[Phile 1.1]
*================================*
[#                              #]
[#  THE PHREAKER'S HANDBOOK #1  #]
[#                              #]
*================================*
**** An Official Phortune 500 Product ****
----------------------------------------------
a useful source for the phreaker covering both
the basics and advances of phreaking
----------------------------------------------
GENERAL NOTE
------------
The purpose of this newsletter is purely educational. It has
been released in order to teach and advance the knowledge of
today's declining phreaks. However, the author does not take
any responsibility over the misuse of the herein contained
information, and the newsletter itself does not encourage or
support the above type of activity. Also, any wrong or old
information in this document is not the responsibility of
the author, and the reader accepts any consequences due to
information that may be mistaken in this manner.
NOTE TO ABUSERS
---------------
All information contained within this document was intended
towards educational purposes. Any misuse or illegal use of
the information contained in this document is strictly at
the misuser's risk. The author assumes NO responsibility
for the reader's actions following the release of this document
(in other words, you're on your own if you get nailed!)
TPH Issue #1, Volume 1 Release Date::July 3, 1989
WRITTEN BY::DOCTOR DISSECTOR
[Phile 1.2]
TPH #1 Table Of Contents:
=========================
Title Page & Disclaimer Notes............................. 1.1
Table Of Contents & Introduction.......................... 1.2
The Phreak's Vitals....................................... 1.3
    True Definition Of The Phreaker
    The Phone Phreak's Ten Commandments
The Phreaker's Glossary................................... 1.4
Other Fone Information.................................... 1.5
    Voltages & Technical Stuff
    Scanning Phun Fone Stuff
References & Suggested Reading............................ 1.6
Introduction To TPH #1
======================
This phile was written for beginning phreaks as well as those uninformed
"advanced" phreaks who need something as a reference when reading or
writing philes concerning phreaking or fone phraud. Of course, you could be
a beginning phreak and use this phile to B.S. your way into a big group by
acting like you know a lot, or something, but that is up to you. Anyway, I
compiled this listing phrom various sources, the majority of which are
listed as references at the end of this phile.
This phile's only goal is to educate and inform. Any illegal or
fraudulent activity is neither encouraged nor supported by the author of
this phile, nor by the majority of the >TRUE< phreaking community. The
author assumes NO responsibility for the actions of the reader.
Also, I know that some of the stuff covered in this release of TPH
will be old and outdated; however, I will try to clean that up by the next
release of TPH, and will notify you, the reader, of the changes due to
these revisions.
[Phile 1.3]
The Phreak's Vitals:
====================
True Definition Of The Phreaker
-------------------------------
"Many people think of phone phreaks as slime, out to rip off Bell for
all she is worth. Nothing could be further from the truth! Granted, there
are some who get their kicks by making free calls; however, they are not
true phone phreaks. Real phone phreaks are 'telecommunications hobbyists'
who experiment, play with, and learn from the phone system. Occasionally,
this experimenting and a need to communicate with other phreaks, without
going broke, leads to free calls. The free calls are but a small subset of
a >TRUE< phone phreak's activities."
- Wise Words Of The Magician
The Phone Phreak's Ten Commandments
-----------------------------------
I. Box thou not over thine home telephone wires, for those who doest
will surely bring the wrath of the Chief Special Agent down upon thy head.
II. Speakest thou not of important matters over thine home telephone
wires, for to do so is to risk thine right of freedom.
III. Use not thine own name when speaking to other phreaks, for that
every third phreak is an FBI agent is well known.
IV. Let not overly many people know that thy be a phreak, as to do so
is to use thine own self as a sacrificial lamb.
V. If thou be in school, strive to get thine self good grades, for the
authorities well know that scholars never break the law.
VI. If thou workest, try to be an employee and impressest thine boss
with thine enthusiasm, for important employees are often saved by their own
bosses.
VII. Storest thou not thine stolen goodes in thine own home, for those
who do are surely non-believers in the Bell System Security Forces, and are
not long for this world.
VIII. Attractest thou not the attention of the authorities, as the
less noticeable thou art, the better.
IX. Makest sure thine friends are instant amnesiacs and willst not
remember thou hast called illegally, for their cooperation with the
authorities willst surely lessen thine time for freedom on this earth.
X. Supportest thou TAP, as it is thine newsletter, and without it, thy
work would be far more limited.
[Phile 1.4]
The Phreaker's Glossary
=======================
1XB - No.1 Crossbar system. See XBAR for more information.
2600 - A hack/phreak oriented newsletter that periodically was
released and still is being released. See Phile 1.6 for more information on
the magazine and ordering.
4XB - No.4 Crossbar system. See XBAR for more information.
5XB - No.5 Crossbar system. The primary end office switch of Bell
since the 60's and still in wide use. See XBAR for more detail.
700 Services - These services are reserved as an advanced forwarding
system, where the forwarding is advanced to a user-programed location which
could be changed by the user.
800 Exceptional Calling Report - System set up by ESS that will log
any caller that excessively dials 800 numbers or directory assistance. See
ESS for more information.
800 Services - Also known as WATS. These services often contain WATS
extenders which, when used with a code, may be used to call LD. Many LD
companies use these services because they are toll-free to customers. Most
800 extenders are considered dangerous because most have the ability to
trace.
900 Services - Numbers in the 900 SAC usually are used as special
services, such as TV polls and such. These usually are $.50 for the first
minute and $.35 for each additional minute. Dial (900)555-1212 to find out
what the 900 services currently have to offer.
950 - A nationwide access exchange in most areas. Many LD companies
have extenders located somewhere on this exchange; however, all services on
this exchange are considered dangerous due to the fact that they ALL have
the ability to trace. Most 950 services have crystal clear connections.
ACCS - Automated Calling Card Service. The typical method of placing a
calling card call: you dial 0+NPA+Nxx+xxxx and then input the calling card
via touch tones. This would not be possible without ACTS.
ACD - Automatic Call Distributor.
ACD Testing Mode - Automatic Call Distributor Test Mode. This level of
phreaking can be obtained by pressing the "D" key down after calling DA.
This can only be done in areas that have the ACD. The ACD Testing Mode is
characterized by a pulsing dial tone. From here, you can get one side of a
loop by dialing 6, the other side is 7. You may also be able to REMOB a
line. All possibilities of the ACD Test have not been experimented with.
See silver box for more details.
ACTS - Automated Coin Toll Service. This is a computer system that
automates phortress fone service by listening for red box tones and takes
appropriate action. It is this service that is commonly heard saying, "Two
dollars please. Please deposit two dollars for the next three minutes."
Also, if you talk for more than three minutes and then hang up, ACTS will
call back and demand your money. ACTS is also responsible for ACCS.
Alliance - A teleconferencing system that is apart from AT&T which
allows the general public to access and use its conferencing equipment. The
equipment allows group conversations with members participating from
throughout the United States. The fone number to Alliance generally follows
the format of 0-700-456-x00x depending on the location the call originates
from, and is not directly accessible from all cities/states.
AMA - Automated Message Accounting. Similar to the CAMA system; see
CAMA for more info.
analog - As used for a word or data transmission, a continuously
varying electrical signal in the shape of a wave.
ANI - Automatic Number Identification - This is the system you can
call, usually a three digit number or one in the 99xx's of your exchange,
and have the originating number you are calling from read to you by a
computer. This is useful if you don't know the number you are calling from,
for finding diverters, and when you are playing around with other fone
equipment like cans or beige boxes. The ANI system is often incorporated
into other fone companies such as Sprint and MCI in order to trace those
big bad phreaks that abuze codez.
ANIF - Automatic Number Identification Failure. When the ANI system of
a particular office fails.
APF - All PINs Fail. This is a security measure which is designed to
frustrate attempts at discovering valid PINs by a hacking method.
aqua box - A box designed to drain the voltage of the FBI
lock-in-trace/trap-trace so you can hang up your fone in an emergency and
phrustrate the Pheds some more. The apparatus is simple, just connect the
two middle wires of a phone wire and plug, which would be the red and green
wires if in the jack, to the cord of some electrical appliance; ie, light
bulb or radio. KEEP THE APPLIANCE OFF. Then, get one of those line
splitters that will let you hook two phone plugs into one jack. Plug the
end of the modified cord into one jack and your fone into the other. THE
APPLIANCE MUST BE OFF! Then, when the Pheds turn their lame tracer on and
you find that you can't hang up, remove your fone from the jack and turn
the appliance ON and keep it ON until you feel safe; it may be awhile. Then
turn it off, plug your fone back in, and start phreaking again. Invented
by: Captain Xerox and The Traveler.
BAUDOT - 45.5 baud. Also known as the Apple Cat Can.
BEF - Band Elimination Filter. A muting system that will mute the 2600
Hz tone which signals hang-up when you hang up.
beige box - An apparatus that is a home-made lineman's handset. It is
a regular fone that has clips where the red and green wires normally
connect to in a fone jack. These clips will attach to the rings and tips
found in many of MA's output devices. These are highly portable and VERY
useful when messing around with cans and other output devices the fone
company has around. Invented by: The Exterminator and The Terminal Man.
BITNET - Nationwide system for colleges and schools which accesses a
large base of education-oriented information. Access ports are always via
mainframe.
bit stream - Refers to a continuous series of bits, binary digits,
being transmitted on a transmission line.
black box - The infamous box that allows the calling party to not be
billed for the call placed. We won't go in depth right now, most plans can
be found on many phreak oriented BBS's. The telco can detect black boxes if
they suspect one on the line. Also, these will not work under ESS.
bleeper boxes - The United Kingdom's own version of the blue box,
modified to work with the UK's fone system. Based on the same principles.
However, they use two sets of frequencies, forward and backward.
Blotto box - This box supposedly shorts every fone out in the
immediate area, and I don't doubt it. It should kill every fone in the
immediate area, until the voltage reaches the fone company, and the fone
company filters it. I won't cover this one in this issue, cuz it is
dangerous, and phreaks shouldn't destroy MA's equipment, just phuck it up.
Look for this on your phavorite BBS or ask your phavorite phreak for info
if you really are serious about seriously phucking some fones in some area.
blue box - An old piece of equipment that emulated a true operator
placing calls, and operators get calls for free. The blue box seizes an
open trunk by blasting a 2600 Hz tone through the line after dialing a
party that is local or in the 800 NPA so calls will be local or free for
the blue boxer. Then, when the blue boxer has seized a trunk, the boxer may
then, within the next 10-15 seconds, dial another fone number via MF tones.
These MF tones must be preceded by a KP tone and followed with a ST tone.
All of these tones are standardized by Bell. The tones as well as the
inter-digit intervals are around 75ms. It may vary with the equipment used since
ESS can handle higher speeds and doesn't need inter-digit intervals. There
are many uses to a blue box, and we will not cover any more here. See your
local phreak or phreak oriented BBS for in depth info concerning blue boxes
and blue boxing. Incidentally, blue boxes are not considered safe anymore
because ESS detects "foreign" tones, such as the 2600 Hz tone, but this
detection may be delayed by mixing pink noise of above 3000 Hz with the
2600 Hz tone. To hang up, the 2600 Hz tone is played again. Also, all blue
boxes are green boxes because MF "2" corresponds to the Coin Collect tone
on the green box, and the "KP" tone corresponds to the Coin Return tone on
the green box. See green box for more information. Blue boxing is
IMPOSSIBLE under the new CCIS system slowly being integrated into the Bell
system.
blue box tones - The MF tones generated by the blue box in order to
place calls, emulating a true operator. These dual tones must be entered
during the 10-15 second period after you have seized a trunk with the 2600
Hz tone.
Hz    :  900 : 1100 : 1300 : 1500 : 1700
 700  :   1  :   2  :   4  :   7  :  11
 900  :  **  :   3  :   5  :   8  :  12
1100  :  **  :  **  :   6  :   9  :  KP
1300  :  **  :  **  :  **  :  10  : KP2
1500  :  **  :  **  :  **  :  **  :  ST

KP= Key Pulse   ST= STop   KP2= Key Pulse 2   **= None
75ms pulse/pause
Parallel Frequencies (green box tones): 2= Coin Collect, KP= Coin Return
BLV - Busy Line Verification. Allows a TSPS operator to process a
customer's request for a confirmation of a repeatedly busy line. This
service is used in conjunction with emergency break-ins.
BNS - Billed Number Screening.
break period - Time when the circuit during pulse dialing is left
open. In the US, this period is 40ms; foreign nations may use 33ms break
periods.
break ratio - The intervals at which pulse dialing breaks and makes the loop
when dialing. The US standard is 10 pulses per second. When the circuit is
opened, it is called the break interval. When the circuit is closed, it is
called the make interval. In the US, there is a 60ms make period and a 40ms
break period. This is often referred to as a 60% make interval. Many
foreign nations have a 67% make interval.
bridge - I don't really understand this one, but these are important
phreak toys. I'll cover them more in the next issue of TPH.
British Post Office - The United Kingdom's equivalent to Ma Bell.
busy box - Box that will cause the fone to be busy, without taking it
OFF-HOOK. Just get a piece of fone wire with a plug on the end, cut it off
so there is a plug and about two inches of fone line. Then, strip the wire
so the two middle wires, the tip and the ring, are exposed. Then, wrap the
ring and the tip together, tape with electrical tape, and plug into the
fone jack. The fone will be busy until the box is removed.
cans - Cans are those big silver boxes on top of or around the
telephone poles. When opened, the lines can be manipulated with a beige box
or whatever phun you have in mind.
calling card - Another form of the LD service used by many major LD
companies that is composed of the customer's fone number and a PIN number.
The most important things to know when questioned about calling cards are
the area code and the city where the calling card customer originated from.
CAMA - Centralized Automatic Message Accounting. System that records
the numbers called by fones and other LD systems. The recording can be used
as evidence in court.
CC - Calling Card.
CC - Credit Card.
CCIS - Common Channel Inter-office Signaling. New method being
incorporated under Bell that will send all the signaling information over
separate data lines. Blue boxing is IMPOSSIBLE under this system.
CCITT - The initials of the name in French of the International
Telegraph and Telephone Consultative Committee. At CCITT representatives of
telecommunications authorities, operators of public networks and other
interested bodies meet to agree on standards needed for international
intermarrying of telecommunications services.
CCS - Calling Card Service.
CCSS - Common Channel Signalling System. A system whereby all
signalling for a number of voice paths are carried over one common channel,
instead of within each individual channel.
CDA - Coin Detection and Announcement.
CF - Coin First. A type of fortress fone that wants your money before
you receive a dial tone.
Channel - A means of one-way transmission or a UCA path for electrical
transmission between two or more points without common carrier-provided
terminal equipment. Also called a circuit, line, link, path, or facility.
cheese box - Another type of box which, when coupled with call
forwarding services, will allow one to place free fone calls. The safety of
this box is unknown. See references for information concerning text philes
on this box.
clear box - Piece of equipment that consists of a telephone pickup
coil and a small amp. This works on the principle that all receivers are
also weak transmitters. So, you amplify your signal on PP fortress fones
and spare yourself some change.
CN/A - Customer Name And Address. Systems where authorized Bell
employees can find out the name and address of any customer in the Bell
System. All fone numbers are listed on file, including unlisted numbers.
Some CN/A services ask for ID#'s when you make a request. To use, call the
CN/A office during normal business hours, and say that you are so and so
from a certain business or office, related to customers or something like
that, and you need the customer's name and address at (NPA)Nxx-xxxx. That
should work. The operators to these services usually know more than DA
operators do and are also susceptible to "social engineering." It is
possible to bullshit a CN/A operator for the NON PUB DA number and policy
changes in the CN/A system.
CO Code - Central Office code which is also the Nxx code. See Nxx for
more details. Sometimes known as the local end office.
conference calls - To have multiple lines inter-connected in order to
have many people talking in the same conversation on the fone at once. See
Alliance and switch crashing for more information.
credit operator - Same as TSPS operator. The operator you get when you
dial "0" on your fone and phortress fones. See TSPS for more information.
CSDC - Circuit Switched Digital Capability. Another USDN service that
has no ISDN counterpart.
DA - Directory Assistance. See directory assistance.
DAO - Directory Assistance Operator. See directory assistance.
data communications - In telefone company terminology, data
communications refers to an end-to-end transmission of any kind of
information other than sound, including voice, or video. Data sources may
be either digital or analog.
data rate - The rate at which a channel carries data, measured in bits
per second, bit/s, also known as "data signalling rate."
data signalling rate - Same as "data rate." See data rate.
DCO-CS - Digital Central Office-Carrier Switch.
DDD - Direct Distance Dialed.
Dial-It Services - See 900 Services.
digital - A method of representing information as discrete or
individually distinct signals, such as bits, as opposed to a continuously
variable analog signal.
digital transmission - A mode of transmission in which all information
to be transmitted is first converted to digital form and then transmitted
as a serial stream of pulses. Any signal, voice, data, television, can be
converted to digital form.
Dimension 2000 - Another LD service located at (800)848-9000.
directory assistance - Operator that you get when you call 411 or
NPA-555-1212. This call will cost $.50 per call. These won't know where you
are calling from, unless you annoy them, and do not have access to unlisted
numbers. There are also directory assistance operators for the deaf that
transfer BAUDOT. You can call these and have interesting conversations. The
fone number is 800-855-1155; calls are free, and they use standard Telex
abbreviations such as GA for Go Ahead. These are nicer than normal
operators, and are
often subject to "social engineering" skills (bullshitting). Other
operators also have access to their own directory assistance at
KP+NPA+131+ST.
diverter - This is a nice phreak tool. A diverter is a type of
call forwarding system done externally, apart from the fone company, which
is a piece of hardware that will forward the call to somewhere else. These
can be found on many 24 hour plumbers, doctors, etc. When you call, you
will often hear a click and then ringing, or a ring, then a click, then
another ring, the second ring often sounds different from the first. Then,
the other side picks the fone up and you ask about their company or
something stupid, but DO NOT ANNOY them. Then eventually, let them hang up,
DO NOT HANG UP YOURSELF. Wait for the dial tone, then dial ANI. If the
number ANI reads is different from the one you are calling from, then you
have a diverter. Call anywhere you want, for all calls will be billed to
the diverter. Also, if someone uses a tracer on you, then they trace the
diverter and you are safe. Diverters can, however, hang up on you after a
period of time; some companies make diverters that can be set to clear the
line after a set period of time, or click every once in a while, which is
super annoying, but it will still work. Diverters are usually safer than LD
extenders, but there are no guarantees. Diverters can also be accessed via
phortress fones. Dial the credit operator and ask for the AT&T CREDIT
OPERATOR. They will put on some lame recording that is pretty long. Don't
say anything and the recording will hang up. LET IT HANG UP, DO NOT HANG
UP. Then the line will clear and you will get a dial tone. Place any call
you want with the following format: 9+1+NPA+Nxx+xxxx, or for local calls,
just 9+Nxx+xxxx. I'd advise that you call ANI first as a local call to make
sure you have a diverter.
DLS - Dial Line Service.
DNR - Also known as pen register. See pen register.
DOV - Data-Over-Voice.
DSI - Data Subscriber Interface. Unit in the LADT system that will
concentrate data from 123 subscribers to a 56k or a 9.6k bit-per-second
trunk to a packet network.
DT - Dial tone.
DTF - Dial Tone First. This is a type of fortress fone that gives you
a dial tone first.
DTI - Digital Trunk Interface.
DTMF - Dual-Tone-Multi-Frequency, the generic term for the touch tone.
These include 0,1,2,3,4,5,6,7,8,9 as well as A,B,C,D. See silver box for
more details.
DVM - Data Voice Multiplexor. A system that squeezes more out of a
transmission medium and allows a customer to transmit voice and data
simultaneously to more than one receiver over the existing telefone line.
emergency break-in - Name given to the art of "breaking" into a busy
number which will usually result in becoming a third party in the call
taking place.
end office - Any class 5 switching office in North America.
end-to-end signalling - A mode of network operation in which the
originating central office, or station, retains control and signals
directly to each successive central office, or PBX, as trunks are added to
the connection.
ESS - Electronic Switching System. "The phreak's nightmare come true."
With ESS, EVERY SINGLE digit you dial is recorded, even mistakes. The
system records who you call, when you call, how long you talked, and, in
some cases, what you talked about. ESS is programed to make a list of
people who make excessive 800 calls or directory assistance. This is called
the "800 Exceptional Calling Report." ESS can be programed to print out
logs of who called certain numbers, such as a bookie, a known communist, a
BBS, etc. ESS is a series of programs working together; these programs can
be very easily changed to do whatever the fone company wants ESS to do.
With ESS, tracing is done in MILLISECONDS and will pick up any "foreign"
tones on the line, such as 2600 Hz. Bell predicts the whole country will be
on ESS by 1990! You can identify an ESS office by the functions, such as
dialing 911 for help, fortress fones with DT first, special services such
as call forwarding, speed dialing, call waiting, etc., and ANI on LD calls.
Also, black boxes and Infinity transmitters will NOT work under ESS.
extender - A fone line that serves as a middleman for a fone call,
such as the 800 or 950 extenders. These systems usually require a
multi-digit code and have some sort of ANI to trace suspicious calls with.
facsimile - A system for the transmission of images. The image is
scanned at the transmitter, reconstructed at the receiving station, and
duplicated on some form of paper. Also known as a FAX.
FAX - See facsimile for details.
FiRM - A large cracking group who is slowly taking the place of PTL and
the endangered cracking groups at the time of this writing.
fortress phone - Today's modern, armor plated, pay fone. These may be
the older, 3 coin/coin first fones or the newer, 1 coin/DT first fones.
There are also others, see CF, DTF, and PP. Most phortresses can be found
in the 9xxx or 98xx series of your local Nxx.
gateway city - See ISC.
Gestapo - The telefone company's security force. These nasties are the
ones that stake out misused phortresses as well as go after those bad
phreaks that might be phucking with the fone system.
green base - A type of output device used by the fone company. Usually
light green in color and sticks up a few feet from the ground. See output
device for more information.
green box - Equipment that will emulate the Coin Collect, Coin Return,
and Ringback tones. This means that if you call someone with a fortress
fone and they have a green box, by activating it, your money will be
returned. The tones are, in hertz, Coin Collect=700+1100, Coin
Return=1100+1700, and Ringback=700+1700. However, before these tones are
sent, the MF detectors at the CO must be alerted; this can be done by
sending a 900+1500 Hz or single 2600 Hz wink of 90ms followed by a 60ms
gap, and then the appropriate signal for at least 900ms.
gold box - This box will trace calls, tell if the call is being
traced, and can change a trace.
grey box - Also known as a silver box. See silver box.
group chief - The name of the highest ranking official in any fone
office. Ask to speak to these if an operator is giving you trouble.
high-speed data - A rate of data transfer ranging upward from 10,000
bits per second.
H/M - Hotel/Motel.
ICH - International Call Handling. Used for overseas calls.
ICVT - InComing Verification Trunk.
IDA - Integrated Digital Access. The United Kingdom's equivalent of
ISDN.
IDDD - International Direct Distance Dialing - The ability to place
international calls direct without processing through a station. Usually,
one would have to place the call through a 011, station, or a 01, operator
assisted, type of setup.
IDN - Integrated Digital Networks. Networks which provide digital
access and transmission, in both circuit switched and packet modes.
in-band - The method of sending signaling information along with the
conversation using tones to represent digits.
INS - Information Network System. Japan's equivalent of ISDN.
Intercept - The intercept operator is the one you get connected to
when there are not enough recordings available to tell you that the number
has been disconnected or changed. These usually ask what number you are
calling and are the lowest form of the operator.
intermediate point - Any class 4X switching office in North America.
Also known as an RSU.
international dialing - In order to call across country borders, one
must use the format PREFIX + COUNTRY CODE + NATION #. The prefix in North
America is usually 011 for station-to-station calls or 01 for
operator-assisted calls. If you have IDDD, you don't need to place this prefix in.
INTT - Incoming No Test Trunks.
INWARD - An operator that assists your local TSPS '0' operator in
connecting calls. These won't question you as long as the call is within
their service area. The operator can ONLY be reached by other operators or
a blue box. The blue box number is KP+NPA+121+ST for the INWARD operator
that will help you connect to any calls in that area ONLY.
INWATS - Inward Wide Area Telecommunications Service. These are the
800 numbers we are all familiar with. These are set up in bands; 6 total.
Band 6 is the largest, and you can call band 6 INWATS from anywhere in the
US except the state where the call is terminated. This is also why some
companies have a separate 800 number for their state. Band 5 includes the
48 contiguous states. All the way down to band 1, which only includes the
states contiguous to that one. Understand? That means more people can reach
a band 6 INWATS as compared to the people that can access a band 1 INWATS.
IOCC - International Overseas Completion Centre. A system which must
be dialed in order to re-route fone calls to countries inaccessible via
dialing direct. To route a call via IOCC with a blue box, pad the country
code to the RIGHT with zeroes until it is 3 digits. Then KP+160 is dialed,
plus the padded country code, plus ST.
IPM - Interruptions Per Minute. The number of times a certain tone
sounds during a minute.
ISC - Inter-Nation Switching Centers. Most outgoing calls from a
certain numbering system will be routed through these "gateway cities" in
order to reach a foreign country.
ISDN - Integrated Services Digital Network. ISDN is a planned
hierarchy of digital switching and transmission systems. Synchronized so
that all digital elements speak the same "language" at the same speed, the
ISDN would provide voice, data, and video in a unified manner.
ITT - This is another large LD service. The extenders owned by this
company are usually considered dangerous. The format is
ACC-ESS#,(NPA)Nxx-xxxx,1234567.
KP - Key Pulse. Tone that must be generated before inputting a fone
number using a blue box. This tone is, in hertz, 1100+1700.
KP2 - Key Pulse 2. Tone that is used by the CCITT SYSTEM 5 for special
international calling. This tone is, in hertz, 1300+1700.
LADT - Local Area Data Transport. LADT is a method by which customers
will send and receive digital data over existing customer loop wiring.
Dial-Up LADT will let customers use their lines for occasional data services;
direct access LADT will transmit simultaneous voice and data traffic on the
same line.
LAN - Local Area Network.
LAPB - Link Access Protocol Balanced.
LD - Long Distance.
Leave Word And Call Back - Another new type of operator.
local loop - When a loop is connected between you and your CO. This
occurs when you pick the fone up or have a fone OFF-HOOK.
loop - A pair or group of fone lines. When people call these lines,
they can talk to each other. Loops consist of two or more numbers; they
usually are grouped close together somewhere in the Nxx-99xx portions of
your exchange. The lower number in a loop is the tone side of the loop, or
the singing switch. The higher number is always silent. The tone disappears
on the lower # when someone dials the other side of the loop. If you are
the higher #, you will have to listen to the clicks to see if someone
dialed into the loop. There also are such things as Non-Supervised loops,
where the call is toll-free to the caller. Most loops will be muted or have
annoying clicks at connection, but otherwise, you might find these useful
goodies scanning the 99xx's in your exchange. Some loops allow multi-user
capability; thus, many people can talk to each other at the same time, a
conference of sorts. Since loops are genuine test functions for the telco
during the day, most phreaks scan and use them at night.
MA - Ma Bell, the Bell Telesys Company. Telco, etc. See Ma Bell for
more information.
Ma Bell - The telephone company. The Bell Telesys Phone Company. The
company you phreak and hack with. The company that doesn't like you too
much. The company you often phuck with, and sometimes phuck up. The company
that can phuck u up if u aren't careful.
make period - The time when, during pulse dialing, the circuit is
closed. In the US, this period is 60ms; however, foreign nations may use a
67ms make period. Make periods are also referred to in percentages, so a
60ms make period would be 60%, a 67ms as 67%.
marine verify - Another type of operator.
MCI - Yet another LD service that owns many dial-ups in most areas.
However, the codes from various areas may not be interchangeable. Not much
is known about MCI; however, MCI probably has some sophisticated anti-
phreak equipment. The format is ACC-ESS#,12345,(NPA)Nxx-xxxx.
MCI Execunet - The calling card equivalent of the regular MCI LD
service, but the codes are longer and interchangeable. For the local access
port near you, call (800)555-1212. The format for the port will be
ACC-ESS#,1234567,(NPA)Nxx-xxxx.
Metrofone - Owned by Western Union. A very popular system among fone
phreaks. Call Metrofone's operator and ask for the local access number at
(800)325-1403. The format is ACC-ESS#,CODE,(NPA)Nxx-xxxx. Metrofone is
alleged to place trap codes on phreak BBS's.
MF - Multi-Frequency. These are the operator and blue box tones. An MF
tone consists of two tones from a set of six master tones which are
combined to produce 12 separate tones. These are NOT the same as touch
tones. See blue box tones for frequencies.
mobile - A type of operator.
NAP/PA - North American Pirate/Phreak Association. A large group of bbs
boards which include a lot of pirates/phreakers. I'm not quite sure where the
group will go from here.
NON PUB DA - A reverse type of CN/A bureau. You tell the service the
name and the locality, they will supply the fone number. However, they will
ask for your name, supervisor's name, etc. Use your social engineering
skills here (aka, bullshitting skills). You also can get detailed billing
information from these bureaus.
NPA - Numbering Plan Area. The area code of a certain city/state. For
example, on the number (111)222-3333, the NPA would be 111. Area codes
never cross state boundaries sans the 800, 700, 900, and special exchanges.
Nxx - The exchange or prefix of the area to be dialed. For example, on
the number (111)222-3333, the Nxx would be 222.
OGVT - OutGoing Verification Trunk.
OFF-HOOK - To be on-line, to have the switchhook down. To have a
closed connection. At this point, you also have a local loop.
ON-HOOK - To be off-line, to have the switchhook up. To have an open
connection.
ONI - Operator Number Identification. Identifies calling numbers when
an office is not equipped with CAMA, the calling number is not
automatically recorded by CAMA, or has equipment failures, such as ANIF.
OPCR - Operator Actions Program. Standard TBOC or equivalent "0"
operator.
OPEN - Northern Telecom's Open Protocol Enhanced Networks World
Program.
OSI - Open System Interconnection. Form of telecommunication
architecture which will probably fail to SNA.
OST - Originating Station Treatment.
OTC - Operating Telefone Company.
out-of-band - Type of signaling which sends all of the signaling and
supervisory informations, such as ON and OFF HOOK, over separate data
links.
output device - Any type of interface such as cans, terminal sets,
remote switching centers, bridging heads, etc., where the fone lines of the
immediate area are relayed to before going to the fone company. These often
are those cases painted light green and stand up from the ground. Most of
these can be opened with a 7/16 hex driver, turning the security bolt(s)
1/8 of an inch counter-clockwise, and opening. Terminals on the inside
might be labeled "T" for tip and "R" for ring. Otherwise, the ring side is
usually on the right and the tip side is on the left.
OUTWATS - Outward Wide Area Telecommunications Service. These are WATS
that are used to make outgoing calls ONLY.
Paper Clip Method - This method of phreaking was illustrated in the
movie War Games. What a phortress fone does to make sure money is in a fone
is send an electrical pulse to notify the fone that a coin has been
deposited, for the first coin only. However, by simply grounding the
positive end of the microphone, enough current and voltage is deferred to
the ground to simulate the first quarter in the coin box. An easy way to
accomplish this is to connect the center of the mouthpiece to the coin box,
touch tone pad, or anything that looks like metal with a piece of wire. A
most convenient piece of wire is a bend out of a paper clip. Then you can
send red box tones through the line and get free fone calls! Also, telco
modified fones may require you to push the clip harder against the
mouthpiece, or connect the mouthpiece to the earpiece. If pressing harder
against the mouthpiece becomes a problem, pins may be an easier solution.
PBX - Private Branch eXchange. A private switchboard used by some big
companies that allow access to the OUTWATS line by dialing an 8 or a 9
after inputting a code.
PCM - Pulse Code-Modulated trunks.
PC Pursuit - A computer oriented LD system, comparable to Telenet,
which offers low access rates to 2400 baud users. Hacking on this system is
virtually impossible due to the new password format.
pen register - A device that the fone company puts on your line if
they suspect you are fraudulently using your fone. This will record EVERY
SINGLE digit/rotary pulse you enter into the fone as well as other
pertinent information, which may include a bit of tapping. Also known as
DNR.
Phortune 500 - An elite group of users currently paving the way for
better quality in their trade.
PHRACK - Another phreak/hack oriented newsletter. See reference
section, phile 1.6 for more information.
PHUN - Phreakers and Hackers Underground Network. They also release a
newsletter that is up to #4 at the time of this writing. See phile 1.6 for
more information on finding this phile.
PIN - Personal Identification Number - The last four digits on a
calling card that adds to the security of calling cards.
plant tests - test numbers which include ANI, ringback, touch tone
tests, and other tests the telco uses.
Post Office Engineers - The United Kingdom's fone workers.
PP - Dial Post-Pay Service. On phortress fones, you are prompted to
pay for the call after the called party answers. You can use a clear box to
get around this.
PPS - Pulses Per Second.
printmeter - The United Kingdom's equivalent of a pen register. See
pen register for more info.
PTE - Packet Transport Equipment.
PTL - One of the bigger cracking groups of all time. However, the group
has been dying off and only has a few nodes as of this writing.
PTS - Position and Trunk Scanner.
PTT - Postal Telephone Telegraph.
pulse - See rotary phones.
purple box - This one would be nice. Free calls to anywhere via blue
boxing, become an operator via blue box, conference calling, disconnect
fone line(s), tap fones, detect traces, intercept directory assistance
calls. Has all red box tones. This one may not be available under ESS.
rainbow box - An ultimate box. You can become an operator. You get
free calls, blue box. You can set up conference calls. You can forcefully
disconnect lines. You can tap lines. You can detect traces, change traces,
and trace as well. All incoming calls are free. You can intercept directory
assistance. You have a generator for all MF tones. You can mute and redial.
You have all the red-box tones. This is an awesome box. However, it does
not exist under ESS.
RAO - Revenue Accounting Office. The three digit code that sometimes
replaces the NPA of some calling cards.
RBOC - Regional Bell Operating Company.
red box - Equipment that will emulate the red box tone generated for
coin recognition in all phortress fones.
red box tones - Tones that tell the phortress fone how much money was
inserted in the fone to make the required call. In one slot fones, these
are beeps in pulses; the pulse is a 2200+1700 Hz tone. For quarters, 5 beep
tones at 12-17 PPS, for dimes it is 2 beep tones at 5-8.5 PPS, and a nickel
causes 1 beep tone at 5-8.5 PPS. For three slot fones, the tones are
different. Instead of beeps, they are straight dual tones. For a nickel, it
is one bell at 1050-1100 Hz, two bells for a dime, and one gong at 800 Hz
for a quarter. When using red box tones, you must insert at least one
nickel before playing the tones, cuz a ground test takes place to make sure
some money has been inserted. The ground test may be fooled by the Paper
Clip Method. Also, it has been known that TSPS can detect certain red box
tones, and will record all data on AMA or CAMA of fraudulent activity.
regional center - Any class 1 switching office in North America.
REMOB - Method of tapping into lines by entering a code and the 7
digit number you want to monitor, from ACD Test Mode. A possibility of this
may be mass conferencing.
ring - The red wire found in fone jacks and most fone equipment. The
ring also is less positive than the tip. When looking at a fone plug on the
end of typical 4 wire fone line from the top, let's say the top is the side
with the hook, the ring will be the middle-right wire. Remember, the ring
is red, and to the right. The three "R's" revived!
ring-around-the-rosy - 9 connections in tandem which would cause an
endless loop connection and has never occurred in fone history.
ringback - A testing number that the fone company uses to have your
fone ring back after you hang up. You usually input the three digit
ringback number and then the last four digits to the fone number you are
calling from.
ring trip - The CO process involved with stopping the AC ringing
signal when a fone goes OFF-HOOK.
rotary phone - The dial or pulse phone that works by hooking and
un-hooking the fone rapidly in succession that is directly related to the
number you dialed. These will not work if another phone with the same
number is off-hook at the time of dialing.
Rout & Rate - Yet another type of operator; assists your TSPS operator
with rates and routings. This one can be reached at KP+800+141+1212+ST.
RPE - Remote Peripheral Equipment.
RQS - The Rate Quote System. This is the TSPS operator's rate/quote
system. This is a method your '0' operator gets info without dialing the
rate and route operator. The number is KP+009+ST.
RSU - Remote Switching Unit. The class 4X office that can have an
unattended exchange attached to it.
RTA - Remote Trunk Arrangement.
SAC - Special Area Code. Separate listing of area codes, usually for
special services such as TWX's, WATS, or DIAL-IT services.
SCC - Specialized Common Carriers. Common Nxx numbers that are
specialized for a certain purpose. An example is the 950 exchange.
sectional center - Any class 2 switching office in North America.
service monitoring - This is the technical name of phone tapping.
SF - Supervision Control Frequency. The 2600 Hz tone which seizes any
open trunk, which can be blue boxed off of.
short-haul - Also known as a local call.
signalling - The process by which a caller or equipment on the
transmitting end of a line informs a particular party or equipment at the
receiving end that a message is to be communicated. Signalling is also the
supervisory information which lets the caller know the called party is
ready to talk, the line is busy, or the called party has hung up.
silver box - Equipment that will allow you to emulate the DTMF tones
A,B,C,D. The MF tones are, in hertz, A=697+1633, B=770+1633, C=852+1633,
D=941+1633. These allow special functions from regular fones, such as ACD
Testing Mode.
Skyline - Service owned by IBM, Comsat, and AEtna. It has a local
access number in the 950 exchange. The fone number is 950-1088. The code is
either a 6 or 8 digit number. This company is alleged to be VERY dangerous.
SNA - System Network Architecture, by IBM. A possible future standard
of architecture only competed by OSI.
SOST - Special Operator Service Treatment. These include calls which
must be transferred to a SOST switchboard before they can be processed;
services such as conferences, appointments, mobile, etc.
SPC - Stored Program Control. Form of switching the US has heavily
invested in.
Sprint - One of the first LD services, also known as SPC. Sprint owns
many extender services and is not considered safe. It is common knowledge
that Sprint has declared war on fone phreakers.
SSAS - Station Signaling and Announcement System. System on most
fortress fones that will prompt caller for money after the number, usually
LD numbers, has been dialed, or the balance due before the call will be
allowed to connect.
stacking tandems - The art of busying out all trunks between two
points. This one is very amusing.
STart - Pulse that is transmitted after the KP+NPA+Nxx+xxxx through
operator or blue boxed calls. This pulse is, in hertz, 1500+1700.
station # - The last four digits in any seven digit fone number.
STD - Subscriber Trunk Dialing. Mechanism in the United Kingdom which
takes a call from the local lines and legitimately elevates it to a trunk or
international level.
step crashing - Method of using a rotary fone to break into a busy
line. Example, you use a rotary fone to dial Nxx-xxx8 and you get a busy
signal. Hang up and dial Nxx-xxx7 and in between the last pulse of your
rotary dial and before the fone would begin to ring, you can flash your
switchhook extremely fast. If you do it right, you will hear an enormous
"CLICK" and all of a sudden, you will cut into your party's conversation.
STPS - Signal Transfer PointS. Associated with various switching
machines and the new CCIS system.
switchhook - The button on your fone that, when depressed, hangs the
fone up. These can be used to emulate rotary dial fones if used correctly.
SxS - Step-By-Step. Also known as the Strowger Switch or the two-
motion switch. This is the switching equipment Bell began using in 1918.
However, because of its limitations, such as no direct use of DTMF and
maintenance problems, the fone company has been upgrading since. You can
identify SxS switching offices by lack of DTMF or pulsing digits after
dialing DTMF, if you go near the CO it will sound like a typewriter testing
factory, lack of speed calling, lack of special services like call
forwarding and call waiting, and fortress fones want your money first,
before the dial tone.
TAP - The "official" phone phreak's newsletter. Previously YIPL.
T&C - Time and Charge.
tapping - To listen in to a phone call taking place. The fone company
calls this "service monitoring."
TASI - Time Assignment Speech Interpolation. This is used on satellite
trunks, and basically allows more than one person to use a trunk by putting
them on while the other person isn't talking.
Telenet - A computer-oriented system of relay stations which relay
computer calls to LD numbers. Telenet has a vast array of access ports
accessible at certain baud rates.
Tel-Tec - Another LD company that usually give out a weak connection.
The format is (800)323-3026,123456,(NPA)Nxx-xxxx.
Tel-Tex - A subsidiary of Tel-Tec, but is only used in Texas. The
number is (800)432-2071 and the format is the same as above.
terminal - A point where information may enter or leave a
communication network. Also, any device that is capable of sending and/or
receiving data over a communication channel.
tip - The green wire found in fone jacks and most fone equipment. The
tip is the more positive wire compared to the ring. When looking at a fone
plug from the top, let's say the hook side is the top, the tip will be the
middle wire on the left.
toll center - Any class 4 switching office located in North America.
toll point - Any class 4P switching office in North America.
Toll LIB - Reverse CN/A bureau. See NON PUB DA for more info.
touch tone phone - A phone that uses the DTMF system to place calls.
touch tone test - This is another test number the fone company uses.
You dial the ringback number and have the fone ring back. Then, when you
pick it up, you will hear a tone. Press your touch-tone digits 1-0. If they
are correct, the fone will beep twice.
trace - Something you don't want any fone company to do to you. This
is when the fone company you are phucking with flips a switch and they find
the number you are calling from. Sometimes the fone company will use ANI or
trap and trace methods to locate you. Then the local Gestapo home in and
terminate the caller if discovered.
trap and trace - A method used by the FBI and some step offices that
forces a voltage through the line and traces simultaneously, which means
that you can't hang up unless the Pheds do, and pray you aren't calling
from your own house. Trap and trace is also known as the lock-in-trace.
trap codes - Working codes owned by the LD company, not a customer,
that, when used, will send a "trouble card" to Ma Bell, no matter what
company the card is coming from, and ESS will immediately trace the call.
Trap codes have been in use for some time now, and it is considered safer
to self-hack codes opposed to leeching them off of BBS's, since some LD
companies post these codes on phreak oriented BBS's.
Travelnet - Service owned by GM that uses WATS as well as local access
numbers. Travelnet also accepts voice validation for its LD codes.
TSPS - Traffic Service Position System. Operator that usually is the
one that obtains billing information for Calling Card or 3rd number calls,
identifies called customer on person-to-person calls, obtains acceptance of
charges on collect calls, or identifies calling numbers. These operators
have an ANI board and are the most dangerous type of operator.
TWX - Telex II consisting of 5 teletypewriter area codes. These are
owned by Western Union. These may be reached via another TWX machine
running at 110 baud. You can send TWX messages via Easylink (800)325-4122.
USDN - United States Digital Network. The US's version of the ISDN
network.
videotext - Generic term for a class of two-way, interactive data
distribution systems with output typically handled as in teletext systems
and input typically accepted through the telephone or public data network.
WATS - Wide Area Telecommunications Service. These can be IN or OUT,
see the appropriate sections.
WATS Extender - These are the LD companies everyone hacks and phreaks
off of in the 800 NPA. Remember, INWATS + OUTWATS = WATS Extender.
white box - This is a portable DTMF keypad.
XBAR - Crossbar. Crossbar is another type of switching equipment the
fone company uses in some areas. There are three major types of Crossbar
systems called No.1 Crossbar (1XB), No.4 Crossbar (4XB), and No.5 Crossbar
(5XB). 5XB has been the primary end office switch of MA since the 60's and
is still in wide use. There is also Crossbar Tandem (XBT) used for toll-
switching.
XBT - Crossbar Tandem. Used for toll-switching. See XBAR.
YIPL - The classic "official" phreak's magazine. Now TAP.
[Phile 1.5]
Other Fone Information
======================
Voltages & Technical Stuff
--------------------------
When your telephone is ON-HOOK, there are 48 volts of DC across the tip
and the ring. When the handset of a fone is lifted, a few switches close,
which causes a loop to become connected between you and the fone company;
the fone is now OFF-HOOK. This is also known as the local loop. Once this
happens, the DC current is able to flow through your fone with less
resistance. This causes a relay to energize, which causes other CO
equipment to realize that you want service. Eventually, you will end up
with a dial tone. This also causes the 48 VDC to drop down to around 12
VDC. The resistance of the loop also drops below the 2500 ohm level; FCC
licensed telephone equipment must have an OFF-HOOK impedance of 600 ohms.
When your fone rings, the telco sends 90 volts of pulsing AC down the
line at around 15-60 Hz, usually 20 Hz. In most cases, this causes a metal
armature to be attracted alternately between two electromagnets; thus, the
armature often ends up striking two bells of some sort, the ring you often
hear when non-electronic fones receive a call. Today, these mechanical
ringers can be replaced with more modern electronic bells and other
annoying signaling devices, which also explains why deaf people can have
lights and other equipment attached to their fones instead of ringers.
When you dial on a fone, there are two common types of dialing, pulse
and DTMF. If you are like me, you probably don't like either and thought
about using MF or blue box tones. Dialing rotary breaks and makes
connections in the fone loop, and the telco uses this to signal to their
equipment that you are placing a call. Since it is one fone that is
disconnecting and reconnecting the fone line, if someone else picks up
another fone on the same extension, both cannot make pulse fone calls until
one hangs up. DTMF, on the other hand, is a more modern piece of equipment
and relies on tones generated by a keypad, which can be characterized by a
0,1,2,3,4,5,6,7,8,9/A,B,C,D keypad. Most fones don't have an A,B,C,D
keypad, for these frequencies are used by the telco for test and other
purposes.
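The dialing paragraph above describes DTMF as tones from a 0-9/A,B,C,D keypad. As an added example (not part of the original phile), this shows how receiving equipment can recognize which key a tone pair represents, using the Goertzel algorithm over the standard DTMF frequency grid. The 8 kHz sample rate, frame size, thresholds and the synthesized test signal are assumptions of the example.

```python
import math

# Standard DTMF grid (Hz). The 1633 Hz column carries the A, B, C, D keys
# that the text says most fones lack.
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")

RATE = 8000    # assumption: telephone-band audio sampled at 8 kHz
FRAME = 400    # assumption: 50 ms analysis frame


def goertzel_power(samples, freq, rate=RATE):
    """Return |X(freq)|^2 for the frame using the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_frame(samples, rate=RATE, min_rms=0.01, min_share=0.2,
                 min_total=0.7, dominance=8.0):
    """Return the DTMF key present in one frame, or None."""
    n = len(samples)
    energy = sum(x * x for x in samples)
    if n == 0 or energy / n < min_rms ** 2:
        return None                          # silence
    row_p = [goertzel_power(samples, f, rate) for f in ROWS]
    col_p = [goertzel_power(samples, f, rate) for f in COLS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    # Share of the frame's energy carried by each tone: a lone tone gives
    # about 1.0, a clean DTMF pair gives about 0.5 + 0.5.
    scale = 2.0 / (n * energy)
    row_share, col_share = row_p[r] * scale, col_p[c] * scale
    if min(row_share, col_share) < min_share:
        return None                          # one of the two tones is missing
    if row_share + col_share < min_total:
        return None                          # mostly speech, noise or other tones
    # The winning row and column must clearly dominate their own group.
    for group, best in ((row_p, r), (col_p, c)):
        if any(group[best] < dominance * p
               for i, p in enumerate(group) if i != best):
            return None
    return KEYS[r][c]


def decode_stream(samples, rate=RATE, frame=FRAME):
    """Decode a sample stream into the sequence of keys pressed."""
    keys, last = [], None
    for start in range(0, len(samples) - frame + 1, frame):
        key = decode_frame(samples[start:start + frame], rate)
        if key is not None and key != last:
            keys.append(key)                 # new key, or same key after a gap
        last = key
    return "".join(keys)


def synth_tones(freqs, ms, amp=0.5, rate=RATE):
    """Constructed test signal: sum of sine tones lasting `ms` milliseconds."""
    n = rate * ms // 1000
    return [sum(amp * math.sin(2.0 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def synth_keys(keys, tone_ms=100, gap_ms=100):
    """Constructed test signal: each key's tone pair followed by silence."""
    out = []
    for k in keys:
        r = next(i for i, row in enumerate(KEYS) if k in row)
        out += synth_tones((ROWS[r], COLS[KEYS[r].index(k)]), tone_ms)
        out += [0.0] * (RATE * gap_ms // 1000)
    return out


if __name__ == "__main__":
    print(decode_stream(synth_keys("159D")))   # constructed input
```

A frame is accepted only when exactly one row tone and one column tone carry most of its energy, so a lone tone, silence, or unrelated tones decode to nothing.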
Scanning Phun Fone Stuff
------------------------
Scanning is the act of either randomly or sequentially dialing fone
numbers in a certain exchange when you are looking for several different
things. These things could be carriers, extenders, ANI, "bug tracers,"
loops, as well as many other interesting "goodies" the fone company uses
for test purposes.
When scanning for carriers, your local BBS probably has some scanning
programs, as these became popular after the movie WARGAMES. What these
do is call every fone in an exchange, or a specified range of fone
numbers in certain exchanges, to look for possible carriers and other
interesting computer equipment. So, if your computer finds a carrier, or
what seems like a carrier, it will either print it out or save it in some
file for later reference. With these carriers one finds, one can either
call them and find out what each is or, if one of them is interesting, one
can hack or attempt to break into some interesting systems available, not
to the general public, of course.
Scanning telephone "goodies" requires time and patience. These goodies
usually cannot be traced by most unmodified modems, as the frequencies and
voice transmissions cannot be differentiated from other disturbances, such
as the annoying operator saying, "We're sorry... blah blah..". Anyway, to
scan these, you usually get a regular carrier scanner and, with the modem
speaker on, sit by your wonderful computer and listen in on the scanning
for any interesting tones, voices, or silences, which could be telco fone
phun numbers, for us of course! Then write these down, and spread them
around, use, abuze, etc. if you dare. Anyway, most telefone goodies are
located in the 99xx suffixes of any fone exchange. If you found everything
you think in the exchanges you have scanned, try the 0xxx and 1xxx suffixes
in that order. You might even find loops, ANI, and other phun things if you
mess around enough.
[Phile 1.6]
References & Suggested Reading
==============================
The following is a list of references and suggested reading for the
beginning, as well as advanced phreak. See your local fone phreak for these,
or call your local phreak oriented BBS for information regarding these
publications.
2600 Magazine
Aqua Box, The
By Captain Xerox & The Traveler
Basic Alliance Teleconferencing
By The Trooper
Bell Hell
By The Dutchman & The Neon Knights
Better Homes And Blue Boxing
By Mark Tabas
BIOC Agent 003's Course In Basic Telecommunications
By BIOC Agent 003
History Of British Phreaking, The
By Lex Luthor & The Legion Of Doom
Home Phone Tips
By 13th Floor Enterprises
How To Build A Blotto Box
By The Traveler
How To Build A Cheese Box
By Mother Phucker
Introducing The Beige Box - Construction & Use
By The Exterminator and The Terminal Man
Integrated Services Digital Network [ISDN]
By Zander Zan
LOD/H Technical Journal
Loops I've Known And Loved
By Phred Phreak
PHRACK Magazine
Edited By Taran King and Knight Lightning UMCVMB
Phreakers And Hackers Underground Network [PHUN]
Edited By Red Knight
The Toll Center Bulletin Board System (718)358-9209
TAP - The Official Phreak Newsletter
Room 603
147 West 42nd Street
New York, NY 10036
........When You Need The BEST Of The Best........
....There Is NO Substitute....
----------------------
============================> PHORTUNE 500 <==============================
----------------------
These philes distributed in part by:
Skeleton Crue 415-376-8060 located out of Moraga, California.
!!Get on the band wagon before it RUNS YOU DOWN!!
Headquarters for Computer Hackers and Anarchists to Overthrow the State
(CH&AOS)

Sunday, September 28, 2008
Phreakers Handbook
Title: PHREAKERS HANDBOOK
Written: CAT-TRAX
 _________________________
|                         |
| The Phreaker's HandBook
|___________________________________________
|
| Written by: Cat-Trax (The "White-Collar Criminal")
| Typed by: Cat-Trax
|
| Copywrong (X) May, 1985
| The Hackin' Hoodlum Press, Inc.
|
| Call: The Hacker's Hideout
| [206/265/6369]
| Password: U/L
| 300/1200 Baud
[ Definitions ]
Phreak ["free"k] Verb--1. The act of "Phreaking" 2. The act of making telephone calls without paying money [Slang]
Phreaker ["free"-k-er] Noun--1. One who engages in the act of "Phreaking" 2. One who makes telephone calls without paying money [Slang]
<%=-------------------------------------------------------------------------=%>
[ Introduction ]
Phreaking is a method used by most intelligent people (most often those who use a computer and a Modulator-Demodulator (MoDem)). If you happen to resemble the major mass of people who do not have the income to afford large phone bills then phreaking is for you. If you live in an area with an Electronic Switching System [ESS] then phreaking is something which should be done in moderate amounts.
<%=-------------------------------------------------------------------------=%>
[ Switching Systems ]
Three types of switching systems are present in the United States today:
[1] Step by Step
[2] Crossbar
[3] ESS (Electronic Switching System)
<] Step by Step [>
First switching system used in America, adopted in 1918 and until 1978 Bell had over 53% of all exchanges using Step by Step [SxS]. A long, and confusing train of switches is used for SxS switching.
[> Disadvantages <]
[A] The switch train may become jammed : Blocking call.
[B] No DTMF [Dual-Tone Multi-Frequency]["Touch-tone"].
[C] Much maintenance and much electricity.
[D] Everything is hardwired
+> Identification <+
[A] No pulsing digits after dialing or DTMF.
[B] Phone Company sounds like many typewriters.
[C] No: Speed calling, Call forwarding, and other services.
[D] Pay-phone wants money first before dial-tone.
<] Crossbar [>
Crossbar has been Bell's primary switcher after 1960. Three types of Crossbar switching exist: Number 1 Crossbar [1XB], Number 4 Crossbar [4XB], and Number 5 Crossbar [5XB]. A switching matrix is used for all the phones in an area. When someone calls, the route is determined and is met up with the other phone. The matrix is set-up in horizontal and vertical paths. There are no definite distinguishing features of Crossbar switching.
<] ESS [>
You probably were hoping I wouldn't talk about this nightmare, if you did you will know why everyone doesn't want to be reminded about Bell's holocaust on America. With ESS Bell knows: every digit dialed (including mistakes!), who you call, when you called, how long you were connected, and in some cases, what you talked about! Yes, this is the closest anyone has come to true Totalitarianism. ESS is programmed to print out the numbers of people who make excessive calls to WATS numbers [Wide Area Telephone Service][1-800 numbers] or directory assistance. This deadly trap is called "800 Exceptional Calling Report." ESS can be programmed to print logs of who called certain numbers. Electronic Switching System makes the job of the FBI, Bell Security (The Gestapo in phreakin' tongue), NSA, and other organizations which like to invade our privacy, extremely easy! Tracing is done in microseconds, and the results are printed out on the monitor of a Gestapo officer. ESS can also pick up foreign tones on the line, like 2600 Hz (used in blue boxes, discussed later). Bell claims that the entire country will be plagued by ESS by the 1990's!
+> Identification <+
[A] Dialing 911 for emergencies.
[B] Dial-tone first for pay-phones.
[C] Calling services, like: Call forwarding, Speed dialing, Call waiting.
[D] ANI [Automatic Number Identification] for long-distance calls.
[[[Note]]] of the above identifications of the three switching systems, do not solely rely on these descriptions, the best way to find out is to [no!] call your local telephone company.
<%=-------------------------------------------------------------------------=%>
[ Long-Distance Services ]
To attempt to help the community (and for private business) companies developed ways to lessen the costs of long-distance calling charges. The companies own their own switching systems and use extenders for callers to call. The way extenders operate: 1] Customer calls service, 2] He/she hears a low tone which sounds like a dial-tone, 3] She/he either dials the access code then the phone number, or dials the phone number then the access code, 4] Is connected to whatever he/she calls. Aside from Ma Bell's collection, the customer receives a bill for calls made with his/her long-distance company (a supposedly cheaper bill than Ma Bell's). Thought: Hey, I could randomly pick access codes and use them to call whatever area the company services! Righto, that's what basic phreaking is! A wise idea, though, is to have many access codes and many service numbers to rotate throughout your average life as a phreaker. To aid in your quest to beat the system I have provided many 1-800 numbers which anyone can call, aside from local numbers, such as Sprint, or MCI. The reason for providing you with WATS numbers is because all of us aren't in a big city where Sprint or MCI even exist, this way everyone can phreak! A way to find more access codes is by using your old modem. Yes, your modem can imitate DTMF tones!
(>Procedure: 1) dial 1-800 + service number
             2) dial access code->area code->phone number, or
             3) dial area code->phone number->access code)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
\/ -=+>Cat-Trax' list of WATS [1-800] numbers:<+=- \/
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[[[Note]]] remember to dial 1-800-above number, also remember to rotate numbers and access codes.
<%=-----------------------------------------------------=%>
[ Colored Boxes ]
A more shrewd, technological, safer (without ESS) way to phreak is with a piece of hardware known as a ________ Box. Boxes are many different colors (I don't know ALL the colors because it seems like every time I turn around there's some new color out!). Colors I have heard of: Blue, Black, Red, White, Silver, Clear, and MANY, MANY more... Plans for making these boxes can be obtained by calling different boards [BBS's], AE lines, or whatever. But!, if you have an Apple Cat modem then do I have good news for ->you<-!! The Apple Cat modem can emulate the frequencies (usually 2600 Hz.) made by ________ Boxes with the help of a handy little program called "Cat's Meow!"
<%=-----------------------------------------------------=%>
::Warning!:: Phreak at your own risk! Stiff laws are starting to pop up nowadays. But, if you're careful then don't worry! I haven't been busted yet! Heck [Hack!], what would life be without risks?
<%=-----------------------------------------------------=%>
This was an original phile by: Cat-Trax
<%=-----------------------------------------------------=%>
The // // // //
// // // //
//=--=// //=--=//
// // // //
// //ackin' // //oodlums
as of: 05/8/89
Leader: Cat-Trax
Co-Leader: Al Capone
Agents: Mr. DOS Terminator Lumpy
The Raven The Spartan The Alar
Doctor Jam
Call:
 ______________________
|\                      \
| \______________________\
| |                      |
| | The Hacker's Hideout |
| |                      |
| |  [206][265][MEOW]    |
| |                      |
| |    Password: U/L     |
| |                      |
| |    300/1200 Baud!    |
 \|                      |
  \______________________|
The Newbies Handbook - How to Begin in the World of Hacking
**************************************************************************
**************************************************************************
*********************** NEWBIES HANDBOOK ******************************
************** HOW TO BEGIN IN THE WORLD OF H/P ************************
********************** BY : Plowsk¥ Phreak ***********************************
***************************************************************************
***************************************************************************
Disclaimer-
I am not responsible for any of the information in this document, if it is
used for any other purpose than educational reading. Some of the
information on this page can be used illegally if the reader does not act
responsible. The reader is responsible for his own actions.
You can copy anything from this file to any other file as long as you quote,
dont change it up, and give me the proper credit...like:
NEWBIES HANDBOOK
HOW TO BEGIN IN THE WORLD OF H/P
BY : Plowsk¥ Phreak
Intro:
When I got into hacking, i realized that there wasnt many text philes for
newbies. so, i decided to write one. i dont really care about misspelled
werds or puncuation so, please ignore the mistakes. In this document i will
refer you to other documents a lot. (because why should i waste my time
rewriting something that has already been writen?) If at anytime while
reading this document you ask yourself "So...How do I hack?", then go away
now and save yourself the frustration because you'll never learn. To
hack you must understand everything about a system, and then you can get
ideas and try them out.
I tried to keep this phile as short as possible, when you read this you
should just get an idea about how to hack and why we hack. If you read this
document and the philes that i have listed, you should have a good idea
on what to do, how to do it, and why. Remember every 'project' is different.
You have to use your brain and adjust to each different one.
Tools:
There are a few things you need to have to be a hacker/phreaker.
'puter - computer (duh)
terminal software - a program like, hyper terminal or ordinary terminal
that allows you to dial out to another system.
blue box - (excerpted from 2600faq) Blue boxes use a 2600hz tone to seize
control of telephone switches that use in-band signalling. The caller may
then access special switch functions, with the usual purpose of making
free long distance phone calls, using the tones provided by the Blue Box.
scanner - a scanner is a program that dials out every number in your area
and listens for tones that are coming from other modems. (helps you locate
your local targets) a good scanner is Toneloc. Find it!
Fone (phone) line - I hope you know whut this is...
It also helps to know a computer language ex: C, C++ etc.
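The blue box entry above works only because in-band signalling carries the network's control tone on the same path as the caller's audio. As an added example (not from the original phile), this is the monitoring side of that design: a Goertzel filter that flags 2600 Hz only when it dominates the frame and persists, so that speech containing some 2600 Hz energy is not mistaken for signalling. The frame size, thresholds and test audio are assumptions constructed for the example.

```python
import math

RATE = 8000      # samples per second (telephone-band audio); assumed
FRAME = 160      # 20 ms analysis frame; assumed
SF_HZ = 2600.0   # the in-band control tone named in the text


def goertzel_power(frame, freq, rate=RATE):
    """Squared magnitude of the frame's spectrum at `freq` (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_share(frame, freq=SF_HZ):
    """Fraction (about 0..1) of the frame's total energy that sits at `freq`.

    This is the guard: a loud voice with a little 2600 Hz in it scores low,
    a clean signalling tone scores close to 1.
    """
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return 0.0
    return 2.0 * goertzel_power(frame, freq) / (len(frame) * energy)


def find_sf_tone(samples, min_ms=100, share=0.8):
    """Return (start_ms, duration_ms) for each sustained run of 2600 Hz frames."""
    frame_ms = 1000 * FRAME // RATE
    n_frames = len(samples) // FRAME
    events, run_start, run_len = [], 0, 0
    for i in range(n_frames + 1):            # the extra pass flushes a trailing run
        hit = i < n_frames and tone_share(samples[i * FRAME:(i + 1) * FRAME]) >= share
        if hit:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len * frame_ms >= min_ms:  # persistence check
                events.append((run_start * frame_ms, run_len * frame_ms))
            run_len = 0
    return events


def tone(ms, *parts):
    """Constructed audio: sum of (freq_hz, amplitude) sinusoids lasting `ms` ms."""
    n = RATE * ms // 1000
    return [sum(a * math.sin(2.0 * math.pi * f * t / RATE) for f, a in parts)
            for t in range(n)]


def sample_call():
    """Constructed line audio with one real hit and two near misses."""
    voice = ((500.0, 0.6), (1000.0, 0.4))        # stand-in for speech energy
    return (tone(100, *voice)                     # conversation
            + tone(300, (SF_HZ, 0.5))             # sustained clean 2600 Hz: flagged
            + tone(100, *voice)
            + tone(40, (SF_HZ, 0.5))              # too short to count
            + tone(100, *voice, (SF_HZ, 0.1)))    # 2600 Hz under speech: guard rejects


if __name__ == "__main__":
    for start, length in find_sf_tone(sample_call()):
        print(f"2600 Hz on the line at {start} ms for {length} ms")
```

Tone detection of this kind was a stopgap. The durable fix was moving trunk signalling onto a separate channel that subscriber audio cannot reach.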
Info resources:
I dont know many good boards anymore because almost all of their sysops
(system operators) have been busted. But I suggest you get a server that
uses netscape and get unlimited access to the www(World wide web). And visit
these good homepages by entering their name in the webcrawler search
engine (http://webcrawler.com)
Silicon Toads Hacking Resources
Flamestrike Enterprises
The Plowsk¥ Page (mine, you can reach me from there)
Matervas Hideout
Burns Lair
Cold fire
From these pages you will find a wealth of information on h/p
(hacking/phreaking)
getting started:
the first thing you must do is get on your computer, open your terminal
software and connect to a board. (bulletin board, bbs). This is a must!
(its also a VERY basic thing). (You can usually find a bbs number on a
homepage or enter bbs in a search engine.) Now that you can do that, start
reading. Read as many text philes as possible.
Required reading:
Hackers Manifesto (at bottom)
Hackers Code of ethics
Any old issues of Phrack
any old issues of 2600
2600faq
any text documents on systems (unix, iris, dec)
DOD (department of defense) standards
Any philes on boxes (blue(one at bottom), red, beige)
For beginners, which most of you probably are, I suggest you find some of
the following systems that exist in your area and work on them first. (they
are the easiest and least risky)
This next segment is excerpted from:
A Novice's Guide to Hacking- 1989 edition
by
The Mentor
Legion of Doom/Legion of Hackers
IRIS- IRIS stands for Interactive Real Time Information System. It originally ran on PDP-11's, but now runs on many other minis. You can
spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don't know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING
DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you see an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES
UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn't the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like 'login:' in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you'll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin
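The excerpt above notes that these systems allowed unlimited login tries and kept no record of bad attempts. As an added example (not from the original phile or from The Mentor's guide), this is the defender's counterpart: a log check that flags a source sweeping the default account names listed above, a burst of failures, and a successful login that follows such a burst. The OpenSSH-style line format, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Account names taken from the "Common Accounts/Defaults" UNIX list above.
DEFAULT_ACCOUNTS = {"root", "admin", "sysadmin", "unix", "uucp", "rje",
                    "guest", "demo", "daemon", "sysbin"}

# OpenSSH-style password-auth lines (format assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = [
    "Jan 12 03:14:01 gw sshd[311]: Failed password for invalid user demo from 203.0.113.7 port 40112 ssh2",
    "Jan 12 03:14:03 gw sshd[312]: Failed password for invalid user guest from 203.0.113.7 port 40113 ssh2",
    "Jan 12 03:14:05 gw sshd[313]: Failed password for uucp from 203.0.113.7 port 40114 ssh2",
    "Jan 12 03:14:06 gw sshd[314]: Failed password for alice from 192.0.2.10 port 51000 ssh2",
    "Jan 12 03:14:07 gw sshd[315]: Failed password for root from 203.0.113.7 port 40115 ssh2",
    "Jan 12 03:14:09 gw sshd[316]: Failed password for root from 203.0.113.7 port 40116 ssh2",
    "Jan 12 03:14:11 gw sshd[317]: Accepted password for root from 203.0.113.7 port 40117 ssh2",
    "Jan 12 03:14:20 gw sshd[318]: Accepted password for alice from 192.0.2.10 port 51001 ssh2",
    "Jan 12 03:14:30 gw cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse(line, year=2024):
    """Return (timestamp, accepted, user, source) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


def analyze(lines, max_failures=5, window_s=300, sweep_names=3):
    """Return findings as (source, kind, detail) tuples, in log order."""
    failures = defaultdict(deque)   # source -> failure timestamps inside the window
    tried = defaultdict(set)        # source -> default account names attempted
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, accepted, user, src = event
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # forget failures older than the window
        if accepted:
            # One mistyped password before a success is normal; a burst is not.
            if len(q) >= max_failures:
                findings.append((src, "success-after-burst", user))
            q.clear()
            continue
        q.append(ts)
        if len(q) == max_failures:
            findings.append((src, "failure-burst", len(q)))
        if user in DEFAULT_ACCOUNTS and user not in tried[src]:
            tried[src].add(user)
            if len(tried[src]) == sweep_names:
                findings.append((src, "default-account-sweep", sorted(tried[src])))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Recording failed attempts and limiting them on the authentication path, together with removing or disabling vendor default accounts, closes the gap the excerpt describes; the log check shows when it is being probed.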
Code of ethics:
Once you get in a system, do not manipulate anything but the log file
(erase the record of your bad logins) and anywhere you might have left your
handle. (name, a.k.a.) You dont want to leave your handle anywhere because
they WILL be able to track you down by your handle alone.
Its ok to be paranoid!
Dont think for one minute that you are undetectable, if you make any
mistakes, you could get caught. Here is a list of things you could do to
help yourself from getting in trouble.
* Encrypt your entire hard drive
* hide your files in a very safe spot.
* dont tell anyone that you dont know very well about your hacking. Good
hackers never reveal specific details to anyone about their current project.
They give only very vague hints of what they are doing.
* dont openly give out your real name or address
* dont join any major hacking groups, be an individual.
* Dont hack government computers, ESPECIALLY YOUR OWN GOVERNMENTS! Foreign
computers can sometimes be phun, but dont say i didnt warn you!
* Make sure that you dont leave any evidence that you have been in a system
and any evidence of who it was.
* Use your brain.
If you follow most of these guidelines, you should be safe. The last thing
you want is to end up in a one room apartment located in the third floor of
the state prison with your cellmate Bruno, the ax murderer, who's doing
life.
Getting in:
The hardest thing about hacking is getting the numbers for a system. You
can do this by using a scanning program. Then, once you connect to a system
you must first recognise what kind of system you have connected to. (by the
way, for you real brainiacs, you have to use your terminal software to call
another system.) You can usually do this by looking at the prompt you get,
if you get one. (check the Unresponsive section) Sometimes a system will
tell you as soon as you connect by saying some thing like "hello, welcome
to Anycompany using anysystem v 1.0" When you determine what system you have
connected to, this is when you start trying your logins. You can try typing
in demo and as your userid and see if you can find any users names to try.
If you enter a name and you are allowed in without a password you usually,
but not always, have entered a name that you cant do a whole lot with but,
it can still be phun and you can probably find clues on how to get in on
another name.
While you're in:
There are usually many interesting files you can read in all of these
systems. You can read files about the system. You might want to try a help
command. They will usually tell you a lot. Sometimes, if you're lucky, you can
manage to download the manual of the system!
There is nothing like the thrill of your first hack, even if it wasnt a very
good one, it was probably still phun. You could read every text phile in the
world and you still probably wouldnt learn as much as you do during your
first hack. Have Phun!
This next segment is also excerpted from:
A Novice's Guide to Hacking- 1989 edition
by
The Mentor
Legion of Doom/Legion of Hackers
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't re-
spond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn't absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need...
3) Send a series of's.
4) Send a hard break followed by a.
5) Type a series of .'s (periods). The Canadian network Datapac responds
to this.
6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A --> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.
I tried to keep this phile as short as possible to save downloading time and just telling you the very basics like what you need to do and what you need to read. I hope this was helpful.
Plowsk¥ Phreak
Here are two philes i copied for your reading pleasure:
bluebox.txt
and
The Hackers Manifesto
bluebox.txt -
The Secrets of the Little Blue Box Originally found in Esquire Magazine
THE BLUE BOX IS INTRODUCED: ITS QUALITIES ARE REMARKED
I am in the expensively furnished living room of Al Gilbertson, the creator
of the blue box. Gilbertson is holding one of his shiny black-and-silver
blue boxes comfortably in the palm of his hand, pointing out the thirteen
little red push buttons sticking up from the console. He is dancing his
fingers over the buttons, tapping out discordant beeping electronic jingles.
He is trying to explain to me how his little blue box does nothing less than
place the entire telephone system of the world, satellites, cables and all,
at the service of the blue-box operator, free of charge.
"That's what it does. Essentially it gives you the power of a super
operator. You seize a tandem with this top button," he presses the top
button with his index finger and the blue box emits a high-pitched cheep,
"and like that," the box cheeps again "you control the phone company's long
distance switching systems from your cute little Princess phone or any old
pay phone. And you've got anonymity. An operator has to operate from a
definite location. The phone company knows where she is and what she's
doing. But with your blue box, once you hop onto a trunk, say from a Holiday
Inn 800 number, they don't know where you are, or where you're coming from,
they don't know how you slipped into their lines and popped up in that 800
number. They don't even know anything illegal is going on. And you can
obscure your origins through as many levels as you like. You can call next
door by way of White Plains, then over to Liverpool by cable and then back
here by satellite. You can call yourself from one pay phone all the way
around the world to a pay phone next to you. And you get your dime back too."
"And they can't trace the calls? They can't charge you?"
"Not if you do it the right way. But you'll find that the free-call thing
isn't really as exciting at first as the feeling of power you get from
having one of these babies in your hand. I've watched people when they first
get hold of one of these things and start using it, and discover they can
make connections, set up crisscross and zigzag switching patterns back and
forth across the world. They hardly talk to the people they finally reach.
They say hello and start thinking of what kind of call to make next. They go
a little crazy." He looks down at the neat little package in his palm. His
fingers are still dancing, tapping out beeper patterns.
"I think it's something to do with how small my models are. There are lots
of blue boxes around, but mine are the smallest and most sophisticated
electronically. I wish I could show you the prototype we made for our big
syndicate order."
He sighs. "We had this order for a thousand blue boxes from a syndicate
front man in Las Vegas. They use them to place bets coast to coast, keep
lines open for hours, all of which can get expensive if you have to pay. The
deal was a thousand blue boxes for $300 apiece. Before then we retailed them
for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a
manufacturing deal worked out in the Philippines. Everything was ready to
go. Anyway, the model I had ready for limited mass production was small
enough to fit inside a flip-top Marlboro box. It had flush-touch panels for
a keyboard, rather than these unsightly buttons sticking out. Looked just
like a tiny portable radio. In fact I had designed it with a tiny transistor
receiver to get one AM channel, so in case the law became suspicious the
owner could switch on the radio part, start snapping his fingers and no one
could tell anything illegal was going on. I thought of everything for this
model--I had it lined with a band of thermite which could be ignited by
radio signal from a tiny button transmitter on your belt, so it could be
burned to ashes instantly in case of a bust. It was beautiful. A beautiful
little machine. You should have seen the face on these syndicate guys when
they came back after trying it out. They'd hold it in their palm like they
never wanted to let it go, and they'd say, 'I can't believe it.' You
probably won't believe it until you try it."
THE BLUE BOX IS TESTED: CERTAIN CONNECTIONS ARE MADE
About eleven o'clock two nights later Fraser Lucey has a blue box in the
palm of his left hand and a phone in the palm of his right. He is standing
inside a phone booth next to an isolated shut-down motel. I am standing
outside the phone booth.
Fraser likes to show off his blue box for people. Until a few weeks ago when
Pacific Telephone made a few arrests in his city, Fraser Lucey liked to
bring his blue box to parties. It never failed: a few cheeps from his device
and Fraser became the center of attention at the very hippest of gatherings,
playing phone tricks and doing request numbers for hours. He began to take
orders for his manufacturer in Mexico. He became a dealer.
Fraser is cautious now about where he shows off his blue box. But he never
gets tired of playing with it. "It's like the first time every time," he
tells me.
Fraser puts a dime in the slot. He listens for a tone and holds the receiver
up to my ear. I hear the tone.
Fraser begins describing, with a certain practiced air, what he does while
he does it.
"I'm dialing an 800 number now. Any 800 number will do. It's toll free.
Tonight I think I'll use the Ryder Rent A Van number. Listen it's ringing.
Here, you hear it? Now watch."
He places the blue box over the mouthpiece of the phone so that the one
silver and twelve black push buttons are facing up toward me. He presses the
silver button - the one at the top - and I hear that high-pitched beep.
"That's 2600 cycles per second to be exact," says Lucey. "Now, quick,
listen."
He shoves the ear piece at me. The ringing has vanished. The line gives a
slight hiccough, there is a sharp buzz, and then nothing but soft white
noise.
"We're home free now," Lucey tells me, taking back the phone and applying
the blue box to its mouthpiece once again. "We're up on a tandem, into a
long-lines trunk. Once you're up on a tandem, you can send yourself anywhere
you want to go." He decides to check out London first. He chooses a certain
pay phone located in Waterloo station. This particular pay phone is popular
with the phone-phreaks because there are usually people walking by at all
hours who will pick it up and talk for a while.
He presses the lower left-hand corner button which is marked "KP" on the
face of the box.
"That's Key Pulse. It tells the tandem we're ready to give it instructions.
First I'll punch out KP 182 START, which will slide us into the overseas
sender in White Plains." I hear neat clunk-cheep. "I think we'll head over
to England by satellite. Cable is actually faster and the connection is
somewhat better, but I like going by satellite. So I just punch out KP Zero
44. The Zero is supposed to guarantee a satellite connection and 44 is the
country code for England. Okay...we're there. In Liverpool actually. Now all
I have to do is punch out the London area code which is 1, and dial up the
pay phone. Here, listen, I've got a ring now."
I hear the soft quick purr-purr of a London ring. Then someone picks up the
phone. "Hello," says the London voice.
"Hello, Who's this?" Fraser asks.
"Hello. There's actually nobody here. I just picked this up while I was
passing by. This is a public phone. There's no one here to answer actually."
"Hello. Don't hang up. I'm calling from the United States."
"Oh. What is the purpose of the call? This is a public phone you know."
"Oh. You know. To check out, uh, to find out what's going on in London. How
is it there?"
"It's five o'clock in the morning. It's raining now."
"Oh. Who are you?"
The London passerby turns out to be an R.A.F. enlistee on his way back to
the base in Lincolnshire, with a terrible hangover after a thirty-six hour
pass.
He and Fraser talk about the rain. They agree that it's nicer when it's not
raining. They say good-bye and Fraser hangs up. His dime returns with a nice
clink.
"Isn't that far out," he says grinning at me. "London. Like that."
Fraser squeezes the little blue box affectionately in his palm. "I told ya
this thing is for real. Listen, if you don't mind I'm gonna try this girl I
know in Paris. I usually give her a call around this time. It freaks her
out. This time I'll use the Penske 800 number and we'll go by overseas cable
133; 33 is the country code for France, the 1 sends you by cable. Okay, here
we go. Oh damn. Busy. Who could she be talking to at this time?"
A state police car cruises slowly by the motel. The car does not stop, but
Fraser gets nervous. We hop back into his car and drive ten miles in the
opposite direction until we reach a Texaco station locked up for the night.
We pull up to a phone booth by the tire pump. Fraser dashes inside and tries
the Paris number. It is busy again.
"I don't understand who she could be talking to. The circuits may be busy.
It's too bad I haven't learned how to tap into lines overseas with this
thing yet."
Fraser begins to phreak around, as the phone phreaks say. He dials a leading
nationwide charge card's 800 number and punches out the tones that bring him
the Time recording in Sydney, Australia. He beeps up the Weather recording
in Rome, in Italian of course. He calls a friend in Chicago and talks about
a certain over the counter stock they are into heavily. He finds the Paris
number busy again. He calls up a dealer of another sort and talks in code.
He calls up Joe Engressia, the original blind phone phreak genius, and pays
his respects. There are other calls. Finally Fraser gets through to his
young lady in Paris. They both agree the circuits must have been busy, and
criticize the Paris telephone system. At two-thirty in the morning Fraser
hangs up, pockets his dime, and drives off, steering with one hand, holding
what he calls his "lovely little blue box" in the other.
YOU CAN CALL LONG DISTANCE FOR LESS THAN YOU THINK
"You see, a few years ago the phone company made one big mistake,"
Gilbertson explains two days later in his apartment. "They were careless
enough to let some technical journal publish the actual frequencies used to
create all their multi-frequency tones. Just a theoretical article some Bell
Telephone Laboratories engineer was doing about switching theory, and he
listed the tones in passing. At MIT I had been fooling around with phones
for several years before I came across a copy of the journal in the
engineering library. I ran back to the lab and it took maybe twelve hours
from the time I saw that article to put together the first working blue box.
It was bigger and clumsier than this little baby, but it worked."
It's all there on public record in that technical journal written mainly by
Bell Lab people for other telephone engineers. Or at least it was public.
"Just try and get a copy of that issue at some engineering school library
now. Bell has had them all red-tagged and withdrawn from circulation,"
Gilbertson tells me.
"But it's too late now. It's all public now. And once they became public the
technology needed to create your own beeper device is within the range of
any twelve-year-old kid, any twelve-year-old blind kid as a matter of fact.
And he can do it in less than the twelve hours it took us. Blind kids do it
all the time. They can't build anything as precise and compact as my beeper
box, but theirs can do anything mine can do."
"How?"
"Okay. About twenty years ago AT&T made a multi-million dollar decision to
operate its entire long-distance switching system on twelve electronically
generated combinations of six master tones. Those are the tones you
sometimes hear in the background after you've dialed a long distance number.
They decided to use some very simple tones. The tone for each number is just
two fixed single-frequency tones played simultaneously to create a certain
beat frequency. Like 1300 cycles per second and 900 cycles per second played
together give you the tone for digit 5. Now, what some of these phone
phreaks have done is get themselves access to an electric organ. Any cheap
family home entertainment organ. Since the frequencies are public knowledge
now, one blind phone phreak has even had them recorded in one of those
talking books for the blind, they just have to find the musical notes on the
organ which correspond to the phone tones. Then they tape them. For
instance, to get Ma Bell's tone for the number, you press down organ keys F3
and A3 (900 and 700 cycles per second) at the same time. To produce the tone
for 2 it's F3 and C6 (1100 and 700 c.p.s). The phone phreaks circulate the
whole list of notes so there's no trial and error anymore."
He shows me a list of the rest of the phone numbers and the two electric
organ keys that produce them.
"Actually, you have to record these notes at 3 3/4 inches per second tape
speed and double it to 7 1/2 inches per second when you play them back, to
get the proper tones," he adds.
"So once you have all the tones recorded, how do you plug them into the
phone system?"
"Well, they take their organ and their cassette recorder, and start banging
out entire phone numbers in tones on the organ, including country codes,
routing instructions, 'KP' and 'Start' tones. Or, if they don't have an
organ, someone in the phone-phreak network sends them a cassette with all
the tones recorded with a voice saying 'Number one,' then you have the tone,
'Number two,' then the tone and so on. So with two cassette recorders they
can put together a series of phone numbers by switching back and forth from
number to number. Any idiot in the country with a cheap cassette recorder
can make all the free calls he wants."
"You mean you just hold the cassette recorder up to the mouthpiece and
switch in a series of beeps you've recorded? The phone thinks that anything
that makes these tones must be its own equipment?"
"Right. As long as you get the frequency within thirty cycles per second of
the phone company's tones, the phone equipment thinks it hears its own voice
talking to it. The original granddaddy phone phreak was this blind kid with
perfect pitch, Joe Engressia, who used to whistle into the phone. An
operator could tell the difference between his whistle and the phone
company's electronic tone generator, but the phone company's switching
circuit can't tell them apart.
"The bigger the phone company gets and the further away from human operators
it gets, the more vulnerable it becomes to all sorts of phone Phreaking."
A GUIDE FOR THE PERPLEXED
"But wait a minute," I stop Gilbertson. "If everything you do sounds like
phone-company equipment, why doesn't the phone company charge you for the
call the way it charges its own equipment?"
"Okay. That's where the 2600-cycle tone comes in. I better start from the
beginning."
The beginning he describes for me is a vision of the phone system of the
continent as thousands of webs, of long-line trunks radiating from each of
the hundreds of toll switching offices to the other toll switching offices.
Each toll switching office is a hive compacted of thousands of long-distance
tandems constantly whistling and beeping to tandems in far-off toll
switching offices.
The tandem is the key to the whole system. Each tandem is a line with some
relays with the capability of signaling any other tandem in any other toll
switching office on the continent, either directly one-to-one or by
programming a roundabout route through several other tandems if all the direct
routes are busy. For instance, if you want to call from New York to Los
Angeles and traffic is heavy on all direct trunks between the two cities,
your tandem in New York is programmed to try the next best route, which may
send you down to a tandem in New Orleans, then up to San Francisco, or down
to a New Orleans tandem, back to an Atlanta tandem, over to an Albuquerque
tandem and finally up to Los Angeles.
When a tandem is not being used, when it's sitting there waiting for someone
to make a long-distance call, it whistles. One side of the tandem, the side
"facing" our home phone, whistles at 2600 cycles per second toward all the
home phones serviced by the exchange, telling them it is at their service,
should they be interested in making a long-distance call. The other side of
the tandem is whistling 2600 c.p.s. into one or more long distance trunk
lines, telling the rest of the phone system that it is neither sending nor
receiving a call through the trunk at the moment, that it has no use for
that trunk at the moment.
When you dial a long-distance number the first thing that happens is that
you are hooked into a tandem. A register comes up to the side of the tandem
facing away from you and presents that side with the number you dialed. This
sending side of the tandem stops whistling 2600 into its trunk line. When a
tandem stops the 2600 tone it has been sending through a trunk, the trunk is
said to be "seized," and is now ready to carry the number you have dialed,
converted into multi-frequency beep tones, to a tandem in the area code and
central office you want.
Now when a blue-box operator wants to make a call from New Orleans to New
York he starts by dialing the 800 number of a company which might happen to
have its headquarters in Los Angeles. The sending side of this New Orleans
tandem stops sending 2600 out over the trunk to the central office in Los
Angeles, thereby seizing the trunk. Your New Orleans tandem begins sending
beep tones to a tandem it has discovered idly whistling 2600 cycles in Los
Angeles. The receiving end of that L.A. tandem is seized, stops whistling
2600, listens to the beep tones which tell it which L.A. phone to ring, and
starts ringing the 800 number. Meanwhile, a mark made in the New Orleans
office accounting tape indicates that a call from your New Orleans phone to
the 800 number in L.A. has been initiated and gives the call a code number.
Everything is routine so far.
But then the phone phreak presses his blue box to the mouthpiece and pushes
the 2600-cycle button, sending 2600 out from the New Orleans tandem to the
L.A. tandem. The L.A. tandem notices the 2600 cycles are coming over the line
again and assumes that New Orleans has hung up because the trunk is whistling
as if idle. But,
Thus the blue-box operator in New Orleans now is in touch with a tandem in
L.A. which is waiting like an obedient genie to be told what to do next.
The blue-box owner then beeps out the ten digits of the New York number
which tells the L.A. tandem to relay a call to New York City. Which it
promptly does. As soon as your party picks up the phone in New York, the
side of the New Orleans tandem facing you stops sending 2600 to you and
starts carrying his voice to you by way of the L.A. tandem. A notation is
made on the accounting tape that the connection has been made on the 800
call which had been initiated and noted earlier. When you stop talking to
New York a notation is made that the 800 call has ended.
At three the next morning, when the phone company's accounting computer starts
reading back over the master accounting tape for the past day, it records
that a call of a certain length of time was made from your New Orleans home
to an L.A. 800 number and, of course, the accounting computer has been
trained to ignore these toll-free 800 calls when compiling your monthly
bill.
"All they can prove is that you made an 800 call," Gilbertson the inventor
concludes. "Of course, if you're foolish enough to talk for two hours on an
800 call, and they've installed one of their special anti-fraud computer
programs to watch out for such things, they may spot you and ask you why you
took two hours talking to Army Recruiting's 800 number when you're 4-F. But
if you do it from a pay phone, they may discover something peculiar the next
day, if they've got a blue-box hunting program in their computer, but you'll
be a long time gone from the pay phone by then. Using a pay phone is almost
guaranteed safe."
"What about the recent series of blue-box arrests all across the country,
New York, Cleveland, and so on?" I asked. "How were they caught so easily?"
"From what I can tell, they made one big mistake. They were seizing trunks
using an area code plus 555-1212 instead of an 800 number. When you send
multi-frequency beep tones off 555 you get a charge for it on your tape and
the accounting computer knows there's something wrong when it tries to bill
you for a two-hour call to Akron, Ohio, information, and it drops a trouble
card which goes right into the hands of the security agent if they're
looking for blue-box users.
"Whoever sold those guys their blue boxes didn't tell them how to use them
properly, which is fairly irresponsible. And they were fairly stupid to use
them at home all the time. But what those arrests really mean is that an
awful lot of blue boxes are flooding into the country and that people are
finding them so easy to make that they know how to make them before they
know how to use them. Ma Bell is in trouble."
"And if a blue-box operator or a cassette-recorder phone phreak sticks to
pay phones and 800 numbers, the phone company can't stop them?"
"Not unless they change their entire nationwide long-lines technology, which
will take them a few billion dollars and twenty years. Right now they can't
do a thing. They're screwed."
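The two billing anomalies named in this section (an hours-long call to a toll-free number, and an hours-long call to area code plus 555-1212) are the kind of thing an accounting-side check can look for. The following is an added example, not part of the original article: the record layout, thresholds and sample records are constructed assumptions.

```python
"""Flag call records matching the billing anomalies described in the article."""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample call detail records (not real data).
SAMPLE_CDRS = """\
origin,origin_type,dialed,duration_s
504-555-0101,residential,800-555-0142,95
504-555-0101,residential,800-555-0142,7260
504-555-0188,payphone,800-555-0167,5400
216-555-0123,residential,216-555-1212,7200
216-555-0123,residential,330-555-1212,40
504-555-0199,residential,212-555-0175,3600
504-555-0101,residential,800-555-0150,4000
"""

DIRECTORY_RE = re.compile(r"^\d{3}-555-1212$")   # area code plus 555-1212
TOLL_FREE_RE = re.compile(r"^800-\d{3}-\d{4}$")  # toll-free 800 numbers

# Thresholds are assumptions for this example; derive real ones from baselines.
LIMITS = {
    "directory": ("long_directory", 5 * 60),    # lookups are normally short
    "toll_free": ("long_toll_free", 30 * 60),   # hours-long 800 calls are rare
}
REPEAT_THRESHOLD = 2  # findings per subscriber line before escalation


@dataclass(frozen=True)
class Cdr:
    origin: str
    origin_type: str
    dialed: str
    duration_s: int


@dataclass(frozen=True)
class Finding:
    origin: str
    dialed: str
    rule: str
    duration_s: int
    attributable: bool  # False for pay phones: no subscriber to follow up with


def parse_cdrs(text):
    """Parse CSV text into Cdr records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Cdr(r["origin"], r["origin_type"], r["dialed"], int(r["duration_s"]))
            for r in rows]


def classify(dialed):
    """Return 'directory', 'toll_free' or 'other' for a dialed number."""
    if DIRECTORY_RE.match(dialed):
        return "directory"
    if TOLL_FREE_RE.match(dialed):
        return "toll_free"
    return "other"


def find_anomalies(cdrs):
    """Return a Finding for every call that outlasts the limit for its class."""
    findings = []
    for c in cdrs:
        kind = classify(c.dialed)
        if kind not in LIMITS:
            continue
        rule, limit = LIMITS[kind]
        if c.duration_s > limit:
            findings.append(Finding(c.origin, c.dialed, rule, c.duration_s,
                                    c.origin_type != "payphone"))
    return findings


def repeat_origins(findings, threshold=REPEAT_THRESHOLD):
    """Subscriber lines with enough attributable findings to escalate."""
    counts = Counter(f.origin for f in findings if f.attributable)
    return sorted(o for o, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    results = find_anomalies(parse_cdrs(SAMPLE_CDRS))
    for f in results:
        print(f.rule, f.origin, f.dialed, f.duration_s, f.attributable)
    print("escalate:", repeat_origins(results))
```

Pay-phone findings are kept but marked non-attributable, since, as the article notes, a next-day batch review arrives after the caller has left.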
CAPTAIN CRUNCH DEMONSTRATES HIS FAMOUS UNIT
There is an underground telephone network in this country. Gilbertson
discovered it the very day news of his activities hit the papers. That
evening his phone began ringing. Phone phreaks from Seattle, from Florida,
from New York, from San Jose, and from Los Angeles began calling him and
telling him about the phone-phreak network. He'd get a call from a phone
phreak who'd say nothing but, "Hang up and call this number."
When he dialed the number he'd find himself tied into a conference of a
dozen phone phreaks arranged through a quirky switching station in British
Columbia. They identified themselves as phone phreaks, they demonstrated
their homemade blue boxes which they called "MFers" (for multi-frequency,
among other things) for him, they talked shop about phone phreak devices.
They let him in on their secrets on the theory that if the phone company was
after him he must be trustworthy. And, Gilbertson recalls, they stunned him
with their technical sophistication.
I ask him how to get in touch with the phone-phreak network. He digs around
through a file of old schematics and comes up with about a dozen numbers in
three widely separated area codes.
"Those are the centers," he tells me. Alongside some of the numbers he
writes in first names or nicknames: names like Captain Crunch, Dr. No, Frank
Carlson, (also a code word for free call), Marty Freeman (code word for MF
device), Peter the Perpendicular Pimple, Alefnull, and The Cheshire Cat. He
makes checks alongside the names of those among these top twelve who are
blind. There are five checks.
I ask him who this Captain Crunch person is.
"Oh, The Captain. He's probably the most legendary phone phreak. He calls
himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle.
Several years ago the makers of Cap'n Crunch breakfast cereal offered a toy
whistle prize in every box as a treat for the Cap'n Crunch set. Somehow a
phone phreak discovered that the toy whistle just happened to produce a
perfect 2600-cycle tone. When the man who calls himself Captain Crunch was
transferred overseas to England with his Air Force unit, he would receive
scores of calls from his friends and "mute" them, that is, make them free of
charge to them, by blowing his Cap'n Crunch whistle into his end."
"Captain Crunch is one of the older phone phreaks," Gilbertson tells me.
"He's an engineer who once got in a little trouble for fooling around with
the phone, but he can't stop. Well, this guy drives across country in a
Volkswagen van with an entire switchboard and a computerized
super-sophisticated MFer in the back. He'll pull up to a phone booth on a
lonely highway somewhere, snake a cable out of his bus, hook it onto the
phone and sit for hours, days sometimes, sending calls zipping back and
forth across the country, all over the world."
Back at my house, I dialed the number he gave me for "Captain Crunch" and
asked for Gary Thomas, his real name, or at least the name he uses when he's
not dashing into a phone booth beeping out MF tones faster than a speeding
bullet, and zipping phantomlike through the phone company's long-distance
lines.
When Gary answered the phone and I told him I was preparing a text file
about phone phreaks, he became very indignant.
"I don't do that. I don't do that anymore at all. And if I do it, I do it
for one reason and one reason only. I'm learning about a system. The phone
company is a system. A computer is a system. Do you understand? If I do what
I do, it is only to explore a System. Computers. Systems. That's my bag. The
phone company is nothing but a computer."
A tone of tightly restrained excitement enters the Captain's voice when he
starts talking about Systems. He begins to pronounce each syllable with the
hushed deliberation of an obscene caller.
"Ma Bell is a system I want to explore. It's a beautiful system, you know,
but Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful
system but she screwed up. I learned how she screwed up from a couple of
blind kids who wanted me to build a device. A certain device. They said it
could make free calls. But when these blind kids told me I could make calls
into a computer, my eyes lit up. I wanted to learn about computers. I wanted
to learn about Ma Bell's computers. So I built the little device. Only I
built it wrong and Ma Bell found out. Ma Bell can detect things like that.
Ma Bell knows. So I'm strictly out of it now. I don't do it. Except for
learning purposes." He pauses. "So you want to write a text file. Are you
paying for this call? Hang up and call this number."
He gives me a number in an area code a thousand miles north of his own. I
dial the number.
"Hello again. This is Captain Crunch. You are speaking to me on a toll-free
loop in Portland Oregon. Do you know what a toll-free loop is? I'll tell
you."
He explains to me that almost every exchange in the country has open test
numbers which allow other exchanges to test their connections with it. Most
of these numbers occur in consecutive pairs, such as 302 956-0041 and
956-0042. Well, certain phone phreaks discovered that if two people from
anywhere in the country dial those two consecutive numbers they can talk
together just as if one had called the other's number, with no charge to
either of them, of course.
"Your voice is looping around in a 4A switching machine up there in Canada,
zipping back down to me," the Captain tells me. "My voice is looping around
up there and back down to you. And it can't ever cost anyone money. The
phone phreaks and I have compiled a list of many many of these numbers. You
would be surprised if you saw the list. I could show it to you. But I won't.
I'm out of that now. I'm not out to screw Ma Bell. I know better. If I do
anything it's for the pure knowledge of the System. You can learn to do
fantastic things. Have you ever heard eight tandems stacked up? Do you know
the sound of tandems stacking and unstacking? Give me your phone number.
Hang up now and wait a minute."
Slightly less than a minute later the phone rang and the Captain was on the
line, his voice sounding far more excited, almost aroused.
"I wanted to show you what it's like to stack up tandems." (Whenever the
Captain says "stack up" he sounds like he is smacking his lips.)
"How do you like the connection you're on now?" the Captain asks me. "It's a
raw tandem. A raw tandem. I'm going to show you what it's like to stack up.
Blow off. Land in a faraway place. To stack that tandem up, whip back and
forth across the country a few times, then shoot on up to Moscow."
"Listen," Captain Crunch continues. "Listen. I've got a line tie on my
switchboard here, and I'm gonna let you hear me stack and unstack tandems.
Listen to this. I'm gonna blow your mind."
First I hear a super rapid-fire pulsing of flutelike phone tones, then a
pause, then another popping burst of tones, then another, then another. Each
burst is followed by a beep-kachink sound.
"We have now stacked up four tandems," said Captain Crunch, sounding
somewhat remote. "That's four tandems stacked up. Do you know what that
means? That means I'm whipping back and forth, back and forth twice, across
the country, before coming to you. I've been known to stack up twenty
tandems at a time. Now, just like I said, I'm going to shoot up to Moscow."
There is a new longer series of beeper pulses over the line, a brief
silence, then a ring.
"Hello," answers a far-off voice.
"Hello, is this the American Embassy Moscow?"
"Yes, sir, who is calling?" says the voice.
"Yes, this is test board here in New York. We're calling to check out the
circuits, see what kind of lines you've got. Everything okay there in
Moscow?"
"Okay?"
"Well, yes, how are things there?"
"Oh. Well everything's okay, I guess."
"Okay. Thank you." They hang up, leaving a confused series of beep-kachink
sounds hanging in mid-ether in the wake of the call before dissolving away.
Hackers Manifesto -
Another one got caught today, it's all over the papers. "Teenager Arrested
in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever
take a look behind the eyes of the hacker? Did you ever wonder what made
him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the
other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the
fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I
didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It
does what I want it to. If it makes a mistake, it's because I screwed it up.
Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the
phone line like heroin through an addict's veins, an electronic pulse is sent
out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to them,
may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school
when we hungered for steak... the bits of meat that you did let slip through
were pre-chewed and tasteless. We've been dominated by sadists, or ignored
by the apathetic. The few that had something to teach found us willing
pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty
of the baud. We make use of a service already existing without paying for
what could be dirt-cheap if it wasn't run by profiteering gluttons, and you
call us criminals. We explore... and you call us criminals. We seek after
knowledge... and you call us criminals. We exist without skin color, without
nationality, without religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to
make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of
judging people by what they say and think, not what they look like. My
crime is that of outsmarting you, something that you will never forgive me
for.
I am a hacker, and this is my manifesto. You may stop this individual, but
you can't stop us all... after all, we're all alike.
+++The Mentor+++
**************************************************************************
*********************** NEWBIES HANDBOOK ******************************
************** HOW TO BEGIN IN THE WORLD OF H/P ************************
********************** BY : Plowsk¥ Phreak ***********************************
***************************************************************************
***************************************************************************
Disclaimer-
I am not responsible for any of the information in this document, if it is
used for any other purpose than educational reading. Some of the
information on this page can be used illegally if the reader does not act
responsibly. The reader is responsible for his own actions.
You can copy anything from this file to any other file as long as you quote,
don't change it up, and give me the proper credit...like:
NEWBIES HANDBOOK
HOW TO BEGIN IN THE WORLD OF H/P
BY : Plowsk¥ Phreak
Intro:
When I got into hacking, I realized that there weren't many text philes for
newbies. So, I decided to write one. I don't really care about misspelled
werds or punctuation so, please ignore the mistakes. In this document I will
refer you to other documents a lot. (Because why should I waste my time
rewriting something that has already been written?) If at any time while
reading this document you ask yourself "So...How do I hack?", then go away
now and save yourself the frustration because you'll never learn. To
hack you must understand everything about a system, and then you can get
ideas and try them out.
I tried to keep this phile as short as possible, when you read this you
should just get an idea about how to hack and why we hack. If you read this
document and the philes that i have listed, you should have a good idea
on what to do, how to do it, and why. Remember every 'project' is different.
You have to use your brain and adjust to each different one.
Tools:
There are a few things you need to have to be a hacker/phreaker.
'puter - computer (duh)
terminal software - a program, like HyperTerminal or an ordinary terminal,
that allows you to dial out to another system.
blue box - (excerpted from 2600faq) Blue boxes use a 2600hz tone to seize
control of telephone switches that use in-band signalling. The caller may
then access special switch functions, with the usual purpose of making
free long distance phone calls, using the tones provided by the Blue Box.
scanner - a scanner is a program that dials out every number in your area
and listens for tones that are coming from other modems. (helps you locate
your local targets) a good scanner is Toneloc. Find it!
Fone (phone) line - I hope you know whut this is...
It also helps to know a computer language ex: C, C++ etc.
Info resources:
I don't know many good boards anymore because almost all of their sysops
(system operators) have been busted. But I suggest you get a server that
uses netscape and get unlimited access to the WWW (World Wide Web). And visit
these good homepages by entering their name in the webcrawler search
engine (http://webcrawler.com)
Silicon Toads Hacking Resources
Flamestrike Enterprises
The Plowsk¥ Page (mine, you can reach me from there)
Matervas Hideout
Burns Lair
Cold fire
From these pages you will find a wealth of information on h/p
(hacking/phreaking)
Getting started:
The first thing you must do is get on your computer, open your terminal
software and connect to a board. (bulletin board, bbs). This is a must!
(It's also a VERY basic thing). (You can usually find a bbs number on a
homepage or enter bbs in a search engine.) Now that you can do that, start
reading. Read as many text philes as possible.
Required reading:
Hackers Manifesto (at bottom)
Hackers Code of ethics
Any old issues of Phrack
any old issues of 2600
2600faq
any text documents on systems (unix, iris, dec)
DOD (department of defense) standards
Any philes on boxes (blue (one at bottom), red, beige)
For beginners, which most of you probably are, I suggest you find some of
the following systems that exist in your area and work on them first. (they
are the easiest and least risky)
This next segment is excerpted from:
A Novice's Guide to Hacking- 1989 edition
by
The Mentor
Legion of Doom/Legion of Hackers
IRIS- IRIS stands for Interactive Real Time Information System. It
originally ran on PDP-11's, but now runs on many other minis. You can
spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don't know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING
DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you see an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES
UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn't the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like 'login:' in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you'll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin
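The excerpt above turns on two gaps: unlimited login tries and no record of bad attempts. As an added example (not from The Mentor's text or any system it names), here is one way a login front end closes both, with the policy values, source names and sample events all constructed assumptions.

```python
"""Log every failed login, lock accounts after repeated failures,
and flag a source that sweeps through well-known default account names."""
from collections import defaultdict, deque

# Account names the excerpt lists as commonly tried defaults.
WATCHED_ACCOUNTS = {"root", "admin", "sysadmin", "unix", "uucp", "rje",
                    "guest", "demo", "daemon", "sysbin"}

# Policy values are assumptions for this example.
MAX_FAILURES = 5   # failures per account inside WINDOW_S before lockout
WINDOW_S = 300
LOCKOUT_S = 900
SWEEP_NAMES = 3    # distinct watched names failed from one source -> alert

# Constructed events: (timestamp_s, source, account, password_ok)
SAMPLE_EVENTS = [
    (0, "dialin-3", "root", False),
    (10, "dialin-3", "guest", False),
    (20, "dialin-3", "demo", False),
    (30, "dialin-3", "uucp", False),
    (100, "dialin-7", "bjones", False),
    (110, "dialin-7", "bjones", False),
    (120, "dialin-7", "bjones", False),
    (130, "dialin-7", "bjones", False),
    (140, "dialin-7", "bjones", False),
    (200, "dialin-7", "bjones", True),    # correct password, but locked out
    (1100, "dialin-7", "bjones", True),   # lockout has expired
]


class LoginGuard:
    def __init__(self):
        self.audit_log = []    # every refused attempt is recorded
        self.alerts = []
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._by_source = defaultdict(deque)  # source -> (ts, account)
        self._locked_until = {}
        self._flagged = set()

    def attempt(self, ts, source, account, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        account = account.lower()
        if self._locked_until.get(account, float("-inf")) > ts:
            self.audit_log.append((ts, source, account, "locked"))
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self.audit_log.append((ts, source, account, "denied"))
        self._count_failure(ts, account)
        self._check_sweep(ts, source, account)
        return "denied"

    def _count_failure(self, ts, account):
        recent = self._failures[account]
        recent.append(ts)
        while recent[0] <= ts - WINDOW_S:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = ts + LOCKOUT_S
            self.alerts.append((ts, "lockout", account))
            recent.clear()

    def _check_sweep(self, ts, source, account):
        seen = self._by_source[source]
        seen.append((ts, account))
        while seen[0][0] <= ts - WINDOW_S:
            seen.popleft()
        names = {a for _, a in seen if a in WATCHED_ACCOUNTS}
        if len(names) >= SWEEP_NAMES and source not in self._flagged:
            self._flagged.add(source)
            self.alerts.append((ts, "default_account_sweep", source))


def replay(events):
    """Run events through a fresh guard; return (guard, list of results)."""
    guard = LoginGuard()
    return guard, [guard.attempt(*e) for e in events]


if __name__ == "__main__":
    g, out = replay(SAMPLE_EVENTS)
    print(out)
    print(g.alerts)
```

Per-account lockout lets anyone who can reach the prompt lock out a legitimate user, so it is usually paired with per-source throttling.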
Code of ethics:
Once you get in a system, do not manipulate anything but the log file
(erase the record of your bad logins) and anywhere you might have left your
handle. (name, a.k.a.) You don't want to leave your handle anywhere because
they WILL be able to track you down by your handle alone.
It's OK to be paranoid!
Don't think for one minute that you are undetectable, if you make any
mistakes, you could get caught. Here is a list of things you could do to
help yourself from getting in trouble.
* Encrypt your entire hard drive
* Hide your files in a very safe spot.
* Don't tell anyone that you don't know very well about your hacking. Good
hackers never reveal specific details to anyone about their current project.
They give only very vague hints of what they are doing.
* Don't openly give out your real name or address
* Don't join any major hacking groups, be an individual.
* Don't hack government computers, ESPECIALLY YOUR OWN GOVERNMENT'S! Foreign
computers can sometimes be phun, but don't say I didn't warn you!
* Make sure that you don't leave any evidence that you have been in a system
and any evidence of who it was.
* Use your brain.
If you follow most of these guidelines, you should be safe. The last thing
you want is to end up in a one room apartment located on the third floor of
the state prison with your cellmate Bruno, the ax murderer, who's doing
life.
Getting in:
The hardest thing about hacking is getting the numbers for a system. You
can do this by using a scanning program. Then, once you connect to a system
you must first recognise what kind of system you have connected to. (by the
way, for you real brainiacs, you have to use your terminal software to call
another system.) You can usually do this by looking at the prompt you get,
if you get one. (check the Unresponsive section) Sometimes a system will
tell you as soon as you connect by saying something like "hello, welcome
to Anycompany using anysystem v 1.0" When you determine what system you have
connected to, this is when you start trying your logins. You can try typing
in demo and as your userid and see if you can find any users names to try.
If you enter a name and you are allowed in without a password you usually,
but not always, have entered a name that you can't do a whole lot with, but
it can still be phun and you can probably find clues on how to get in on
another name.
While you're in:
There are usually many interesting files you can read in all of these
systems. You can read files about the system. You might want to try a help
command. They will usually tell you a lot. Sometimes, if you're lucky, you can
manage to download the manual of the system!
There is nothing like the thrill of your first hack, even if it wasn't a very
good one, it was probably still phun. You could read every text phile in the
world and you still probably wouldn't learn as much as you do during your
first hack. Have Phun!
This next segment is also excerpted from:
A Novice's Guide to Hacking- 1989 edition
by
The Mentor
Legion of Doom/Legion of Hackers
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't
respond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn't absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need...
3) Send a series of
4) Send a hard break followed by a
5) Type a series of .'s (periods). The Canadian network Datapac responds
to this.
6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A --> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.
I tried to keep this phile as short as possible to save downloading time,
just telling you the very basics like what you need to do and what you need
to read. I hope this was helpful.
Plowsk¥ Phreak
Here are two philes I copied for your reading pleasure:
bluebox.txt
and
The Hackers Manifesto
bluebox.txt -
The Secrets of the Little Blue Box Originally found in Esquire Magazine
THE BLUE BOX IS INTRODUCED: ITS QUALITIES ARE REMARKED
I am in the expensively furnished living room of Al Gilbertson, the creator
of the blue box. Gilbertson is holding one of his shiny black-and-silver
blue boxes comfortably in the palm of his hand, pointing out the thirteen
little red push buttons sticking up from the console. He is dancing his
fingers over the buttons, tapping out discordant beeping electronic jingles.
He is trying to explain to me how his little blue box does nothing less than
place the entire telephone system of the world, satellites, cables and all,
at the service of the blue-box operator, free of charge.
"That's what it does. Essentially it gives you the power of a super
operator. You seize a tandem with this top button," he presses the top
button with his index finger and the blue box emits a high-pitched cheep,
"and like that," the box cheeps again "you control the phone company's long
distance switching systems from your cute little Princess phone or any old
pay phone. And you've got anonymity. An operator has to operate from a
definite location. The phone company knows where she is and what she's
doing. But with your blue box, once you hop onto a trunk, say from a Holiday
Inn 800 number, they don't know where you are, or where you're coming from,
they don't know how you slipped into their lines and popped up in that 800
number. They don't even know anything illegal is going on. And you can
obscure your origins through as many levels as you like. You can call next
door by way of White Plains, then over to Liverpool by cable and then back
here by satellite. You can call yourself from one pay phone all the way
around the world to a pay phone next to you. And you get your dime back too."
"And they can't trace the calls? They can't charge you?"
"Not if you do it the right way. But you'll find that the free-call thing
isn't really as exciting at first as the feeling of power you get from
having one of these babies in your hand. I've watched people when they first
get hold of one of these things and start using it, and discover they can
make connections, set up crisscross and zigzag switching patterns back and
forth across the world. They hardly talk to the people they finally reach.
They say hello and start thinking of what kind of call to make next. They go
a little crazy." He looks down at the neat little package in his palm. His
fingers are still dancing, tapping out beeper patterns.
"I think it's something to do with how small my models are. There are lots
of blue boxes around, but mine are the smallest and most sophisticated
electronically. I wish I could show you the prototype we made for our big
syndicate order."
He sighs. "We had this order for a thousand blue boxes from a syndicate
front man in Las Vegas. They use them to place bets coast to coast, keep
lines open for hours, all of which can get expensive if you have to pay. The
deal was a thousand blue boxes for $300 apiece. Before then we retailed them
for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a
manufacturing deal worked out in the Philippines. Everything was ready to
go. Anyway, the model I had ready for limited mass production was small
enough to fit inside a flip-top Marlboro box. It had flush-touch panels for
a keyboard, rather than these unsightly buttons sticking out. Looked just
like a tiny portable radio. In fact I had designed it with a tiny transistor
receiver to get one AM channel, so in case the law became suspicious the
owner could switch on the radio part, start snapping his fingers and no one
could tell anything illegal was going on. I thought of everything for this
model--I had it lined with a band of thermite which could be ignited by
radio signal from a tiny button transmitter on your belt, so it could be
burned to ashes instantly in case of a bust. It was beautiful. A beautiful
little machine. You should have seen the face on these syndicate guys when
they came back after trying it out. They'd hold it in their palm like they
never wanted to let it go, and they'd say, 'I can't believe it.' You
probably won't believe it until you try it."
THE BLUE BOX IS TESTED: CERTAIN CONNECTIONS ARE MADE
About eleven o'clock two nights later Fraser Lucey has a blue box in the
palm of his left hand and a phone in the palm of his right. He is standing
inside a phone booth next to an isolated shut-down motel. I am standing
outside the phone booth.
Fraser likes to show off his blue box for people. Until a few weeks ago when
Pacific Telephone made a few arrests in his city, Fraser Lucey liked to
bring his blue box to parties. It never failed: a few cheeps from his device
and Fraser became the center of attention at the very hippest of gatherings,
playing phone tricks and doing request numbers for hours. He began to take
orders for his manufacturer in Mexico. He became a dealer.
Fraser is cautious now about where he shows off his blue box. But he never
gets tired of playing with it. "It's like the first time every time," he
tells me.
Fraser puts a dime in the slot. He listens for a tone and holds the receiver
up to my ear. I hear the tone.
Fraser begins describing, with a certain practiced air, what he does while
he does it.
"I'm dialing an 800 number now. Any 800 number will do. It's toll free.
Tonight I think I'll use the Ryder Rent A Van number. Listen it's ringing.
Here, you hear it? Now watch."
He places the blue box over the mouthpiece of the phone so that the one
silver and twelve black push buttons are facing up toward me. He presses the
silver button - the one at the top - and I hear that high-pitched beep.
"That's 2600 cycles per second to be exact," says Lucey. "Now, quick,
listen."
He shoves the ear piece at me. The ringing has vanished. The line gives a
slight hiccough, there is a sharp buzz, and then nothing but soft white
noise.
"We're home free now," Lucey tells me, taking back the phone and applying
the blue box to its mouthpiece once again. "We're up on a tandem, into a
long-lines trunk. Once you're up on a tandem, you can send yourself anywhere
you want to go." He decides to check out London first. He chooses a certain
pay phone located in Waterloo station. This particular pay phone is popular
with the phone-phreaks because there are usually people walking by at all
hours who will pick it up and talk for a while.
He presses the lower left-hand corner button which is marked "KP" on the
face of the box.
"That's Key Pulse. It tells the tandem we're ready to give it instructions.
First I'll punch out KP 182 START, which will slide us into the overseas
sender in White Plains." I hear a neat clunk-cheep. "I think we'll head over
to England by satellite. Cable is actually faster and the connection is
somewhat better, but I like going by satellite. So I just punch out KP Zero
44. The Zero is supposed to guarantee a satellite connection and 44 is the
country code for England. Okay...we're there. In Liverpool actually. Now all
I have to do is punch out the London area code which is 1, and dial up the
pay phone. Here, listen, I've got a ring now."
I hear the soft quick purr-purr of a London ring. Then someone picks up the
phone. "Hello," says the London voice.
"Hello, Who's this?" Fraser asks.
"Hello. There's actually nobody here. I just picked this up while I was
passing by. This is a public phone. There's no one here to answer actually."
"Hello. Don't hang up. I'm calling from the United States."
"Oh. What is the purpose of the call? This is a public phone you know."
"Oh. You know. To check out, uh, to find out what's going on in London. How
is it there?"
"It's five o'clock in the morning. It's raining now."
"Oh. Who are you?"
The London passerby turns out to be an R.A.F. enlistee on his way back to
the base in Lincolnshire, with a terrible hangover after a thirty-six hour
pass.
He and Fraser talk about the rain. They agree that it's nicer when it's not
raining. They say good-bye and Fraser hangs up. His dime returns with a nice
clink.
"Isn't that far out," he says grinning at me. "London. Like that."
Fraser squeezes the little blue box affectionately in his palm. "I told ya
this thing is for real. Listen, if you don't mind I'm gonna try this girl I
know in Paris. I usually give her a call around this time. It freaks her
out. This time I'll use the Penske 800 number and we'll go by overseas cable
133; 33 is the country code for France, the 1 sends you by cable. Okay, here
we go. Oh damn. Busy. Who could she be talking to at this time?"
A state police car cruises slowly by the motel. The car does not stop, but
Fraser gets nervous. We hop back into his car and drive ten miles in the
opposite direction until we reach a Texaco station locked up for the night.
We pull up to a phone booth by the tire pump. Fraser dashes inside and tries
the Paris number. It is busy again.
"I don't understand who she could be talking to. The circuits may be busy.
It's too bad I haven't learned how to tap into lines overseas with this
thing yet."
Fraser begins to phreak around, as the phone phreaks say. He dials a leading
nationwide charge card's 800 number and punches out the tones that bring him
the Time recording in Sydney, Australia. He beeps up the Weather recording
in Rome, in Italian of course. He calls a friend in Chicago and talks about
a certain over the counter stock they are into heavily. He finds the Paris
number busy again. He calls up a dealer of another sort and talks in code.
He calls up Joe Engressia, the original blind phone phreak genius, and pays
his respects. There are other calls. Finally Fraser gets through to his
young lady in Paris. They both agree the circuits must have been busy, and
criticize the Paris telephone system. At two-thirty in the morning Fraser
hangs up, pockets his dime, and drives off, steering with one hand, holding
what he calls his "lovely little blue box" in the other.
YOU CAN CALL LONG DISTANCE FOR LESS THAN YOU THINK
"You see, a few years ago the phone company made one big mistake,"
Gilbertson explains two days later in his apartment. "They were careless
enough to let some technical journal publish the actual frequencies used to
create all their multi-frequency tones. Just a theoretical article some Bell
Telephone Laboratories engineer was doing about switching theory, and he
listed the tones in passing. At MIT I had been fooling around with phones
for several years before I came across a copy of the journal in the
engineering library. I ran back to the lab and it took maybe twelve hours
from the time I saw that article to put together the first working blue box.
It was bigger and clumsier than this little baby, but it worked."
It's all there on public record in that technical journal written mainly by
Bell Lab people for other telephone engineers. Or at least it was public.
"Just try and get a copy of that issue at some engineering school library
now. Bell has had them all red-tagged and withdrawn from circulation,"
Gilbertson tells me.
"But it's too late now. It's all public now. And once they became public the
technology needed to create your own beeper device is within the range of
any twelve-year-old kid, any twelve-year-old blind kid as a matter of fact.
And he can do it in less than the twelve hours it took us. Blind kids do it
all the time. They can't build anything as precise and compact as my beeper
box, but theirs can do anything mine can do."
"How?"
"Okay. About twenty years ago AT&T made a multi-million dollar decision to
operate its entire long-distance switching system on twelve electronically
generated combinations of six master tones. Those are the tones you
sometimes hear in the background after you've dialed a long distance number.
They decided to use some very simple tones. The tone for each number is just
two fixed single-frequency tones played simultaneously to create a certain
beat frequency. Like 1300 cycles per second and 900 cycles per second played
together give you the tone for digit 5. Now, what some of these phone
phreaks have done is get themselves access to an electric organ. Any cheap
family home entertainment organ. Since the frequencies are public knowledge
now, one blind phone phreak has even had them recorded in one of those
talking books for the blind, they just have to find the musical notes on the
organ which correspond to the phone tones. Then they tape them. For
instance, to get Ma Bell's tone for the number, you press down organ keys F3
and A3 (900 and 700 cycles per second) at the same time. To produce the tone
for 2 it's F3 and C6 (1100 and 700 c.p.s.). The phone phreaks circulate the
whole list of notes so there's no trial and error anymore."
He shows me a list of the rest of the phone numbers and the two electric
organ keys that produce them.
"Actually, you have to record these notes at 3 3/4 inches per second tape
speed and double it to 7 1/2 inches per second when you play them back, to
get the proper tones," he adds.
"So once you have all the tones recorded, how do you plug them into the
phone system?"
"Well, they take their organ and their cassette recorder, and start banging
out entire phone numbers in tones on the organ, including country codes,
routing instructions, 'KP' and 'Start' tones. Or, if they don't have an
organ, someone in the phone-phreak network sends them a cassette with all
the tones recorded with a voice saying 'Number one,' then you have the tone,
'Number two,' then the tone and so on. So with two cassette recorders they
can put together a series of phone numbers by switching back and forth from
number to number. Any idiot in the country with a cheap cassette recorder
can make all the free calls he wants."
"You mean you just hold the cassette recorder up to the mouthpiece and
switch in a series of beeps you've recorded? The phone thinks that anything
that makes these tones must be its own equipment?"
"Right. As long as you get the frequency within thirty cycles per second of
the phone company's tones, the phone equipment thinks it hears its own voice
talking to it. The original grandaddy phone phreak was this blind kid with
perfect pitch, Joe Engressia, who used to whistle into the phone. An
operator could tell the difference between his whistle and the phone
company's electronic tone generator, but the phone company's switching
circuit can't tell them apart.
The bigger the phone company gets and the further away from human operators
it gets, the more vulnerable it becomes to all sorts of phone Phreaking."
A GUIDE FOR THE PERPLEXED
"But wait a minute," I stop Gilbertson. "If everything you do sounds like
phone-company equipment, why doesn't the phone company charge you for the
call the way it charges its own equipment?"
"Okay. That's where the 2600-cycle tone comes in. I better start from the
beginning."
The beginning he describes for me is a vision of the phone system of the
continent as thousands of webs, of long-line trunks radiating from each of
the hundreds of toll switching offices to the other toll switching offices.
Each toll switching office is a hive compacted of thousands of long-distance
tandems constantly whistling and beeping to tandems in far-off toll
switching offices.
The tandem is the key to the whole system. Each tandem is a line with some
relays with the capability of signaling any other tandem in any other toll
switching office on the continent, either directly one-to-one or by
programming a roundabout route through several other tandems if all the direct
routes are busy. For instance, if you want to call from New York to Los
Angeles and traffic is heavy on all direct trunks between the two cities,
your tandem in New York is programmed to try the next best route, which may
send you down to a tandem in New Orleans, then up to San Francisco, or down
to a New Orleans tandem, back to an Atlanta tandem, over to an Albuquerque
tandem and finally up to Los Angeles.
When a tandem is not being used, when it's sitting there waiting for someone
to make a long-distance call, it whistles. One side of the tandem, the side
"facing" our home phone, whistles at 2600 cycles per second toward all the
home phones serviced by the exchange, telling them it is at their service,
should they be interested in making a long-distance call. The other side of
the tandem is whistling 2600 c.p.s. into one or more long distance trunk
lines, telling the rest of the phone system that it is neither sending nor
receiving a call through the trunk at the moment, that it has no use for
that trunk at the moment.
When you dial a long-distance number the first thing that happens is that
you are hooked into a tandem. A register comes up to the side of the tandem
facing away from you and presents that side with the number you dialed. This
sending side of the tandem stops whistling 2600 into its trunk line. When a
tandem stops the 2600 tone it has been sending through a trunk, the trunk is
said to be "seized," and is now ready to carry the number you have dialed,
converted into multi-frequency beep tones, to a tandem in the area code and
central office you want.
Now when a blue-box operator wants to make a call from New Orleans to New
York he starts by dialing the 800 number of a company which might happen to
have its headquarters in Los Angeles. The sending side of this New Orleans
tandem stops sending 2600 out over the trunk to the central office in Los
Angeles, thereby seizing the trunk. Your New Orleans tandem begins sending
beep tones to a tandem it has discovered idly whistling 2600 cycles in Los
Angeles. The receiving end of that L.A. tandem is seized, stops whistling
2600, listens to the beep tones which tell it which L.A. phone to ring, and
starts ringing the 800 number. Meanwhile, a mark made in the New Orleans
office accounting tape indicates that a call from your New Orleans phone to
the 800 number in L.A. has been initiated and gives the call a code number.
Everything is routine so far.
But then the phone phreak presses his blue box to the mouthpiece and pushes
the 2600-cycle button, sending 2600 out from the New Orleans tandem notices
the 2600 cycles are coming over the line again and assumes that New Orleans
has hung up because the trunk is whistling as if idle. But,
Thus the blue-box operator in New Orleans now is in touch with a tandem in
L.A. which is waiting like an obedient genie to be told what to do next.
The blue-box owner then beeps out the ten digits of the New York number
which tells the L.A. tandem to relay a call to New York City. Which it
promptly does. As soon as your party picks up the phone in New York, the
side of the New Orleans tandem facing you stops sending 2600 to you and
starts carrying his voice to you by way of the L.A. tandem. A notation is
made on the accounting tape that the connection has been made on the 800
call which had been initiated and noted earlier. When you stop talking to
New York a notation is made that the 800 call has ended.
At three the next morning, when the phone company's accounting computer starts
reading back over the master accounting tape for the past day, it records
that a call of a certain length of time was made from your New Orleans home
to an L.A. 800 number and, of course, the accounting computer has been
trained to ignore these toll free 800 calls when compiling your monthly
bill.
"All they can prove is that you made an 800 call," Gilbertson the inventor
concludes. "Of course, if you're foolish enough to talk for two hours on an
800 call, and they've installed one of their special anti-fraud computer
programs to watch out for such things, they may spot you and ask you why you
took two hours talking to Army Recruiting's 800 number when you're 4-F. But
if you do it from a pay phone, they may discover something peculiar the next
day, if they've got a blue-box hunting program in their computer, but you'll
be a long time gone from the pay phone by then. Using a pay phone is almost
guaranteed safe."
"What about the recent series of blue-box arrests all across the country,
New York, Cleveland, and so on?" I asked. "How were they caught so easily?"
"From what I can tell, they made one big mistake. They were seizing trunks
using an area code plus 555-1212 instead of an 800 number. When you send
multi-frequency beep tones off 555 you get a charge for it on your tape and
the accounting computer knows there's something wrong when it tries to bill
you for a two-hour call to Akron, Ohio, information, and it drops a trouble
card which goes right into the hands of the security agent if they're
looking for blue-box users.
"Whoever sold those guys their blue boxes didn't tell them how to use them
properly, which is fairly irresponsible. And they were fairly stupid to use
them at home all the time. But what those arrests really mean is that an
awful lot of blue boxes are flooding into the country and that people are
finding them so easy to make that they know how to make them before they
know how to use them. Ma Bell is in trouble."
"And if a blue-box operator or a cassette-recorder phone phreak sticks to
pay phones and 800 numbers, the phone company can't stop them?"
"Not unless they change their entire nationwide long-lines technology, which
will take them a few billion dollars and twenty years. Right now they can't
do a thing. They're screwed."
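The weakness described in this section is in-band signalling: the trunk's idle tone travels on the same channel as the caller's voice, so the switch cannot tell who produced it. As an added illustration (not part of the article or of any phone-company system), the Python sketch below shows the defender's side of that problem, a Goertzel detector that flags sustained 2600-cycle energy arriving from the subscriber side of a call. The 8 kHz sample rate, 50 ms frames, thresholds and audio frames are constructed assumptions.

```python
import math

SAMPLE_RATE = 8000     # assumption: 8 kHz telephony sampling
FRAME_LEN = 400        # assumption: 50 ms analysis frames
IDLE_TONE_HZ = 2600    # the trunk idle tone named in the article
TOLERANCE_HZ = 30      # article: equipment accepts tones within 30 cycles
DOMINANCE = 0.6        # assumption: share of frame energy the tone must hold
MIN_FRAMES = 2         # assumption: ignore blips shorter than 100 ms


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Squared magnitude of the frame's spectrum at one frequency."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def idle_tone_fraction(frame):
    """Share of the frame's energy that sits in the 2600 +/- 30 band.

    A pure tone inside the band scores close to 1.0. Speech that merely
    contains some 2600-cycle energy scores low, which is the guard
    against false alarms on ordinary conversation.
    """
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return 0.0  # silence is not a tone
    probes = range(IDLE_TONE_HZ - TOLERANCE_HZ,
                   IDLE_TONE_HZ + TOLERANCE_HZ + 1, 10)
    peak = max(goertzel_power(frame, f) for f in probes)
    return 2.0 * peak / (len(frame) * energy)


def is_idle_tone(frame):
    return idle_tone_fraction(frame) >= DOMINANCE


def scan_subscriber_audio(frames, min_frames=MIN_FRAMES):
    """Return (start_frame, length) runs where the idle tone dominates."""
    runs, start = [], None
    # The trailing None is a sentinel that closes a run ending at the last frame.
    for idx, frame in enumerate(list(frames) + [None]):
        hit = frame is not None and is_idle_tone(frame)
        if hit and start is None:
            start = idx
        elif not hit and start is not None:
            if idx - start >= min_frames:
                runs.append((start, idx - start))
            start = None
    return runs


def synth(components, n=FRAME_LEN, rate=SAMPLE_RATE):
    """Constructed audio: sum of (freq_hz, amplitude) sine components."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / rate)
                for f, a in components) for i in range(n)]


def constructed_call():
    """Constructed subscriber-side audio for one call, frame by frame."""
    speech = synth([(300, 1.0), (1200, 0.8), (2600, 0.3)])  # voice-like mix
    tone = synth([(2600, 1.0)])                              # dominant idle tone
    off_band = synth([(2700, 1.0)])                          # outside tolerance
    return [speech, speech, tone, tone, tone, speech, off_band, tone]


if __name__ == "__main__":
    for start, length in scan_subscriber_audio(constructed_call()):
        ms = length * FRAME_LEN * 1000 // SAMPLE_RATE
        print(f"idle tone from subscriber side at frame {start} for {ms} ms")
```

The durable fix is the one the article alludes to as a change of technology: carry signalling on a channel the subscriber's audio cannot reach, so a detector like this is only a stopgap.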
CAPTAIN CRUNCH DEMONSTRATES HIS FAMOUS UNIT
There is an underground telephone network in this country. Gilbertson
discovered it the very day news of his activities hit the papers. That
evening his phone began ringing. Phone phreaks from Seattle, from Florida,
from New York, from San Jose, and from Los Angeles began calling him and
telling him about the phone-phreak network. He'd get a call from a phone
phreak who'd say nothing but, "Hang up and call this number."
When he dialed the number he'd find himself tied into a conference of a
dozen phone phreaks arranged through a quirky switching station in British
Columbia. They identified themselves as phone phreaks, they demonstrated
their homemade blue boxes which they called "MFers" (for multi-frequency,
among other things) for him, they talked shop about phone phreak devices.
They let him in on their secrets on the theory that if the phone company was
after him he must be trustworthy. And, Gilbertson recalls, they stunned him
with their technical sophistication.
I ask him how to get in touch with the phone-phreak network. He digs around
through a file of old schematics and comes up with about a dozen numbers in
three widely separated area codes.
"Those are the centers," he tells me. Alongside some of the numbers he
writes in first names or nicknames: names like Captain Crunch, Dr. No, Frank
Carlson, (also a code word for free call), Marty Freeman (code word for MF
device), Peter the Perpendicular Pimple, Alefnull, and The Cheshire Cat. He
makes checks alongside the names of those among these top twelve who are
blind. There are five checks.
I ask him who this Captain Crunch person is.
"Oh, The Captain. He's probably the most legendary phone phreak. He calls
himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle.
Several years ago the makers of Cap'n Crunch breakfast cereal offered a toy
whistle prize in every box as a treat for the Cap'n Crunch set. Somehow a
phone phreak discovered that the toy whistle just happened to produce a
perfect 2600-cycle tone. When the man who calls himself Captain Crunch was
transferred overseas to England with his Air Force unit, he would receive
scores of calls from his friends and "mute" them, that is, make them free of
charge to them, by blowing his Cap'n Crunch whistle into his end."
"Captain Crunch is one of the older phone phreaks," Gilbertson tells me.
"He's an engineer who once got in a little trouble for fooling around with
the phone, but he can't stop. Well, this guy drives across country in a
Volkswagen van with an entire switchboard and a computerized
super-sophisticated MFer in the back. He'll pull up to a phone booth on a
lonely highway somewhere, snake a cable out of his bus, hook it onto the
phone and sit for hours, days sometimes, sending calls zipping back and
forth across the country, all over the world."
Back at my house, I dialed the number he gave me for "Captain Crunch" and
asked for Gary Thomas, his real name, or at least the name he uses when he's
not dashing into a phone booth beeping out MF tones faster than a speeding
bullet, and zipping phantomlike through the phone company's long-distance
lines.
When Gary answered the phone and I told him I was preparing a text file
about phone phreaks, he became very indignant.
"I don't do that. I don't do that anymore at all. And if I do it, I do it
for one reason and one reason only. I'm learning about a system. The phone
company is a system. A computer is a system. Do you understand? If I do what
I do, it is only to explore a System. Computers. Systems. That's my bag. The
phone company is nothing but a computer."
A tone of tightly restrained excitement enters the Captain's voice when he
starts talking about Systems. He begins to pronounce each syllable with the
hushed deliberation of an obscene caller.
"Ma Bell is a system I want to explore. It's a beautiful system, you know,
but Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful
system but she screwed up. I learned how she screwed up from a couple of
blind kids who wanted me to build a device. A certain device. They said it
could make free calls. But when these blind kids told me I could make calls
into a computer, my eyes lit up. I wanted to learn about computers. I wanted
to learn about Ma Bell's computers. So I built the little device. Only I
built it wrong and Ma Bell found out. Ma Bell can detect things like that.
Ma Bell knows. So I'm strictly out of it now. I don't do it. Except for
learning purposes." He pauses. "So you want to write a text file. Are you
paying for this call? Hang up and call this number."
He gives me a number in an area code a thousand miles north of his own. I
dial the number.
"Hello again. This is Captain Crunch. You are speaking to me on a toll-free
loop in Portland Oregon. Do you know what a toll-free loop is? I'll tell
you."
He explains to me that almost every exchange in the country has open test
numbers which allow other exchanges to test their connections with it. Most
of these numbers occur in consecutive pairs, such as 302 956-0041 and
956-0042. Well certain phone phreaks discovered that if two people from
anywhere in the country dial those two consecutive numbers they can talk
together just as if one had called the other's number, with no charge to
either of them, of course.
"Your voice is looping around in a 4A switching machine up there in Canada,
zipping back down to me," the Captain tells me. "My voice is looping around
up there and back down to you. And it can't ever cost anyone money. The
phone phreaks and I have compiled a list of many many of these numbers. You
would be surprised if you saw the list. I could show it to you. But I won't.
I'm out of that now. I'm not out to screw Ma Bell. I know better. If I do
anything it's for the pure knowledge of the System. You can learn to do
fantastic things. Have you ever heard eight tandems stacked up? Do you know
the sound of tandems stacking and unstacking? Give me your phone number.
Hang up now and wait a minute."
Slightly less than a minute later the phone rang and the Captain was on the
line, his voice sounding far more excited, almost aroused.
"I wanted to show you what it's like to stack up tandems (Whenever the
Captain says "stack up" he sounds like he is smacking his lips)."
"How do you like the connection you're on now?" the Captain asks me. "It's a
raw tandem. A raw tandem. I'm going to show you what it's like to stack up.
Blow off. Land in a faraway place. To stack that tandem up, whip back and
forth across the country a few times, then shoot on up to Moscow."
"Listen," Captain Crunch continues. "Listen. I've got a line tie on my
switchboard here, and I'm gonna let you hear me stack and unstack tandems.
Listen to this. I'm gonna blow your mind."
First I hear a super rapid-fire pulsing of flutelike phone tones, then a
pause, then another popping burst of tones, then another, then another. Each
burst is followed by a beep-kachink sound.
"We have now stacked up four tandems," said Captain Crunch, sounding
somewhat remote. "That's four tandems stacked up. Do you know what that
means? That means I'm whipping back and forth, back and forth twice, across
the country, before coming to you. I've been known to stack up twenty
tandems at a time. Now, just like I said, I'm going to shoot up to Moscow."
There is a new longer series of beeper pulses over the line, a brief
silence, then a ring.
"Hello," answers a far-off voice.
"Hello, Is this the American Embassy Moscow?"
"Yes, sir, who is calling?" says the voice.
"Yes, This is test board here in New York. We're calling to check out the
circuits, see what kind of lines you've got. Everything okay there in
Moscow?"
"Okay?"
"Well, yes, how are things there?"
"Oh. Well everything's okay, I guess."
"Okay. Thank you." They hang up, leaving a confused series of beep-kachink
sounds hanging in mid-ether in the wake of the call before dissolving away.
Hackers Manifesto -
Another one got caught today, it's all over the papers. "Teenager Arrested
in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever
take a look behind the eyes of the hacker? Did you ever wonder what made
him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the
other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the
fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I
didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It
does what I want it to. If it makes a mistake, it's because I screwed it up.
Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the
phone line like heroin through an addict's veins, an electronic pulse is sent
out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to them,
may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school
when we hungered for steak... the bits of meat that you did let slip through
were pre-chewed and tasteless. We've been dominated by sadists, or ignored
by the apathetic. The few that had something to teach found us willing
pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty
of the baud. We make use of a service already existing without paying for
what could be dirt-cheap if it wasn't run by profiteering gluttons, and you
call us criminals. We explore... and you call us criminals. We seek after
knowledge... and you call us criminals. We exist without skin color, without
nationality, without religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to
make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of
judging people by what they say and think, not what they look like. My
crime is that of outsmarting you, something that you will never forgive me
for.
I am a hacker, and this is my manifesto. You may stop this individual, but
you can't stop us all... after all, we're all alike.
+++The Mentor+++