes pinned on his application for a phone-company job, they were stringing him along getting ready to bust him. That gets me mad. Joe spent most of his time helping them out. The bastards. They think they can use him as an example. All of sudden they're harassing us on the coast. Agents are jumping up on our lines. They just busted ------'s mute yesterday and ripped out his lines. But no matter what Joe does, I don't think we're going to take this lying down." Two weeks later my phone rings and about eight phone phreaks in succession say hello from about eight different places in the country, among them Carl, Ed, and Captain Crunch. A nationwide phone-phreak conference line has been reestablished through a switching machine in --------, with the cooperation of a disgruntled switchman. "We have a special guest with us today," Carl tells me. The next voice I hear is Joe's. He reports happily that he has just moved to a place called Millington, Tennessee, fifteen miles outside of Memphis, where he has been hired as a telephone-set repairman by a small independent phone company. Someday he hopes to be an equipment troubleshooter. "It's the kind of job I dreamed about. They found out about me from the publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. I'll have telephones in my hands all day long." "You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked me. "Well, I think they're going to be very sorry about what they did to Joe and what they're trying to do to us." +-- End fourth file of four --+ Page 61 The Official Phreaker's Manual $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ THE HISTORY OF ESS $ $ --- ------- -- --- $ $ $ $ $ $ Another original phile by: $ $ $ $ $ $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ $ $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Of all the new 1960s wonders of telephone technology - satellites, ultra modern Traffic Service Positions (TSPS) for operators, the picturephone, and so on - the one that gave Bell Labs the most trouble, and unexpectedly became the greatest development effort in Bell System's history, was the perfection of an electronic switching system, or ESS. It may be recalled that such a system was the specific end in view when the project that had culminated in the invention of the transistor had been launched back in the 1930s. After successful accomplishment of that planned miracle in 1947-48, further delays were brought about by financial stringency and the need for further development of the transistor itself. In the early 1950s, a Labs team began serious work on electronic switching. As early as 1955, Western Electric became involved when five engineers from the Hawthorne works were assigned to collaborate with the Labs on the project. The president of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new electronic switching system is going full speed ahead. We are sure this will lead to many improvements in service and also to greater efficiency. The first service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel said that the cost of the whole project would probably be $45 million. But it gradually became apparent that the development of a commercially usable electronic switching system -in effect, a computerized telephone exchange - presented vastly greater technical problems than had been anticipated, and that, accordingly, Bell Labs had vastly underestimated both the time and the investment needed to do the job. The year 1959 passed without the promised first trial at Morris, Illinois; it was finally made in November 1960, and quickly showed how much more work remained to be done. As time dragged on and costs mounted, there was a concern at AT&T and some-thing approaching panic at Bell Labs. But the project had to go forward; by this time the investment was too great to be sacrificed, and in any case, forward projections of increased demand for telephone service indicated that within a phew years a time would come when, without the quantum leap in speed and flexibility that electronic switching would provide, the national network would be unable to meet the demand. In November 1963, an all-electronic switching system went into use at the Brown Engineering Company at Cocoa Beach, Florida. But this was a small installation, essentially another test installation, serving only a single company. Kappel's tone on the subject in the 1964 annual report was, for him, an almost apologetic: "Electronic switching equipment must be manufactured in volume to unprecedented standards of reliability.... To turn out the equipment economically and with good speed, mass production methods must be developed; but, at the same time, there can be no loss of precision..." Another year and millions of dollars later, on May 30, 1965, the first commercial electric central office was put into service at Succasunna, New Jersey. Page 62 The Official Phreaker's Manual Even at Succasunna, only 200 of the town's 4,300 subscribers initially had the benefit of electronic switching's added speed and additional services, such as provision for three party conversations and automatic transfer of incoming calls. But after that, ESS was on its way. In January 1966, the second commercial installation, this one serving 2,900 telephones, went into service in Chase, Maryland. By the end of 1967 there were additional ESS offices in California, Connecticut, Minnesota, Georgia, New York, Florida, and Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million customers; and by 1974 there were 475 offices serving 5.6 million customers. The difference between conventional switching and electronic switching is the difference between "hardware" and "software"; in the former case, maintenance is done on the spot, with screwdriver and pliers, while in the case of electronic switching, it can be done remotely, by computer, from a central point, making it possible to have only one or two technicians on duty at a time at each switching center. The development program, when the final figures were added up, was found to have required a staggering four thousand man-years of work at Bell Labs and to have cost not $45 million but $500 million! Page 63 The Official Phreaker's Manual $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ THE HISTORY OF BRITISH PHREAKING $ $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ $ $ $ THE SECOND IN A SERIES OF $ $ THE HISTORY OF.....PHILES $ $ $ $ WRITTEN AND UPLOADED BY: $ $ $ $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ $ AND $ $ THE LEGION OF DOOM! $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF 'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE "INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY TIMES (15 OCT. 1972). THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE FREQUENCIES. IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE "TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE Page 64 The Official Phreaker's Manual LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE SUBSCRIBERS LINE. THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST OFFICE ENGINEERS. WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S (NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS Page 65 The Official Phreaker's Manual DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES TO USE FROM HIS LOCAL EXCHANGE!!! # $-THE END-$ Page 66 The Official Phreaker's Manual Bad as Shit Recently, a telephone fanatic in the northwest made an interesting discovery. He was exploring the 804 area code (Virginia) and found out that the 840 exchange did something strange. In the vast majority of cases, in fact in all of the cases except one, he would get a recording as if the exchange didn't exist. However, if he dialed 804-840 and four rather predictable numbers, he got a ring! After one or two rings, somebody picked up. Being experienced at this kind of thing, he could tell that the call didn't "supe", that is, no charges were being incurred for calling this number. (Calls that get you to an error message, or a special operator, generally don't supervise.) A female voice, with a hint of a Southern accent said, "Operator, can I help you?" "Yes," he said, "What number have I reached?" "What number did you dial, sir?" He made up a number that was similar. "I'm sorry that is not the number you reached." Click. He was fascinated. What in the world was this? He knew he was going to call back, but before he did, he tried some more experiments. He tried the 840 exchange in several other area codes. In some, it came up as a valid exchange. In others, exactly the same thing happened -- the same last four digits, the same Southern belle. Oddly enough, he later noticed, the areas worked in seemed to travel in a beeline from Washington DC to Pittsburgh, PA. He called back from a payphone. "Operator, can I help you?" "Yes, this is the phone company. I'm testing this line and we don't seem to have an identification on your circuit. What office is this, please?" "What number are you trying to reach?" "I'm not trying to reach any number. I'm trying to identify this circuit." "I'm sorry, I can't help you." "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We show no record of it here." "Hold on a moment, sir." After about a minute, she came back. "Sir, I can have someone speak to you. Would you give me your number, please?" He had anticipated this and he had the payphone number ready. After he gave it, she said, "Mr. XXX will get right back to you." "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he thought, "They weren't asking for my number -- they were confirming it!" "Hello," he said, trying to sound authoritative. Page 67 The Official Phreaker's Manual "This is Mr. XXX. Did you just make an inquiry to my office concerning a phone number?" "Yes. I need an identi--" "What you need is advice. Don't ever call that number again. Forget you ever knew it." At this point our friend got so nervous he just hung up. He expected to hear the phone ring again but it didn't. Over the next few days he racked his brains trying to figure out what the number was. He knew it was something big -- that was pretty certain at this point. It was so big that the number was programmed into every central office in the country. He knew this because if he tried to dial any other number in that exchange, he'd get a local error message from his CO, as if the exchange didn't exist. It finally came to him. He had an uncle who worked in a federal agency. He had a feeling that this was government related and if it was, his uncle could probably find out what it was. He asked the next day and his uncle promised to look into the matter. The next time he saw his uncle, he noticed a big change in his manner. He was trembling. "Where did you get that number?!" he shouted. "Do you know I almost got fired for asking about it?!? They kept wanting to know where I got it." Our friend couldn't contain his excitement. "What is it?" he pleaded. "What's the number?!" "IT'S THE PRESIDENT'S BOMB SHELTER!" He never called the number after that. He knew that he could probably cause quite a bit of excitement by calling the number and saying something like, "The weather's not good in Washington. We're coming over for a visit." But our friend was smart. he knew that there were some things that were better off unsaid and undone. <> Page 68 The Official Phreaker's Manual Chapter 3 This chapter is really just a bunch of FACS (pun intended). Here is where random facts that really have something to do with everything else but nothing to do with anything else, are presented. They cover various topics such as: Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool the Mother Fuckers). The aspects covered here are very brief and could easily be covered much more thoroughly, but it is no problem since they are not very important topics. Something that would make a very nice gift is covered in the article AT&T forgery. Just make up stationary with AT&T letter head and give it as a present to your phriends who would appreciate it. Page 69 The Official Phreaker's Manual Phreaking COSMOS =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- COSMOS is Bell's computer for handling information on customer lines, special services on lines, and orders to change line equipment, disconnect lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It is based on the UNIX operating system and, depending upon the COSMOS and upon your access, has some, many, or no UNIX standard commands. COSMOS is powerful, but there is no reason to be afraid of it. This article will give some of the basic, pertinent info on how users get in, account format, and a few other goodies. Password Identification =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- To get onto COSMOS you need a dialup, account, password, and wire center (WC). Wire centers are two letter codes that tell what section of the COSMOS you are in. There are different WC's f or different areas and groups of exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that have no password; obviously such accounts are the easiest to hack. Checking It Out =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Let's suppose you have a COSMOS number which you obtained one way or another. The first thing to do would be to make sure it is really a COSMOS system, not some other Bell or AT&T computer. To do this, you would call it and connect your modem,, then hit some returns until you got a response. It should say: ';LOGIN:' or 'NAME:'. If you enter some garbage it should say: 'PASSWORD:'. If you hit a return and it says 'WC?', it is a COSMOS system. If it says something like 'TA%' then you're in business. If it doesn't do any of the above, then it is either some other kind of system, or, if you're not getting anything at all, the dialup has probably gone bad. Getting In =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- COSMOS has certain accounts that are usually on the system, one of which might not have a password. They consist of ROOT (most powerful and almost always on the system), SYS (second most powerful, still many privileges), BIN (a little less power), PREOP (a little less), and COSMOS (hardly any privileges, like a normal user). The way to tell if they have passwords is by entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight to 'WC?', all you need is a WC to get in. But suppose all of the accounts have passwords? You have two choices. You can try to hack the password and WC to one of the above accounts. I won't deal with this method, as is self-explanatory. Or you can do something I find much easier...call the COSMOS during business hours and hope that someone forgot to log off. Keep calling until when you connect and hit return until you get a 'WC%' prompt. 'WC' is the WC that the account you found is currently in. You are now in! What to Do while on-line =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Page 70 The Official Phreaker's Manual The first thing you want to do is write down the WC you are in. Only on our first login it is a good idea to print everything or dump everything to a buffer. Commands =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 'WCFLDS'(!) : Should list all WC's. 'WHO' : Should print everyone currently logged on the system, giving some accounts. 'TTY' : Tells what terminal port you are on. 'WHERE' : Should tell the location of the COSMOS installation. 'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it is. 'LS *' : Prints all the files you have access to. 'CD /dir' : Connects you to the directory '/dir'. 'CAT filename ' : Prints the file 'filename'. 'Q' : Quits the editor. CTRL- Y. : Logs off 'TAT' : Sometimes prints a little help file. 'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' prompt. Then type. 'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number you are interested in. 'CAT /ETC/PASSWD': Prints out the password file, if you have access. The passwords are almost always encrypted, but you get a list of all the accounts. If you are lucky, one of the lines will have two colons after the account name. This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you enter that account. To run a file just type the name followed by a return. When the system gives you a '-', you type a '.', and it will type all kinds of info on the phone number you entered (in Bell abbreviations, of course). If it is not a good exchange, it will say something to that effect. You type a period to end the ISH. If you wish to learn more information about COSMOS, find yourself a COSMOS manual or look at future issues of 2600. A UNIX manual would also be helpful for standard UNIX commands. Page 71 The Official Phreaker's Manual FACS FACTS A LOOK AT THE NEW FACS SYSTEMS BY SHARP RAZOR BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR AIDING THE AT&T LINEMEN. THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS THE "MESSENGER AND STABILIZER" OF THE SYSTEM. THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: COSMOS: 22-WECO. 3B-20S MINI COMPS. WM: 6-WECO. 3B-20S MINI COMPS. SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. BANCS 2 THP CYBER 1000 PROCESSORS. THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH AT&T! ..LATER.. ..SHARP RAZOR>> THE LEGION OF DOOM! (NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN ST.LOUIS MISSOURI) Page 72 The Official Phreaker's Manual Telenet It seems that not many of you know that Telenet is connected to about 80 computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with thousands of unprotected computers. When you call your local Telenet- gateway, you can only call those computers which accept reverse-charging- calls. If you want to call computers in foreign countries or computers in USA which do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can type ID XXXX when being connected to Telenet? You are then asked for the password. If you have such a NUI (Network-User-ID) you can call nearly every host connected to any computer-network in the world. Here are some examples: 026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for CHRIS !!!) 0311050500061 :Is the Los Alamos Integrated computing network (One of the hosts connected to it is the DNA (Defense Nuclear Agency)!!!) 0530197000016 :Is a BBS in New Zealand 024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) 02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear research centers in the world) Login as GUEST 0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the ID 999_ with the password 9_ 0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the Multi-User-Dungeon !) 0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID HELP with password HELP works fine with security level 3 0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is connected to Telenet, too !) ID and Password is: PETER You can read the news of the next day ! The prefixes are as follows: 02624 is Datex-P in Germany 02342 is PSS in England 03110 is Telenet in USA 03106 is Tymnet in USA 02405 is Telepak in Sweden 04251 is Isranet in Israel 02080 is Transpac in France 02284 is Telepac in Switzerland 02724 is Eirpac in Ireland 02704 is Luxpac in Luxembourg 05252 is Telepac in Singapore 04408 is Venus-P in Japan ...and so on... Some of the countries have more than one packet-switching-network (USA has 11, Canada has 3, etc). OK. That should be enough for the moment. As you see most of the passwords are very simple. This is because they must not have any fear of hackers. Only a few German hackers use these networks. Most of the computers are absolutely easy to hack !!! So, try to find out some Telenet-ID's and leave them here. If you need more numbers, leave e-mail. I'm calling from Germany via the German Datex-P network, which is similar to Telenet. We have a lot of those NUI's for the German network, but none for a special Tymnet-outdial-computer in USA, which connects me to any phone #. CUL8R, Mad Max PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more Page 73 The Official Phreaker's Manual Informations on packet-switching-networks ! PS2: The new password for the Washington Post is KING !!!! Page 74 The Official Phreaker's Manual Phreaking AT&T Cards =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My topic will deal with using an AT&T calling card for automated calls. Ok to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the desired area code and the number to call. Also when calling the same number that the card is being billed to you enter the phone number and at the tone only enter the last four digits on the card. But we don't want to do that now, do we. If additional calls are wanted all you do is hit the (#) and you will get a new dial tone! After you hit (#) you do not have to re-enter the calling card number simply enter your desired number and it will connect you. If the number you called is busy just keep hitting (#) and the number to be called until you connect! Ok to calL the U.S. of a from another country, you use the exact same format as described above! Ok now I will describe the procedure for placing calls to a foreign country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset then enter (01) + the country code + the city code + the local telephone number. Ok after you get the tone enter the AT&T calling card number. Ok if you can not dial operator assisted calls from your area don't worry just jingle the operator and she will handle your call, don't worry she can't see you! The international number on the AT&T calling card is used for calling the US of A from places like RUSSIA, CHINA you never know when you might get stuck in a country like those and you have no money to make a call! The international operator will be able to tell you if they honor the AT&T calling card. Well I hope that this has straightened out some of your problems on the use of an AT&T calling card! All you have to remember is that weather you are placing the call or the operator, be careful and never use the calling card from your home phone!! That is a BIG NO NO.. Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) they say that it was designed to meet the public's needs! These phones will be popping up in many place such as airport terminals, hotels, etc... What the new card caller service is, is a new type of phone that has a (CRT) screen that will talk to you in a language of your choice. The service works something like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) and there is a strip of magnetic tape on the card which reads the number, thus no one can hear you saying your number or if there were a bug in the phone,no touch tones will be heard!! You can also bill the call to a third party. that is one that I am not totally clear on yet! The phone is supposed to tell you how it can be done. That is after you have inserted your card and lifted the receiver! Page 75 The Official Phreaker's Manual :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: :% %: :% AT&T FORGERY %: :% Written by The Blue Buccaneer %: :% %: :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: Here is a very simple way to either: [1] Play an incredibly cruel and realistic joke on a phreaking friend. -OR- [2] Provide yourself with everything you ever wanted to be an AT&T person. All you need to do is get your hands on some AT&T paper and/or business cards. To do this you can either go down to your local business office and swipe a few or call up somewhere like WATTS INFORMATION and ask them to send you their information package. They will send you: 1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." 2. A business card (again with AT&T) saying who the sales representative is. 3. A very nice color booklet telling you all about WATTS lines. 4. Various billing information. (Discard as it is very worthless) Now take the piece of AT&T paper and the AT&T business card down to your local print/copy shop. Tell them to run you off several copies of each, but to leave out whatever else is printed on the business card/letter. If they refuse or ask why, take your precious business elsewhere. (This should only cost you around $2.00 total) Now take the copies home and either with your typewriter, MAC, or Fontrix, add whatever name, address, telephone number, etc. you like. (I would recommend just changing the name on the card and using whatever information was on there earlier) And there you have official AT&T letters and business cards. As mentioned earlier, you can use them in several ways. Mail a nice letter to someone you hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like that. (Be sure to use correct English and spelling) (Also do not hand write the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) Another possible use (of many, I guess) is (if you are old enough to look the part) to use the business card as some sort of fake id. The last example of uses for the fake AT&T letters & b.cards is mentioned in my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that reads: WCAT - FM202: (Like my examples? Haha!) (As you probably know, radio stations give away things by accepting the 'x' call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes they may ask a trivia question, but that's your problem. Anyway, the letter continues:) (You basically say that they have become so popular that they are getting too many calls at once from listeners trying to win tickets. By asking them to call all at the same time is overloading our systems. We do, of course, have means of handling these sort of matters, but it would require you sending us a Page 76 The Official Phreaker's Manual schedule of when you will be asking your listeners to call in. That way we would be able to set our systems to handle the amount of callers you get at peak times..(etc..etc..more BS..But you get the idea, right?) Joseph Hakimout AT&T Telecommunications East Bumblefuck, Nowheresville 55555 Ok, so it probably won't work (DJs just aren't that dumb, unless you really do live in Nowheresville), but using AT&T paper and a business card might up your chances some. :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- Page 77 The Official Phreaker's Manual =><---------------------------------><= => A little something about <= => Your phone company <= =><---------------------------------><= => By Col. Hogan <= ======================================== Ever get an operator who gave you a hard time, and you didn't know what to do? Well if the operator hears you use a little Bell jargon, she might wise up. Here is a little diagram (excuse the artwork) of the structure of operators /--------\ /------\ /-----\ !Operator!-- > ! S.A. ! --->! BOS ! \--------/ \------/ \-----/ ! ! V /-------------\ ! Group Chief ! \-------------/ Now most of the operators are not bugged, so they can curse at you, if they do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not report to her (95% of them are hers) but they will solve most of your problems. She MUST give you her name as she connects & all of these calls are bugged. If the SA gives you a rough time get her BOS (Business Office Supervisor) on the line. S/He will almost always back her girls up, but sometimes the SA will get tarred and feathered. The operator reports to the Group Chief, and S/He will solve 100% of your problems, but the chances of getting S/He on the line are nill. If a lineman (the guy who works out on the poles) or an installation man gives you the works ask to speak to the Installation Foreman, that works wonders. Here is some other bell jargon, that might come in handy if you are having trouble with the line. Or they can be used to lie your way out of situations.... An Erling is a line busy for 1 hour, used mostly in traffic studies A Permanent Signal is that terrible howling you get if you disconnect, but don't hang up. Everyone knows what a busy signal is, but some idiots think that is the *Actual* ringing of the phone, when it just is a tone "beeps" when the phone is ringing, wouldn't bet on this though, it can (and does) get out of sync. When you get a busy signal that is 2 times as fast as the normal one, the person you are trying to reach isn't really on the phone, (he might be), it is actually the signal that a trunk line somewhere is busy and they haven't or can't reroute your call. Sometimes you will get a Recording, or if you get nothing at all (Left High & Dry in fone terms) all the recordings are being used and the system is really overused, will probably go down in a little while. This happened when Kennedy was shot, the system just couldn't handle the calls. By the way this is called the "reorder signal" and the trunk line is "blocked". One more thing, if an overseas call isn't completed and doesn't generate any money for AT&T, is is called an "Air & Water Call". Page 78 The Official Phreaker's Manual [ESSENCE OF TELEPHONE CONFERENCING] [WRITTEN BY:] [FOREST RANGER] TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT IS IN. NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; 1000,2000,3000. NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR TO PLACE CONFERENCE CALLS. THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. REMEMBER:REACH OUT AND PHREAK SOMEONE! [TELEPHONE CONFERENCE CONTROLS] # - CONTROL MODE # - 6 PASSES CONTROL Page 79 The Official Phreaker's Manual # - 1 + AREA CODE & NUMBER ADDS # - 9 SILENT MODE # - 7 GETS CONFERENCE OPERATOR * - ENDS CONFERENCE THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO GIVE CONTROL TO. TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. Page 80 The Official Phreaker's Manual Phone Tapping HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE PHONE LINE. FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR 'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL CONVERSATIONS IN THE ROOM. THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT TONE, YOU'LL HEAR A CLICK. INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE USING THE PHONE: A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL AWAY UNNOTICED. I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: -------)!----)!(-------------> )!( CAP ^ )!( )!( )!( )!( ^^^^^---)!(-------------> ^ 100K ! ! THE HITCHHINKERS <%=- BRING YOUR TOWEL Page 88 The Official Phreaker's Manual 2600 Magazine's story on the Private Sector Bust Uploaded by Elric of Imrryr Lunatic Labs Unlimited :::::::::::::::::::::::::::::::::::::::::::::::: Typed By Shooting Shark : The following article appeared in the August, 1985 issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article follows. SEIZED! 2600 Bulletin Board is Implicated in Raid on Jersey Hackers On July 12, 1985, law enforcement officials seized the Private Sector BBS, the official computer bulletin board of 2600 magazine, for "complicity in computer theft," under the newly passed, and yet untested, New Jersey Statute 2C:20-25. Police had uncovered in April a credit carding ring operated around a Middlesex County electronic bulletin board, and from there investigated other North Jersey bulletin boards. Not understanding subject matter of the Private Sector BBS, police assumed that the sysop was involved in illegal activities. Six other computers were also seized in this investigation, including those of Store Manager [perhaps they mean Swap Shop Manager? - Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure Chest BBS. Immediately after this action, members of 2600 contacted the media, who were completely unaware of any of the raids. They began to bombard the Middlesex County Prosecutor's Office with questions and a press conference was announced for July 16. The system operator of the Private Sector BBS attempted to attend along with reporters from 2600. They were effectively thrown off the premises. Threats were made to charge them with trespassing and other crimes. An officer who had at first received them civilly was threatened with the loss of his job if he didn't get them removed promptly. Then the car was chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that he presence of some technically literate reporters would ruin the effect of his press release on the public. As it happens, he didn't need our help. The next day the details of the press conference were reported to the public by the press. As Rockoff intended, paranoia about hackers ran rampant. Headlines got as ridiculous as hackers ordering tank parts by telephone from TRW and moving satellites with their home computers in order to make free phone calls. These and even more exotic stories were reported by otherwise respectable media sources. The news conference understandably made the front page of most of the major newspapers in the US, and was a major news item as far away as Australia and in the United Kingdom due to the sensationalism of the claims. We will try to explain why these claims may have been made in this issue. On July 18 the operator of The Private Sector was formally charged with"computer conspiracy" under the above law, and released in the custody of his parents. The next day the American Civil Liberties Union took over his defense. The ACLU commented that it would be very hard for Rockoff to prove a conspiracy just "because the same information, construed by the prosecutor to be illegal, appears on two bulletin boards." especially as Rockoff admitted that "he did not believe any of the defendants knew each other." The ACLU believes that the system operator's rights were violated, as he was assumed to Page 89 The Official Phreaker's Manual be involved in an illegal activity just because of other people under investigation who happened to have posted messages on his board. In another statement which seems to confirm Rockoff's belief in guilt by association, he announced the next day that "630 people were being investigated to determine if any used their computer equipment fraudulently." We believe this is only the user list of the NJ Hack Shack, so the actual list of those to be investigated may turn out to be almost 5 times that. The sheer overwhelming difficulty of this task may kill this investigation, especially as they find that many hackers simply leave false information. Computer hobbyists all across the country have already been called by the Bound Brook, New Jersey office of the FBI. They reported that the FBI agents used scare tactics in order to force confessions or to provoke them into turning in others. We would like to remind those who get called that there is nothing inherently wrong or illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI would not comment on the case as it is an "ongoing investigation" and in the hands of the local prosecutor. They will soon find that many on the Private Sector BBS's user list are data processing managers, telecommunications security people, and others who are interested in the subject of the BBS, hardly the underground community of computer criminals depicted at the news conference. The Private Sector BBS was a completely open BBS, and police and security people were even invited on in order to participate. The BBS was far from the "elite" type of underground telecom boards that Rockoff attempted to portray. Within two days, Rockoff took back almost all of the statements he had made at the news conference, as AT&T and the DoD [Department of Defense - Shark] discounted the claims he had made. He was understandably unable to find real proof of Private Sector's alleged illegal activity, and was faced with having to return the computer equipment with nothing to show for his effort. Rockoff panicked, and on July 31, the system operator had a new charge against him, "wiring up his computer as a blue box." Apparently this was referring to his Novation Applecat modem which is capable of generating any hertz tone over the phone line. By this stretch of imagination an Applecat could produce a 2600 hertz tone as well as the MF which is necessary for "blue boxing." However, each and every other owner of an Applecat or any other modem that can generate its own tones therefore has also "wired up his computer as a blue box" by merely installing the modem. This charge is so ridiculous that Rockoff probably will never bother to press it. However, the wording of WIRING UP THE COMPUTER gives rockoff an excuse to continue to hold onto the computer longer in his futile search for illegal activity. "We have requested that the prosecutors give us more specific information," said Arthur Miller, the lawyer for The Private Sector. "The charges are so vague that we can't really present a case at this point." Miller will appear in court on August 16 to obtain this information. He is also issuing a demand for the return of the equipment and, if the prosecutors don't cooperate, will commence court proceedings against them. "They haven't been particularly cooperative," he said. Rockoff probably will soon reconsider taking Private Sector's case to court, as he will have to admit he just didn't know what he was doing when he seized the BBS. The arrest warrant listed only "computer conspiracy" against Private Sector, which is much more difficult to prosecute than the multitude of charges against some of the other defendants, which include credit card fraud, toll fraud, the unauthorized entry into computers, and numerous others. Both Rockoff and the ACLU mentioned the Supreme Court in their press Page 90 The Official Phreaker's Manual releases, but he will assuredly take one of his stronger cases to test the new New Jersey computer crime law. by seizing the BBS just because of supposed activities discussed on it, Rockoff raises constitutional questions. Darrell Paster, a lawyer who centers much of his work on computer crime, says the New Jersey case is "just another example of local law enforcement getting on the bandwagon of crime that has come into vogue to prosecute, and they have proceeded with very little technical understanding, and in the process they have abused many people's constitutional rights. What we have developing is a mini witch hunt which is analogous to some of the arrests at day care centers, where they sweep in and arrest everybody, ruin reputations, and then find that there is only one or two guilty parties." We feel that law enforcement, not understanding the information on the BBS, decided to strike first and ask questions later. 2600 magazine and the sysops of the Private Sector BBS stand fully behind the system operator. As soon as the equipment is returned, the BBS will go back up. We ask all our readers to do their utmost to support us in our efforts, and to educate as many of the public as possible that a hacker is not a computer criminal. We are all convinced of our sysop's innocence, and await Rockoff's dropping of the charges. NOTE: Readers will notice that our reporting of the events are quite different than those presented in the media and by the Middlesex County Prosecutor. We can only remind you that we are much closer to the events at hand than the media is, and that we are much more technologically literate than the Middlesex County Prosecutor's Office. The Middlesex County Prosecutor has already taken back many of his statements, after the contentions were disproven by AT&T and the DoD. One problem is that the media and the police tend to treat the seven cases as one case, thus the charges against and activities of some of the hackers has been extended to all of the charged. We at 2600 can only speak about the case of Private Sector. Page 91 The Official Phreaker's Manual Chapter 4 By now I assume that the reader has a fair idea of what phreaking is, and know a little bit about how to go about it. From now on, I will assume that the reader has read all the material before this or understands all the material covered. Now we will take a journey into the "Basics of Telecommunications" and learn a little about how everything works, and is related to everything else. This series of articles is extremely good and should be read by all levels of phreaks. As we go further into the advanced world of phreaking, we come closer to the edge of technology. As we approach it, everything seems to become larger and more complicated. We notice that many things that were possible aren't anymore. Blue boxing is starting to become the only method of exploration as Equal Access looms nearer and nearer. As it stands now, equal access is here, and many LD services such as Sprint and MCI will be tougher to hack. Extenders will become more used and abused, which will cause them to get access codes miles long... Blue boxing becomes harder as all Bell switching and transmission facilities go under to CCIS. Then to further complicate things, digital microwave, fiber optic, and satellite transmission are all coming to be digital and do not recognize 2600hz for the hang up signal. I predict that around 1990, blue boxes will be obsolete from all major cities. A new type of box will have to be invented, or you'll have to get two fone line to phreak with, on to place the actual call and the other to tap into a COSMOS computer to change the status of the call from toll to toll-free, ie. 800#. Well somethings will change for the better, with ISDN you'll get 144k bps lines and some other neat stuff. Page 92 The Official Phreaker's Manual ************* << BIOC AGENT 003'S COURSE IN >> ************* * * * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * * BASIC TELECOMMUNICATIONS * * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * * PART II * * * ************************************************************ PREFACE: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. CN/A: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED #'S. HERE'S HOW IT WORKS: 1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. 2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE NPA IS 914 AND THE CN/A# IS 518-471-8111. 3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, "HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP YOUR OWN REAL SOUNDING NAME, THOUGH. 4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. HERE'S THE LIST: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> NPA CN/A # NPA CN/A # --- ------------ --- ------------ 201 201-676-7070 517 313-232-8690 202 202-384-9620 518 518-471-8111 203 203-789-6800 519 416-487-3641 204 ****N/A***** 601 601-961-0877 205 205-988-7000 602 303-232-2300 206 206-382-8000 603 617-787-2750 207 617-787-2750 604 604-432-2996 208 303-232-2300 605 402-345-0600 209 415-546-1341 606 502-583-2861 212 518-471-8111 607 518-471-8111 213 213-501-4144 608 414-424-5690 214 214-948-5731 609 201-676-7070 215 412-633-5600 612 402-345-0600 216 614-464-2345 613 416-487-3641 217 217-525-7000 614 614-464-2345 218 402-345-0600 615 615-373-5791 Page 93 The Official Phreaker's Manual 219 317-265-7027 616 313-223-8690 301 301-534-11?? 617 617-787-2750 302 412-633-5600 618 217-525-7000 303 303-232-2300 701 402-345-0600 304 304-344-8041 702 415-546-1341 305 912-784-9111 703 804-747-1411 306 ****N/A***** 704 912-784-9111 307 303-232-2300 705 416-487-3641 308 402-345-0600 707 415-546-1341 309 217-525-7000 709 ****N/A***** 312 312-769-9600 712 402-345-0600 313 313-223-8690 713 713-658-1793 314 314-436-3321 714 213-995-0221 315 518-471-8111 715 414-424-5690 316 816-275-2782 716 518-471-8111 317 317-265-7027 717 412-633-5600 318 318-227-1551 801 303-232-2300 319 402-345-0600 802 617-787-2750 401 617-787-2750 803 912-784-9111 402 402-345-0600 804 804-747-1411 403 403-425-2652 805 415-546-1341 404 912-784-9111 806 512-828-2502 405 405-236-6121 807 416-487-3641 406 303-232-2300 808 212-226-5487 408 415-546-1341 BERMUDA ONLY 412 412-633-5600 809 212-334-4336 413 617-787-2750 812 317-265-7027 414 414-424-5690 813 813-228-7871 415 415-546-1132 814 412-633-5600 416 416-487-3641 815 217-525-7000 417 314-436-3321 816 816-275-2782 418 514-861-6391 817 214-948-5731 419 614-464-2345 819 514-861-6391 501 405-236-6121 901 615-373-5791 502 502-583-2861 902 902-421-4110 503 503-241-3440 903 ****N/A***** 504 504-245-5330 904 912-784-9111 505 303-232-2300 906 313-223-8690 506 506-657-3855 907 ****N/A***** 507 402-345-0600 912 912-784-9111 509 206-382-8000 913 816-275-2782 512 512-828-2501 914 518-471-8111 513 614-464-2345 915 512-828-2501 514 514-861-6391 916 415-546-1341 515 402-345-0600 918 405-236-6121 516 518-471-8111 919 912-784-9111 <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS HE NEVER CALLED. NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY 5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT ORIGINALLY APPEARED IN TAP ISSUE #78. AT&T NEWSLINES: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST Page 94 The Official Phreaker's Manual INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 201-483-3800 NJ 513-421-9060 OH 203-771-4920 CT 516-234-9914 NY 212-393-2151 NY 518-471-2272 NY 213-621-4141 CA 617-955-1111 MA 213-829-0111 CA (GTE) 702-789-6711 NV 213-449-8830 CA 713-224-6116 TX 312-368-8000 IL 714-238-1111 CA 313-223-7223 MI 717-255-5555 PA 314-247-5511 MO 717-787-1031 PA 408-493-5000 CA 802-955-1111 VE 412-633-3333 PA 808-533-4426 HI 414-678-3511 WI 813-223-5666 FL 416-929-4323 ONT. 914-948-8100 NY 503-228-6271 OR 916-480-8000 CA LOOPS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) 332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO TALK!!!" ********** AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 #'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP Page 95 The Official Phreaker's Manual THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE DISCUSSED SHORTLY). BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP FORMAT: MANHATTAN & BRONX-------NNX-9977/9979 BROOKLYN & QUEENS-------NNX-9900/9906 NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO STATIONS: 212-220-9900/9906 212-283-9977/9979 212-352-9900/9906 212-365-9977/9979 212-529-9900/9906 212-562-9977/9979 212-982-9977/9979 212-986-9977/9979 THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL OTHER LOOPS ARE BUSY. 99XX SCANNING: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR EXCHANGE AND YOU MAY BECOME LUCKY! HERE ARE MY FINDINGS IN THE 914-268: 9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) 9936 - VOICE # TO THE TELCO CO 9937 - VOICE # TO THE TELCO CO 9941 - CARRIER 9960 - OSC. TONE (TONE SIDE LOOP) 9963 - TONE (STOPS: MUTED) 9966 - CARRIER 9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS Page 96 The Official Phreaker's Manual MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN THE EXCHANGE AND THE TELCO OPERATING COMPANY. WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES WHEN YOU FIND ONE: 1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE BUT THE FUCKING CLICK IS SUPER ANNOYING. 2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. 3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY AGAIN IN A MONTH OR SO) 4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE SWITCH", IE, TURN OFF THE LOOP. SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. 268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 (DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S DON'T SUPE EITHER. IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP LINES (AS MENTIONED ABOVE). IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE BELOW: NPA-NNX-99XX SCAN <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> _________________________________________________________ | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | |_______|____|____|____|____|____|____|____|____|____|____| | 990 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 991 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 992 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 993 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 994 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 995 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 996 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| Page 97 The Official Phreaker's Manual | 997 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 998 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| | 999 | | | | | | | | | | | |_______|____|____|____|____|____|____|____|____|____|____| <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN THEM. FOR EXAMPLE: B - BUSY (TRY AGAIN AT ANOTHER TIME) R - RINGS (TRY AGAIN AT ANOTHER TIME) O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) T - TONE ] TONE AT A LOWER # + IGNORE I - IGNORE ] AT A HIGHER # = LOOP V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. C - CARRIER THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN UNDERSTAND. NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) 634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" NEXT TO EACH OTHER FOR A LOOP. SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE #'S! ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR EXAMPLE: "(713) 324-1799/1499" IS A LOOP. THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: 1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! 2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & 9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. 3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS Page 98 The Official Phreaker's Manual MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. ANI <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT WILL TELL YOU WHAT # YOU ARE CALLING FROM. THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM AREA TO AREA. HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: 890-751-5191 202-222-2222 1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE TO DIAL 1-990-1111) TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE NEXT PART), TRY 1-9XX-1111. ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR NEIGHBOR WHO WORKS FOR THE FONE COMPANY. RING BACK <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL RING. IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP FOR THE FIRST TIME (IE, AT THE FIRST TONE). OTHER RINGBACK #'S THAT I HAVE SEEN ARE: 26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. 890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. 119911/11911/1199911 - GTE NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY Page 99 The Official Phreaker's Manual SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD THEN RINGBACK. TOUCH-TONE TEST: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP TWICE. I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 COMING SOON: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE NETWORK. BREAK UP OF BELL: <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD "FONE NETWORK" FOR BELL SYSTEM. AU REVOIR, *****BIOC *=$=*AGENT *****003 DECEMBER 8, 1983 ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, & MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN DISTRIBUTING THIS TUTORIAL. Page 100  Downloaded From P-80 International Information Systems 304-744-2253