150.txt

1000 HOWTOs for various needs [WINDOWS]

some technical journal publish the actual frequencies used to create all their
multi-frequency tones.  Just a theoretical article some Bell Telephone
Laboratories engineer was doing about switching theory, and he listed the tones
in passing.  At ----- (a well-known technical school) I had been fooling around
with phones for several years before I came across a copy of the journal in the
engineering library.  I ran back to the lab and it took maybe twelve hours from
the time I saw that article to put together the first working blue box.  It was
bigger and clumsier than this little baby, but it worked."

It's all there on public record in that technical journal written mainly by
Bell Lab people for other telephone engineers.  Or at least it was public.
"Just try and get a copy of that issue at some engineering-school library now.
Bell has had them all red-tagged and withdrawn from circulation," Gilbertson
tells me.

"But it's too late.  It's all public now.  And once they became public the
technology needed to create your own beeper device is within the range of any
twelve-year-old kid, any twelve-year-old blind kid as a matter of fact.  And he
can do it in less than the twelve hours it took us.  Blind kids do it all the
time.  They can't build anything as precise and compact as my beeper box, but
theirs can do anything mine can do."

"How?"

"Okay.  About twenty years ago A.T.&T. made a multi-billion-dollar decision to
operate its entire long-distance switching system on twelve electronically
generated combinations of twelve master tones. Those are the tones you
sometimes hear in the background after you've dialed a long-distance number.
They decided to use some very simple tones -- the tone for each number is just
two fixed single-frequency tones played simultaneously to create a certain beat
frequency.  Like 1300 cycles per second and 900 cycles per second played
together give you the tone for digit 5.  Now, what some of these phone phreaks
have done is get themselves access to an electric organ.  Any cheap family
home-entertainment organ.  Since the frequencies are public knowledge now --
one blind phone phreak has even had them recorded in one of the talking books
for the blind -- they just have to find the musical notes on the organ which
correspond to the phone tones.  Then they tape them.  For instance, to get Ma
Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and
700 cycles per second) at the same time.  To produce the tone for 2 it's F~5
and C~6 (1100 and 700 c.p.s).  The phone phreaks circulate the whole list of
notes so there's no trial and error anymore."

He shows me a list of the rest of the phone numbers and the two electric organ
keys that produce them.

"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed
and double it to 7 1/2 inches-per-second when you play them back, to get the
proper tones," he adds.

"So once you have all the tones recorded, how do you plug them into the phone
system?"

"Well, they take their organ and their cassette recorder, and start banging out
entire phone numbers in tones on the organ, including country codes, routing
instructions, 'KP' and 'Start' tones.  Or, if they don't have an organ, someone
in the phone-phreak network sends them a cassette with all the tones recorded,
with a voice saying 'Number one,' then you have the tone, 'Number two,' then
the tone and so on.  So with two cassette recorders they can put together a
series of phone numbers by switching back and forth from number to number. Any
idiot in the country with a cheap cassette recorder can make all the free calls
he wants."

"You mean you just hold the cassette recorder up the mouthpiece and switch in a
series of beeps you've recorded?  The phone thinks that anything that makes
these tones must be its own equipment?"

"Right.  As long as you get the frequency within thirty cycles per second of
the phone company's tones, the phone equipment thinks it hears its own voice
talking to it.  The original granddaddy phone phreak was this blind kid with
perfect pitch, Joe Engressia, who used to whistle into the phone.  An operator
could tell the difference between his whistle and the phone company's
electronic tone generator, but the phone company's switching circuit can't tell
them apart.  The bigger the phone company gets and the further away from human
operators it gets, the more vulnerable it becomes to all sorts of phone
phreaking."

A Guide for the Perplexed

"But wait a minute," I stop Gilbertson.  "If everything you do sounds like
phone-company equipment, why doesn't the phone company charge you for the call
the way it charges its own equipment?"

"Okay.  That's where the 2600-cycle tone comes in.  I better start from the
beginning."

The beginning he describes for me is a vision of the phone system of the
continent as thousands of webs, of long-line trunks radiating from each of the
hundreds of toll switching offices to the other toll switching offices.  Each
toll switching office is a hive compacted of thousands of long-distance tandems
constantly whistling and beeping to tandems in far-off toll switching offices.

The tandem is the key to the whole system.  Each tandem is a line with some
relays with the capability of signalling any other tandem in any other toll
switching office on the continent, either directly one-to-one or by programming
a roundabout route through several other tandems if all the direct routes are
busy.  For instance, if you want to call from New York to Los Angeles and
traffic is heavy on all direct trunks between the two cities, your tandem in
New York is programmed to try the next best route, which may send you down to a
tandem in New Orleans, then up to San Francisco, or down to a New Orleans
tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up
to Los Angeles.

When a tandem is not being used, when it's sitting there waiting for someone to
make a long-distance call, it whistles.  One side of the tandem, the side
"facing" your home phone, whistles at 2600 cycles per second toward all the
home phones serviced by the exchange, telling them it is at their service,
should they be interested in making a long-distance call.  The other side of
the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines,
telling the rest of the phone system that it is neither sending nor receiving a
call through that trunk at the moment, that it has no use for that trunk at the
moment.

"When you dial a long-distance number the first thing that happens is that you
are hooked into a tandem.  A register comes up to the side of the tandem facing
away from you and presents that side with the number you dialed.  This sending
side of the tandem stops whistling 2600 into its trunk line.  When a tandem
stops the 2600 tone it has been sending through a trunk, the trunk is said to
be "seized," and is now ready to carry the number you have dialed -- converted
into multi-frequency beep tones -- to a tandem in the area code and central
office you want.

Now when a blue-box operator wants to make a call from New Orleans to New York
he starts by dialing the 800 number of a company which might happen to have its
headquarters in Los Angeles.  The sending side of the New Orleans tandem stops
sending 2600 out over the trunk to the central office in Los Angeles, thereby
seizing the trunk.  Your New Orleans tandem begins sending beep tones to a
tandem it has discovered idly whistling 2600 cycles in Los Angeles.  The
receiving end of that L.A. tandem is seized, stops whistling 2600, listens to
the beep tones which tell it which L.A. phone to ring, and starts ringing the
800 number.  Meanwhile a mark made in the New Orleans office accounting tape
notes that a call from your New Orleans phone to the 800 number in L.A. has
been initiated and gives the call a code number. Everything is routine so far.

But then the phone phreak presses his blue box to the mouthpiece and pushes the
2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A.
tandem.  The L.A. tandem notices 2600 cycles are coming over the line again and
assumes that New Orleans has hung up because the trunk is whistling as if idle.
The L.A. tandem immediately ceases ringing the L.A. 800 number.  But as soon as
the phreak takes his finger off the 2600 button, the L.A. tandem assumes the
trunk is once again being used because the 2600 is gone, so it listens for a
new series of digit tones - to find out where it must send the call.

Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A.
which is waiting like an obedient genie to be told what to do next.  The
blue-box owner then beeps out the ten digits of the New York number which tell
the L.A. tandem to relay a call to New York City.  Which it promptly does.  As
soon as your party picks up the phone in New York, the side of the New Orleans
tandem facing you stops sending 2600 cycles to you and stars carrying his voice
to you by way of the L.A. tandem.  A notation is made on the accounting tape
that the connection has been made on the 800 call which had been initiated and
noted earlier.  When you stop talking to New York a notation is made that the
800 call has ended.

At three the next morning, when the phone company's accounting computer starts
reading back over the master accounting tape for the past day, it records that
a call of a certain length of time was made from your New Orleans home to an
L.A. 800 number and, of course, the accounting computer has been trained to
ignore those toll-free 800 calls when compiling your monthly bill.

"All they can prove is that you made an 800 toll-free call," Gilbertson the
inventor concludes.  "Of course, if you're foolish enough to talk for two hours
on an 800 call, and they've installed one of their special anti-fraud computer
programs to watch out for such things, they may spot you and ask why you took
two hours talking to Army Recruiting's 800 number when you're 4-F.

But if you do it from a pay phone, they may discover something peculiar the
next day -- if they've got a blue-box hunting program in their computer -- but
you'll be a long time gone from the pay phone by then.  Using a pay phone is
almost guaranteed safe."

"What about the recent series of blue-box arrests all across the country -- New
York, Cleveland, and so on?" I asked.  "How were they caught so easily?"

"From what I can tell, they made one big mistake: they were seizing trunks
using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to
detect because when you send multi-frequency beep tones of 555 you get a charge
for it on your tape and the accounting computer knows there's something wrong
when it tries to bill you for a two-hour call to Akron, Ohio, information, and
it drops a trouble card which goes right into the hands of the security agent
if they're looking for blue-box user.

"Whoever sold those guys their blue boxes didn't tell them how to use them
properly, which is fairly irresponsible.  And they were fairly stupid to use
them at home all the time.

"But what those arrests really mean is than an awful lot of blue boxes are
flooding into the country and that people are finding them so easy to make that
they know how to make them before they know how to use them.  Ma Bell is in
trouble."

And if a blue-box operator or a cassette-recorder phone phreak sticks to pay
phones and 800 numbers, the phone company can't stop them?

"Not unless they change their entire nationwide long-lines technology, which
will take them a few billion dollars and twenty years.  Right now they can't do
a thing.  They're screwed."

Captain Crunch Demonstrates His Famous Unit

There is an underground telephone network in this country.  Gilbertson
discovered it the very day news of his activities hit the papers. That evening
his phone began ringing.  Phone phreaks from Seattle, from Florida, from New
York, from San Jose, and from Los Angeles began calling him and telling him
about the phone-phreak network.  He'd get a call from a phone phreak who'd say
nothing but, "Hang up and call this number."

When he dialed the number he'd find himself tied into a conference of a dozen
phone phreaks arranged through a quirky switching station in British Columbia.
They identified themselves as phone phreaks, they demonstrated their homemade
blue boxes which they called "M-Fers" (for "multi-frequency," among other
things) for him, they talked shop about phone-phreak devices.  They let him in
on their secrets on the theory that if the phone company was after him he must
be trustworthy.  And, Gilbertson recalls, they stunned him with their technical
sophistication.

I ask him how to get in touch with the phone-phreak network.  He digs around
through a file of old schematics and comes up with about a dozen numbers in
three widely separated area codes.

"Those are the centers," he tells me.  Alongside some of the numbers he writes