============================================================================= PHUK MAGAZINE - Phile 3 of 10 ============================================================================= --------------------------- HISTORY: New Scientist 1973 --------------------------- This issue's HISTORY section has an article published in the New Scientist on the 13th December 1973 in the wake of the Old Bailey trial. The article made the front page, running under the headline "Are phone phreaks just telephone addicts?". Anything in square brackets is mine, the rest comes straight from the magazine page to you ... Enjoy & Have phun! - Phuk-Ed -- [headline] Are telephones addictive? [intro] Nine "phone phreaks" were acquitted last month after a seven-week trial at the Old Bailey. The trial gave considerable publicity to teh techniques used by a small and determined group of intellectuals with a compulsive desire to know the telephone system inside out. [start] When Post Office invesigators raided a Hammersmith, London flat in October 1972, the found a "phone phreaks" conference in progress with large quantities of telephone equipment, a computer printout listing supposedly secret Post Office codes, and devices for making calls. A Post Office installed monitoring device showed that one man had spent much of the day experimenting with one of London's international exchanges. Nineteen men went on trial on 3 October at the Old Bailey. With advance promises of nominal fines, 10 pleaded guilty - one to actually making calls, the others to conspiracy. Fines ranged from 50 to 100 [pounds]. The other nine stood trial for conspiracy to defraud the telephone system. On 13 November, all were acquitted, in a trial estimated to have cost more than 100,000 [pounds]. Most were men in their 20s holding university degrees, primarily from Oxford, Cambridge and London. Their interest had begun in student days, usually from reading standard texts such as Atkinson's Telphony and moving on to the Post Office Electrical Engineers Journal. Experiments by exhuastive dialing on local networks followed. Soon the exhausted the possibilities of dialing and moved on to electronic aids. Their attitude was neatly summarised by the trial judge Neil McKinnon, QC, when he commented: "Some take to heroin, some take to telephones." He, too, entered into the spirit of the thing and asked for the codes used in his own local exchange in south London. Like scientists conducting experiments, the phone phreaks report results to one another. And they take a perverse delight in writing to the Post Office to explain new and previously undetected ways to beat the telephone system - often the Post Office does not believe these suggestions until much later. The penetration of the Post Office's secrets has been massive. The investigation that led to the recent trial was apparently triggered by the discovery that for some years the Cambridge University Titan computer had held complete and laboriously compiled files detailing the entire trunk and local network system [caption] Imitate control signals [start] In general, telephone enthusiasts (as the court genteely put it) work by imitating the control signals that the telephone system must have. he signals tell an exchange, for example, that a call is coming from another exchange, or that a subscriber has hung up, or that a call has been answered and that charging should begin. On long distance trunk circuits the signals are withing the normal telephone speech bandwidth (30 Hz - 3 kHz), and the UK Post Office uses pulses of single frequency - 2.28 kHz, As the signalling must take place on the line which will be used for the call, there is no way that the Post Office can prevent anyone from imitating the codes. Usually they use a "bleeper" which puts the tone onto the line with an accoustic coupler, similar to that used for portable computer terminals. Details of using a bleeper to make international calls are given in the box. [start sub-box] [photograph with caption] Typical phone phreaking equipment. Rear right - an older style AC9 simulator (bleeper) with a telephone dial. Front, a newer AC9 simulator, with an accoustic coupler (an ordinary telephone earpiece). Rear left - a multifrequency simulator. A print-out of telephone codes lies under the equipment. [basically thats what the photo shows ... this stuff is OLD and clunky looking though!] [end sub-box] In the last few years, the Post Office has begun the introduction of the Trunk Transit Network to effect speedier transit of information. Where the normal system uses pulses of 2.28 kHz to represent numbers (1 pulse for 1, 2 for 2, etc, just like a telephone dial), the new Multifrequcny system (MF2) has six different tones, and uses two at a time, permitting 15 possible combinations (10 numbers and 5 control signals). Thus, where the 0 required 10 pulses, it now only requires 1. The Post Office hopes to introduce full nationwide STD using this technique by 1980. This goal was achieved in the USA and many European countries some years ago. Generating the six tones required in the UK is more complex than tha traditional 2.28 kHz, and involves a six-frequency generator. Because many countries have their own sets of tones, the international phone phreak will need a set of bleepers. One presented in evidence at the trial was very elaborate, being capable of simulating seven different signalling sytems. Nicknamed the Mighty Wurlitzer, it was rumoured to cost 200 [pounds] to build. The Post Office offered 20 [pounds] for it. As new MF2 centres are added to the network - Newcastle, Hull and Bradford last month - the Post Office is reportedly intensly worried about the vulnerability of MF2. It is perhaps typical that the Post Office were initially complacent, and did not believe the Cambridge undergrad who some years ago told them that MF2 could be beaten. One defendant revealed that he and others had written a set of letters to the Post Office explaining flaws in the system. His most recent contribution - a dialling sequence known as 9-1-11 which would give irregular STD service from small country exchanges - was haughtlyi rejected by a Post Office expert with "it couldn't theoretically work". [begin sub-box] [caption] Bleeping around the world [start] At the trial, the Post Office gave a demonstration of how international calls might be made, using a bleeper. The telephone enthusiast first dials an STD call to a destination which will be charged at local rate - from London to Badger's Mount just north of Sevenoaks will do. This call is routed automatically through the london STD centre and the trunk exchange in sevenoaks. When the call (which is made to a number known to be spare) had gone through, he sends the "clear forward" signal which tells Badger's Mount that the call is finished. Because the enthusiast's telephone is still off the hook, the London equipment believes that the call to be still in progress. The result is an open line going as far as the Sevenoaks trunk exchange. He then sends to Sevenoaks a signal known as "seize" which wakes up the Sevenoaks end. He could then send the digit "1" which will put him on the outgoing trunks from Sevenoaks. By dialling the secret trunk codes or routings, he can then dial freely through the trunk network. He could dial to Tunbridge Wells (code 15) and through it to Cardiff (65) and London International (112). At this point, by using other tones, he could if he wished experiment in any part of the world. Unlike STD codes, the trunk codes are not the same throughout the country - to get from Reading to Tunbridge the code would be 35 rather than 15. Thus the enthusiasts have built up massive files of trunk codes, often produced on computer printouts. Knowing the codes, however, does little good because they cannot simply be dialled - extra equipment is required. The clicks that an ordinary telephone dial sends down the line are reallt DC pulses, 67 millisec (ms) long, send at the rate of 10 per second. Long distance trunk circuits cannot handle DC, so the exchange automatically converts these to eually long pulses of 2.28 kHz. This signalling system is known as AC9. Having already passed the local exchange, the phone phreak must produce his own 2.28 kHz signals. Some people are actuially able to whistle the correct tone, but most phone phreaks use some sort of electronic simulator - usually called a bleeper - made up of a tone generator and a telephone dial or more complex push button system. The device must also produce at least one other signal - the Clear Forward which is 700 ms of 2.28 kHz. The seize signal is simply a "1". One of the effects of the clear forward signal is to accidentally generate another signal which starts the equipment in London charging for the call. Thus, the user of a bleeper is then paying for the call whether or not he ever completes it. But the charge is always for a call to the first exchange dialed (London always thinks that the call is to Badger's Mount) so the bleeper user always starts with a call to the local exchange to keep the cost down. The legal question enters at this point - the effect of the recent acquittal would appear to be that using a bleeper is not illegal unless a call is actually completed, in which case the phone phreak is getting a long distance call at local rates. Simple possesion of bleepers themselves is apparently not illegal, although the Post Office has the right to disconnect the phone of anyone who uses one [there is a diagram accompanying this sub-box which just uses a box and arrow type diagram showing the relationships between the different exchanges discussed in para 2] [end sub-box] [caption] Dial direct [start] There is a second major way for the telephone enthusiasts to get into the PO network. As described here recently (vol 58, pg 23), some engineers had covertly installed their own unauthorised links. As these individuals had ample opportunity to discover the secrets of the telephone network, the only purpose of such circuits could be fraud, as was shown in the recent prosecution of a Bristol engineer who operated an Air Charter compnay on the side. Several other accesses arose accidentaly, caused by careless or sloppy design. Thei utility to telephone enthusiasts had resulted in a large scale hunt for them. A list of these trunk accesses was eventually passed to the Post Office. Nevertheless, suggestions of "sabotage from within" are hotly denied by the Post Office. But a recent example is an "engineers fiddle" fitted to the Chiswick exchange. It allowed North London Post Office staff who knew about it to make free STD calls, quite illegally from phones all over London. By dialling 995 for Chiswick, then 47, then any four digits to "unlock" the circuit (since someone, perhaps even an investigator, might stumble on 995-47 by accident), they would be enabled to dial free calls. This money saving device disappeared earlier this year, when the code became needed for new subscribers on that exchange and the engineer had to take it out. Two devices to avoid payment were displayed at the trial. One, known simply as a black box or non-charge facility, is simply a battery and two simple components that can be fitted to any telephone and prevent the exchange from realising that the called telephone has been answered - thus no charge is made to the caller. The other was more amusing - a 2p piece on a length of thread. Its student owner had not known that it could be used for telephones, but a zealous executive engineer studied the problem and showed the court how, with a little legerdemain, it could be retrieved from the reject slot of the coin box. [caption] Telephone tapping? As might be expected in Watergate year, allegations of telephone tapping were well to the fore, and several Post Office methods were exposed. The first, and simplest, is a printermeter, which makes an automatic record of whom you call, for how long, and the exact time and date of the call. The second is the misuse of special test circuits to listen in to any call. The operator or monitor merely has to dial you number on these special circuits, and listen for as long as he likes. The intended use of such circuits is to interrupt a call to tell you that someone is trying to call you from abroad, for instance. The third is the euphemistically named "Call Check Circuit" - this can be attached to any phone in the country - and is undetectable. It can be used with a tape recorder to record all incoming and outgoing calls. Identifiable only by the type number painted on it, 60345, it is now fitted as standard equipment. [start sub-box] [photograph with caption] The Post Office goes to great, but unsuccessful lengths to keep its secrets. The centre door (31-32 High Holborn) is the unmarked entrance to the Kingsway exchange, London's largest trunk exchange, located in two deep bomb shelters under Chancery Lane underground station. [end sub-box] The British Post Office is not the only organisation with pranksters prowling through their system. In the USA, the vast telephone network has been blighted for some time by the phenomenon. For technical reasons, the Bell system is far more open to the possessor of a Blue Box, as a bleeper is called across the Atlantic. Forty years ago, world telephone technologies diverged. The Bell system, which owns almost all of North America;s 140 million telephones, started to use the crossbar system, while Britain stuck with the Strowger method, invented by a Kansas City undertaker in the 1890s. The effect of the crossbar on the trunk network was to enable the same codes that are used for the nationwide dialling system to be used for the internal codes of the system, resulting in far greater reliability and faster operation. It also uses a multifrequency signalling system, using frequencies between 700 Hz and 1700 Hz. Because of the identical code usage, US phreaks are sparedn the hard work of compiling and using special trunk codes as in Britain. The phreaks first appeared on the US scene in the early 1960s when a group of MIT students were found to have conducted a late night dialling experiment on the Defense Department's secret network. They were rewarded with jobs when they explained their system to Bell investigators. The attitude was a little different a few years later when blind Joe Engressia, sometimes acclaimed as the "King of the Phone Phreaks", was discovered merrily whistling down the line to fix up free calls around the world for his school friends. As a result of his widely-publicised prosecution, many individuals who had been working in teh dark, alone, across the continent rang in to Blind Joe. The new technology spread rapidly through the underground, and names like Captain Crunch and Midnight Stalker became commonplace on illegaly procured trunks. The name "phone phreak" identified the enthusiasts with the common underground usage of freak as someone who was cool and used drugs. Since then, the telephone system has been a battleground between the phreaks and the Telcos (as the telephone companies nickname themselves). Abbie Hoffman's Yippies, the Youth International Party, gave birth to a phreak division whose monthly, The Party Line, publishes details of the latest and best Anti-Telco hardware. It has recently diversified into using high-power magnets on parking meters in order to stay longer, cheaper. In June 1972, Ramparts carried a set of instructions on how to build the Black Box, or non-charge facility. In the US, phreaking is receiving increasing publicity, and the annual conference held on 8 September at a major New York hotel was given wide press coverage. Unveiled at that meeting was the Red Box - an electronic device that simulates tone pulses sent to an operator when money is put into a coin box. From the Telcos this year comes their effort to keep up, the Model 51A Dialled Digit recorder. It costs $3500. For a further $1000 the MF option can be fitted, and with another $100 for the 67A extender, the telephone company can have a recorder which will record no less than four different types of signalling: a match to the Mighty Wurlitzer. [begin sub-box] [caption] An Old Bailey anniversary This year is the 20th anniversary of another Old Bailey telephone conspiracy trial. In that year, a Mayfair chemical company director and two friends were accused of making automatic trunk calls around Britain - almost ten years before STD was introduced. And all for a single charge of an old penny. Their method was known as the Toll A drop-back, named after Toll A, an exchange near St Paul's which routes calls between London and nearby non-London exchanges. The trick was to dial a number, such as Dartford 21111, which was then not allocated. Then, the reciever rest would be "flashed" (depressed for 1/2 a second). This would act in a similar way to the "clear forward" on the a.c. system. The caller would be left with an open line into the Toll A exchange. The user could then dial a code, 018, which would take him on to what was then the first trunk (long distance) exchange in Britain. Once again with a list of trunk codes which he could have compiled by experimentation, he could dial around Britain. The advantages of these methods in 1953 was immense. The delays on trunk calls through the trunk operator could often be several hours, and the quality very poor. The method is still available. One of the defendannts in last month's trial was alleged to have made experiments by using a Toll A dropback. He had dialled Caterham 41111, a number not in use. Then by flashing, he could dial through the Toll A exchange, and out through exchanges around London to some point where he would be able to dial up onto the trunk network. In May, a London chemistry student pleaded guilty to making calls to he US utilising Toll A dropback via exchanges in Surrey where trunk accesses had been fitted at the time. he was fined 70 [pounds] plus 10 [pounds] costs and ordered to pay the Post Office 350 [pounds] for lost revenue. [end sub-box] [Phew! I am knackered after typing that in! but I hoped you enjoyed it! Nice to know that the Red Box has come of age ... being 21 years old this year! I actually met one of these defendants at this trial at a 2600 meeting last year. A few questions though ... WHERE are the Call Check Circuit marked 60345 installed??? In a junction? a DP? In you house??? and WHY can't BT be as complacent as the Post Office are reported to have been? - Phuk-Ed] +++ EOF