Sunday, September 24, 2006

X-HACKER:
A 19-year-old Belgian female technology student known as 'Gigabyte' was arrested and charged with computer data sabotage for creating viruses. She says she never spread the viruses. She also created a virus in C#. Her site has been taken offline and her computers were confiscated.

Links of Interest:
Gigabytes Guestbook: View or Sign
Google Cache of coderz.net/gigabyte

"When people make guns, can you blame them when somebody else kills with them?" - "I only write them. I don't release them." She said.

In '02 Gigabyte did an interview with TechTV defending her work, saying she never releases her viruses into the wild. If convicted, she faces up to 3 years in prison and fines up to 250,000.

Monday, March 27, 2006

Cell phone Hacking !!!


The cellular/mobile phone system is one that is perfectly set up to be exploited by phreaks with the proper knowledge and equipment. Thanks to deregulation, the regional BOC's (Bell Operating Companies) are scattered and do not communicate much with each other. Phreaks can take advantage of this by pretending to be mobile phone customers whose "home base" is a city served by a different BOC, known as a "roamer". Since it is impractical for each BOC to keep track of the customers of all the other BOC's, they will usually allow the customer to make the calls he wishes, often with a surcharge of some sort.

The bill is then forwarded to the roamer's home BOC for collection. However, it is fairly simple (with the correct tools) to create a bogus ID number for your mobile phone, and pretend to be a roamer from some other city and state, that's "just visiting". When your BOC tries to collect for the calls from your alleged "home BOC", they will discover you are not a real customer; but by then, you can create an entirely new electronic identity, and use that instead.

How does the cellular system know who is calling, and where they are? When a mobile phone enters a cell's area of transmission, it transmits its phone number and its 8 digit ID number to that cell, who will keep track of it until it gets far enough away that the sound quality is sufficiently diminished, and then the phone is "handed off" to the cell that the customer has walked or driven into. This process continues as long as the phone has power and is turned on. If the phone is turned off (or the car is), someone attempting to call the mobile phone will receive a recording along the lines of "The mobile phone customer you have dialed has left the vehicle or driven out of the service area." When a call is made to a mobile phone, the switching equipment will check to see if the mobile phone being called is "logged in", so to speak, or present in one of the cells. If it is, the call will then act (to the speaking parties) just like a normal call - the caller may hear a busy tone, the phone may just ring, or the call may be answered.

How does the switching equipment know whether or not a particular phone is authorized to use the network? Many times, it doesn't. When a dealer installs a mobile phone, he gives the phone's ID number (an 8 digit hexadecimal number) to the local BOC, as well as the phone number the BOC assigned to the customer. Thereafter, whenever a phone is present in one of the cells, the two numbers are checked - they should be registered to the same person. If they don't match, the telco knows that an attempted fraud is taking place (or at best, some transmission error) and will not allow calls to be placed or received at that phone. However, it is impractical (especially given the present state of deregulation) for the telco to have records of every cellular customer of every BOC. Therefore, if you're going to create a fake ID/phone number combination, it will need to be "based" in an area that has a cellular system (obviously), has a different BOC than your local area does, and has some sort of a "roamer" agreement with your local BOC.

How can one "phreak" a cellular phone? There are three general areas when phreaking cellular phones; using one you found in an unlocked car (or an unattended walk-about model), modifying your own chip set to look like a different phone, or recording the phone number/ID number combinations sent by other local cellular phones, and using those as your own. Most cellular phones include a crude "password" system to keep unauthorized users from using the phone - however, dealers often set the password (usually a 3 to 5 digit code) to the last four digits of the customer's mobile phone number. If you can find that somewhere on the phone, you're in luck. If not, it shouldn't be TOO hard to hack, since most people aren't smart enough to use something besides "1111", "1234", or whatever. If you want to modify the chip set in a cellular phone you bought (or stole), there are two chips (of course, this depends on the model and manufacturer, yours may be different) that will need to be changed - one installed at the manufacturer (often epoxied in) with the phone's ID number, and one installed by the dealer with the phone number, and possibly the security code. To do this, you'll obviously need an EPROM burner as well as the same sort of chips used in the phone (or a friendly and unscrupulous dealer!). As to recording the numbers of other mobile phone customers and using them; as far as I know, this is just theory... but it seems quite possible, if you've got the equipment to record and decode it. The cellular system would probably freak out if two phones (with valid ID/phone number combinations) were both present in the network at once, but it remains to be seen what will happen.

Extracting the HD password from an XBox hard drive


The XBox hard drive uses a fairly old but relatively unused set of security commands to prevent easy access to its built-in drive. However, since the password system does not specify any form of challenge/reply system, the password is transmitted in "clear" form. Thus with the right equipment and a little bit of patience you can easily read the values.

The ATA spec provides a command labeled SECURITY UNLOCK (command code 0xF2) which provides a means for passing a 32 byte password to an IDE drive in order to unlock it. There are two passwords, a master and a user password. The xbox uses the user password.

To get to the password you need at least 22 (preferably 23) probes.

DD(15:0) -- data pins
CS(1:0)- -- Chip Select
DA(2:0)  -- Device Address
DIOW-    -- Device I/O Write
DIOR-    -- Device I/O Read (optional)

When dealing with hardware you need to realise that there is a difference between the voltage level of a line and the line's meaning. For the "standard" wire the low voltage condition (usually 0V) corresponds to binary 0 and the high voltage condition (2.7V, 3.3V, 5V, 12V, or whatever) is binary 1. There are signals that are "negative logic", in which case the opposite is true: 0V == binary 1, +xV == binary 0. The ATA spec uses the symbol 'A' (for asserted) to indicate the high voltage condition, and the symbol 'N' (for negated) for the low voltage condition.

The CS0-1, DIOW, and DIOR lines are negative logic, which is indicated by the '-' mark after their names (above and in the spec).

There are several registers in the ATA spec; they are addressed by the combination of the CS and DA lines. Several of these registers have different meanings depending on whether they are read or written; the write meaning is shown first. The values for these registers are:

CS1-  CS0-  DA2   DA1   DA0   bits  Name
0(A)  1(N)  1(A)  1(A)  0(N)   8    Device Control Reg./Alt. Status Reg.
1(N)  1(N)  X     X     X     16    Data Port
1(N)  0(A)  1(A)  1(A)  1(A)   8    Command Reg./Status Reg.
1(N)  0(A)  1(A)  1(A)  0(N)   8    Device Reg.
1(N)  0(A)  1(A)  0(N)  1(A)   8    LBA High Reg.
1(N)  0(A)  1(A)  0(N)  0(N)   8    LBA Mid Reg.
1(N)  0(A)  0(N)  1(A)  1(A)   8    LBA Low Reg.
1(N)  0(A)  0(N)  1(A)  0(N)   8    Sector Count Reg.
1(N)  0(A)  0(N)  0(N)  1(A)   8    Feature Reg./Error Reg.
1(N)  0(A)  0(N)  0(N)  0(N)  16    Data Reg.

The value to be placed in the register is passed on the DD lines (the data lines). When setting an 8 bit register the low bits in the data lines (0-7) are used.

The XBox appears to use a standard method for sending ATA commands to its drives. The SECURITY UNLOCK command doesn't require the use of the sector count, LBA low/mid/high, or features registers, but they get cleared anyway. The only register that we are really interested in, to begin with, is the command register. What we need to do is set up our logic analyzer to trigger (start capturing) when the command register is written to with a value of 0xF2. The method for doing this is dependent on your analyzer, RTFM. So, trigger when:

CS1 == 1
CS0 == 0
DA2 == 1
DA1 == 1
DA0 == 1
DIOW == 1
DD(7:0) == 0xF2

At this point the XBox has written the command 0xF2 (SECURITY UNLOCK) to the drive, which is now expecting to receive the password over the data lines in subsequent writes. The mode used to transfer the data is called "PIO data-out" and transfers 512 bytes of data (that's 256 16 bit writes) over the data lines, controlled by bits in the Status register. There is a good diagram in the ATA spec showing the transfer process, and you are encouraged to have it on hand when going through this the first time (the latest ATA specs can be found at www.t13.org).

The data to be transferred is:

word #0: bit 0 == 1->Master password, 0->User password
         bits 15-1 == reserved (these were 0 in my case)
         so the whole data word was 0x0000
word #1: first two bytes of password
word #2: second two bytes of password
...
word #16: last two bytes of password
words #17-255: reserved (these were all zero in my case)

The transfer does not begin immediately. The device (the IDE drive in the xbox) must first signal that it is ready to receive the data. In the PIO modes this flow control is done through the Status Register. The bits in the 8 bit status register are:

bit 7: BSY   Busy (the device is busy)
bit 6: DRDY  Device Ready (the device is accepting commands)
bit 5: DF    Device Fault (device is unable to complete the command)
bit 4: #     (Command Specific)
bit 3: DRQ   Data Request (device is ready to transfer data)
bit 2: ---   Unused (Obsolete)
bit 1: ---   Unused (Obsolete)
bit 0: ERR   Error (an error occurred while processing a command)

The transfer of data to the drive cannot occur until BSY == 0. You will see (if you are watching the DIOR line) that the xbox is polling that register waiting for the bit to clear. When it does, the xbox will begin transferring the data bytes to the drive.

It is worthwhile for me to note that on high speed analyzers you will see the logic lines drift from their previous value to the new value. This is *normal* and is due to the capacitance of the data bus. You need to be looking at the stable signal, not at the (possibly multiple) transient values which occur during the change. This is the reason for the DIOW- line, to tell the device when the data lines are stable. Slower measurement devices will (probably) not see these transient results. If you are unfamiliar with such high speed devices this can be confusing :)

Options for those without a logic analyzer

I have had a bunch of questions centered mainly on how to do this without the analyzer or some other specialized equipment. Generally my answer is: you probably can't. I *seriously* doubt that any generic input device on a PC can be read at anywhere near the speed required.

If someone really wants to try, my suggestion is to start with the parallel port. I do not know that much about the parallel port, but you may be able to program it to read the data at a sufficiently fast rate. It appears to have at least 9 input lines (though some are inverted) which can be used to read the pins on the IDE cable. You would have to dedicate 6 of these pins to the control signals (CS(1:0)-, DA(2:0), and DIOW-), and could use the other 3 to gather data from the DD pins. This would, of course, require multiple runs to gather all of the 16 bits for each word in the password.

The two primary questions I can't answer are the capacitance of the input pins on the parallel port, and the speed with which they can be polled. If the capacitance is too high you will be ruining the IDE signals, and the xbox will almost certainly not be able to communicate with the drive at all. If that is the case it may never get to the stage of trying to transfer the password to the drive (worst case is it could overheat the IDE controller chipset). If the read speed is too low then you will not be able to get all of the state changes, and will probably not be able to read anything of use. My *guess* as to the lowest possible read rate is somewhere around 25MHz. At this rate you will probably miss some of the DIOW line changes, but should be able to see all of the actual data bus changes.

If you decide to try this, verify it works on some other drive before using your xbox drive, as I have no idea what kinds of problems might come up if it fails.

Good luck, and happy hacking.
-SpeedBump

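The register addressing and the 256-word PIO data-out layout described above can be decoded mechanically, which is what makes a cleartext SECURITY UNLOCK recoverable by anyone with access to the bus. The following is an added example, not code from the original article: the `Sample` layout, latching on the rising edge of DIOW-, low-byte-first ordering within each data word, and the capture itself are all assumptions constructed for illustration.

```python
from typing import Iterable, Iterator, List, NamedTuple, Optional, Tuple

SECURITY_UNLOCK = 0xF2  # command code given in the article

class Sample(NamedTuple):
    """One analyzer sample (assumed layout); every field is a raw pin level."""
    cs1_n: int   # CS1-  (negative logic)
    cs0_n: int   # CS0-  (negative logic)
    da: int      # DA2..DA0 packed into three bits
    diow_n: int  # DIOW- (negative logic write strobe)
    dd: int      # DD(15:0)

# Write-side meaning of each address, keyed by (CS1- level, CS0- level, DA),
# transcribed from the register table in the article.
WRITE_REGS = {
    (0, 1, 0b110): "Device Control",
    (1, 0, 0b111): "Command",
    (1, 0, 0b110): "Device",
    (1, 0, 0b101): "LBA High",
    (1, 0, 0b100): "LBA Mid",
    (1, 0, 0b011): "LBA Low",
    (1, 0, 0b010): "Sector Count",
    (1, 0, 0b001): "Feature",
    (1, 0, 0b000): "Data",
}

class UnlockPayload(NamedTuple):
    which: str            # "user" or "master" (word 0, bit 0)
    password: bytes       # words 1..16, 32 bytes
    reserved_clear: bool  # word 0 bits 15-1 and words 17..255 all zero

def decode_writes(samples: Iterable[Sample]) -> Iterator[Tuple[str, int]]:
    """Yield (register, value) for every completed write.

    A write completes when DIOW- goes from low to high. The value used is the
    last sample taken while the strobe was still low, so transient values seen
    while the data lines settle are ignored.
    """
    prev = None
    for s in samples:
        if prev is not None and prev.diow_n == 0 and s.diow_n == 1:
            reg = WRITE_REGS.get((prev.cs1_n, prev.cs0_n, prev.da))
            if reg is not None:
                yield reg, prev.dd if reg == "Data" else prev.dd & 0xFF
        prev = s

def find_security_unlock(samples: Iterable[Sample]) -> Optional[UnlockPayload]:
    """Locate the 0xF2 command and parse the 256 data words that follow it."""
    writes = decode_writes(samples)
    for reg, val in writes:
        if reg == "Command" and val == SECURITY_UNLOCK:
            break
    else:
        return None                      # command never seen
    words: List[int] = []
    for reg, val in writes:
        if reg == "Command":
            return None                  # new command before the block finished
        if reg == "Data":
            words.append(val)
            if len(words) == 256:
                break
    if len(words) < 256:
        return None                      # capture ended mid-transfer
    password = b"".join(w.to_bytes(2, "little") for w in words[1:17])
    reserved_clear = (words[0] >> 1) == 0 and not any(words[17:])
    return UnlockPayload("master" if words[0] & 1 else "user", password, reserved_clear)

def _write(cs1_n: int, cs0_n: int, da: int, value: int) -> List[Sample]:
    """Constructed samples for one write: unsettled data, settled data, strobe released."""
    return [Sample(cs1_n, cs0_n, da, 0, 0xFFFF),
            Sample(cs1_n, cs0_n, da, 0, value),
            Sample(cs1_n, cs0_n, da, 1, value)]

def constructed_capture(password: bytes) -> List[Sample]:
    """Build a synthetic capture shaped like the sequence the article describes."""
    cap: List[Sample] = []
    for da in (0b001, 0b010, 0b011, 0b100, 0b101):   # registers cleared before the command
        cap += _write(1, 0, da, 0x00)
    cap += _write(1, 0, 0b111, SECURITY_UNLOCK)
    cap += [Sample(1, 0, 0b111, 1, 0x0080)] * 3      # host polling status: no DIOW- activity
    words = [0x0000]                                  # word 0: user password, reserved bits 0
    words += [int.from_bytes(password[i:i + 2], "little") for i in range(0, 32, 2)]
    words += [0x0000] * 239                           # words 17..255 reserved
    for w in words:
        cap += _write(1, 0, 0b000, w)
    return cap

if __name__ == "__main__":
    sample_pw = bytes(range(0x41, 0x61))              # constructed 32-byte value
    print(find_security_unlock(constructed_capture(sample_pw)))
```
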
Imaging Your Xbox HD using dd (in QNX OS)
by xbill
A method for imaging your Xbox hd to a file, or set of files, including a procedure for imaging directly from one disk to another (cloning) using dd in the QNX OS.
This is one method for imaging/cloning your Xbox hd. It is by no means the only method.

1) REQUIREMENTS AND OPTIONS
2) WARNINGS
3) UNLOCKING THE XBOX HD
4) FILE SIZE LIMITS
5) IMAGING
6) USING OPTIONS
7) CLONING


1) REQUIREMENTS AND OPTIONS
* A Disassembled Xbox
(THIS VOIDS THE WARRANTY AND PRESENTS A POTENTIAL SAFETY HAZARD)
* A fairly recent PC system with an available standard IDE interface.
* A bootable QNX (www.qnx.com) OS.
I used QNX because it installs quickly from CD ROM, and has a tiny footprint, but this should be possible with Linux as well. Free OSes rule!
* A spare IDE/ATA hd of equal or greater capacity than the Xbox hd, and/or equivalent free space on an existing file system.

OPTIONS:
* Networking components (NIC, drivers, cables, hubs, switches, etc.)
* LAN with server(s) featuring disks with file systems such as NTFS that support large file sizes, and with the networking drivers and protocols necessary to share files on the LAN installed.
* SMB network file system manager/client (CIFS.) This is included with QNX.




2) WARNINGS:
Running the Xbox with the cover off, and the power supply exposed presents a safety hazard. Be extremely careful when working around the open Xbox with the power on.
A serious or fatal electrical shock could ruin your day.
Swapping cables, and working near live circuits can also potentially cause damage to the electronics if not handled carefully. If a metal part or a tool falls onto live circuits, you could roast something.
Watch out for static electricity. Prior to handling components, or swapping cables, touch the chassis of your PC with the back of your hand to discharge any built-up static charge on your body.
I, and the publisher, SiliconIce, assume no responsibility for any damage to you or your stuff. This is provided for informational purposes only.
Just watch yerself, OK?


3) UNLOCKING THE XBOX HD:
Since the Xbox hd has the ATA Security feature enabled, you'll need to unlock it before you attempt to image it.
This is the cable swap method.
Set up your Xbox and your PC right next to each other, such that the PC's available IDE drive cable and power connector can reach the Xbox hd.
Connect an available power connector from the PC's power supply to the Xbox hd.
Connect the IDE cable from the Xbox to the Xbox hd.
Power up the PC and hit the "Pause" key before it autotypes the drives.
Power up the Xbox to the idle Dashboard.
*During the Xbox startup, the Xbox transmits the password via the ATA Unlock Command, and the drive is unlocked.
Now, carefully disconnect the Xbox IDE cable from the Xbox hd.
Plug the PC IDE cable into the Xbox hd.
Hit any key on the PC keyboard to let it continue to boot.
Now the drive is unlocked and reconnected to the PC, ready for read(/write?) operations.

4) FILE SIZE LIMITS
As with many Unix/Linux OSes, there is a 2GB file size limit with QNX due to its use of the minix filesystem, which kinda sucks. This means breaking the image into smaller chunks. However, I decided that during analysis, smaller files would be easier to handle than one huge file. So, breaking the image into eight 1GB files makes some sense. I have the 8GB Western Digital hd.
For Linux, it probably depends on the distribution, the file system, and the processor. However, I think tweaking, and relinking the kernel in Linux for larger file support (LFS) is probably easier than it is in QNX.
Be aware that there may be a file size limit on some file systems.
If your OS can handle large file sizes, then you can adjust your dd options to read/write larger images.


5) IMAGING
To make images of the Xbox hd, you can use the standard dd util in a shell script.
When using dd, you must use the raw block device.
With QNX, the first IDE hd is /dev/hd0. If you connected the Xbox hd to the secondary IDE then it’s /dev/hd1.
Use df to display the total blocks on the disks.
This display is for the Western Digital 8GB, yours may look different.
# df -P
Filesystem 512-blocks Used Available Capacity Mounted on
/dev/fd0 0 0 0 100%
/dev/hd1 15633073 15633073 0 100%
/dev/hd0t79 156344517 16213159 140131358 11% /
/dev/hd0 156355585 156355585 0 100%
#

/dev/hd1 shows 15633073 blocks (512 byte sectors.)
15633073 is not evenly divisible, but 15633072 is.
15633072 / 8 = 1954134
Just include the odd sector in the last file. So, the first seven files will be 1954134 blocks each, and the last will be 1954135.
dd can take bytes or blocks, I just kept it as blocks.
The "skip" parameter is for skipping past the previously imaged sectors.
I created eight image files of roughly 1 GB each.
Create the script using the vi editor:
# vi getxboxhd
Type the letter "i", for insert mode, and type, or cut & paste these lines in:
# Western Digital 8GB
dd if=/dev/hd1 of=/xbx/xfile1 ibs=512 obs=512 count=1954134
dd if=/dev/hd1 of=/xbx/xfile2 ibs=512 obs=512 skip=1954134 count=1954134
dd if=/dev/hd1 of=/xbx/xfile3 ibs=512 obs=512 skip=3908268 count=1954134
dd if=/dev/hd1 of=/xbx/xfile4 ibs=512 obs=512 skip=5862402 count=1954134
dd if=/dev/hd1 of=/xbx/xfile5 ibs=512 obs=512 skip=7816536 count=1954134
dd if=/dev/hd1 of=/xbx/xfile6 ibs=512 obs=512 skip=9770670 count=1954134
dd if=/dev/hd1 of=/xbx/xfile7 ibs=512 obs=512 skip=11724804 count=1954134
dd if=/dev/hd1 of=/xbx/xfile8 ibs=512 obs=512 skip=13678938 count=1954135

Press the Esc key to exit insert mode.
Then save and exit the vi editor.
Chmod it for executable:
# chmod 744 getxboxhd
Run it:
# getxboxhd
Go find something else to do, this will take a long time to run.
I’m sure there is a cleaner way to do this, like a speedy C program, but the script here requires no compilation/linking.
While the script is running, after each dd line is done you’ll see the Records in/Records Out telling you that it copied the sectors to a file.
When it is finished, you’ll be back at the command prompt.
Type ls to see the files:
# ls -al /xbx
total 15633084
drwxrwxr-x 2 root root 2048 Jan 08 17:48 .
drwxrwxr-x 13 root root 4096 Jan 08 17:48 ..
-r--r--r-- 1 root root 1000516608 Dec 15 17:23 xfile1
-r--r--r-- 1 root root 1000516608 Dec 15 22:56 xfile2
-r--r--r-- 1 root root 1000516608 Dec 15 23:28 xfile3
-r--r--r-- 1 root root 1000516608 Dec 16 00:10 xfile4
-r--r--r-- 1 root root 1000516608 Dec 16 01:00 xfile5
-r--r--r-- 1 root root 1000516608 Dec 16 02:00 xfile6
-r--r--r-- 1 root root 1000516608 Dec 16 03:09 xfile7
-r--r--r-- 1 root root 1000517120 Dec 16 04:28 xfile8
#
Now you can use spatch to browse the files.
# spatch -b /xbx/xfile3
You should be able to use one of the file dumper utils that are out there to extract the actual xbox disk files from the images.

Also, you can modify the script and add the date and time to the filename so if you image additional files, they will be unique:
filedate=`date "+%m%d%y.%H%M"`
dd if=/dev/hd1 of=/xbx/xfile1.$filedate ibs=512 obs=512 …… ……
dd if=/dev/hd1 of=/xbx/xfile2.$filedate ibs=512 obs=512 …… ……


6) USING OPTIONS
Now that you have the image files, you may want to copy/move them to other systems for analysis.
If you have an NT or Win2K system with large NTFS disks, you can copy the files there and use your favorite Windows tools.
I used QNX’s fs-cifs SMB manager/client. This allows the QNX system to communicate with and use SMB network shares.
First, I created a share on my Win2k system called XBSHARE.
Then, on the QNX system, I launched fs-cifs to mount that share:
# fs-cifs -a //win2kbox:192.168.1.20:/XBSHARE /xshare username password
I’m not sure why, but fs-cifs requires both Netbios name and IP.
The -a option spoofs POSIX calls to get rid of error messages that occur when apps attempt to chmod/chown the files on the share. This option is not required.
The /XBSHARE is the share I created on the win2k system.
The /xshare is the local QNX mountpoint for the share.
Username and password must be any valid user account on the win2k system that has permissions to read & write the shared directory.
Now copy the files to /xshare:
# cp /xbx/xfile? /xshare
This will take a long time, too.
You could dd the files directly to the share, but this is really really slow.

Another option is to dd the files to another local disk that is formatted FAT16.
When the dd script is complete, shut down, and move the FAT16 drive to another system.

7) CLONING
I have not cloned the Xbox hd to another hd, yet. However, I believe the cloning procedure should be much the same as imaging to a file, or files using dd.
You can dd from one disk to another, but I suggest that the disks be on different IDE channels. Put the Xbox hd on as a secondary IDE master, and the spare disk on as primary IDE slave.

Make sure you know which drives are which before doing the dd.
The primary master should be /dev/hd0.
The primary slave should be /dev/hd1.
The secondary master (Xbox hd) should be /dev/hd2
Again, with file size limits, the blocks/sectors may need to be copied in chunks.
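You could dd something like this. The seek option moves the write position on the target disk by the same number of blocks that skip moves the read position on the source; without it, every chunk would be written over the start of the target disk.
dd if=/dev/hd2 of=/dev/hd1 ibs=512 obs=512 count=n
dd if=/dev/hd2 of=/dev/hd1 ibs=512 obs=512 skip=n seek=n count=n
dd if=/dev/hd2 of=/dev/hd1 ibs=512 obs=512 skip=n*2 seek=n*2 count=n
dd if=/dev/hd2 of=/dev/hd1 ibs=512 obs=512 skip=n*3 seek=n*3 count=n
: :
: :
etc.
Replace n, n*2, n*3 and so on in the count, skip and seek options with the correct block numbers, similar to the image script.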
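The block arithmetic from sections 5 and 7 (equal chunks, with the odd sectors going into the last one) can be generated for any disk size instead of worked out by hand. This is an added example, not part of xbill's guide: the function names and the `max_file_bytes` option are assumptions introduced here, and it goes slightly beyond the guide by also picking the number of chunks from a file size limit and by emitting `seek=` for the disk-to-disk case.

```python
from typing import List, NamedTuple, Optional

SECTOR = 512  # block size used by df -P and by the dd lines in the guide

class Chunk(NamedTuple):
    index: int  # 1-based file number (xfile1, xfile2, ...)
    skip: int   # sectors already imaged, to skip on the source
    count: int  # sectors to copy in this pass

def plan_chunks(total_sectors: int, n_chunks: Optional[int] = None,
                max_file_bytes: Optional[int] = None) -> List[Chunk]:
    """Split a disk into equal chunks; leftover sectors go into the last chunk.

    Give either n_chunks (the guide uses 8) or max_file_bytes, in which case the
    smallest chunk count whose largest file still fits the limit is chosen.
    """
    if total_sectors <= 0:
        raise ValueError("total_sectors must be positive")
    if n_chunks is None:
        if max_file_bytes is None:
            raise ValueError("give n_chunks or max_file_bytes")
        limit = max_file_bytes // SECTOR
        if limit < 1:
            raise ValueError("file size limit is smaller than one sector")
        n_chunks = -(-total_sectors // limit)  # ceiling division
        # The last chunk also carries the remainder, so grow until it fits.
        while total_sectors // n_chunks + total_sectors % n_chunks > limit:
            n_chunks += 1
    if not 1 <= n_chunks <= total_sectors:
        raise ValueError("n_chunks must be between 1 and total_sectors")
    base, extra = divmod(total_sectors, n_chunks)
    chunks = [Chunk(i + 1, i * base, base + (extra if i == n_chunks - 1 else 0))
              for i in range(n_chunks)]
    # The plan must cover the disk exactly once, with no gap and no overlap.
    assert chunks[-1].skip + chunks[-1].count == total_sectors
    return chunks

def dd_commands(chunks: List[Chunk], src: str, dest: str, clone: bool = False) -> List[str]:
    """Render dd lines. clone=False writes dest/xfileN; clone=True writes to a disk."""
    lines = []
    for c in chunks:
        if clone:
            # Disk-to-disk: the output offset has to advance with the input offset.
            out, seek = dest, f" seek={c.skip}"
        else:
            out, seek = f"{dest}/xfile{c.index}", ""
        lines.append(f"dd if={src} of={out} ibs={SECTOR} obs={SECTOR} "
                     f"skip={c.skip}{seek} count={c.count}")
    return lines

if __name__ == "__main__":
    total = 15633073  # /dev/hd1 block count from the df -P output in the guide
    print("\n".join(dd_commands(plan_chunks(total, n_chunks=8), "/dev/hd1", "/xbx")))
    print("\n".join(dd_commands(plan_chunks(total, max_file_bytes=2**31 - 1),
                                "/dev/hd2", "/dev/hd1", clone=True)))
```
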

Once you have cloned the drive you could use spatch, or your favorite sector editor.

I hope this guide is useful to you.
Happy hacking.

-xbill



Dumping your Xbox HD under Win32
By Adam Branom (aka RustyBall)
FATX Explorer by opcode

WinHex (all you need is the demo, but you can buy it if you want). Get it here: ftp://ftp.darmstadt.gmd.de/pub/pc/win95/diskutil/winhex/winhex.zip
FATX Explorer (ported to Win32 by opcode from Andy + Luke’s Xbox HD dumper)
Available at XboxHacker Downloads
Note: This process will not work on a fat32 drive because of its file size limit.
First issue is the Xbox HD password lock. There are two ways of bypassing this. Either spend a lot of money and get a logic analyzer or have access to one, or, the much easier route of the "cable switch" method. To do the cable switch, plug a power plug from your pc into your xbox hd and fire up your computer. Right when it starts booting up, start pressing the Pause Break key and do not let it detect your drives. Then, make sure the IDE cable is going from the xbox to the HD and turn on the xbox. After it gets to the dashboard, unplug the ribbon cable that is going from the Xbox to the hd and replace it with one that is connected to your computer. Now, press a key to allow your computer to continue booting.
Once into windows, run WinHex. Go to tools > disk editor. Find the xbox hard disk in the list and hit ok. Then, hit ctrl+a and go to Edit > Copy Block > Into new file. Save the file somewhere and leave your comp alone for a while.
Once it is done, the next process begins. Working with the image file you just made.
To dump a file, load the image file and select the partition you want to see. Next select a directory from the left pane, any files in that directory will be shown in the list on the right. To dump one or more files, select the files in the list, then right-click and select "Dump Files..." this will show a Save dialog for each file you selected with the XFAT filename put in as the default name. To save the file simply press save and it will be saved to the directory/name you selected.

Xbox Video Connector Pinout Information
PIN DEFINITIONS:

Pin | Signal Name  | Direction | Comment
1   | DCOUT        | OUT       | The output of this pin provides a current-limited DC power supply for active AV Pack circuitry.
2   | LINE OUT (R) | OUT       | This pin outputs line-level Right channel linear audio.
3   | LINE OUT (L) | OUT       | This pin outputs line-level Left channel linear audio.
4   | GND          | -         | This ground is provided for connection to the Right channel audio cable shield.
5   | GND          | -         | This ground is provided for connection to the Left channel audio cable shield.
6   | SPDIF        | OUT       | This pin is the SP-DIF logic-level output.
7   | HSYNC (???)  | OUT       | Horizontal Sync Signal used for VGA output mode
8   | VSYNC (???)  | OUT       | Vertical Sync Signal used for VGA output mode
9   | MODE1        | IN        | Video output mode select pin 1
10  | GND          | -         | This pin provides a convenient grounding point for the MODE1 input if needed.
11  | MODE2        | -         | Video output mode select pin 2
12  | GND          | -         | This pin provides a convenient grounding point for the MODE2 inputs if needed.
13  | MODE3        | -         | Video output mode select pin 3
14  | GND          | -         | This pin provides a convenient grounding point for the MODE3 inputs if needed.
15  | STATUS       | OUT       | SCART Status Pin
16  | GND          | -         | Ground connection for pin 18 (Pb)
17  | GND          | -         | Ground connection for pin 19 (C/Pr)
18  | PbB          | OUT       | This pin outputs the Pb component signal in HDTV mode, and the BLUE component signal in RGB SCART mode.
19  | CPrR         | OUT       | This pin outputs the Chroma signal in SDTV mode, and the Pr component signal in HDTV mode, and the RED component signal in RGB SCART mode.
20  | GND          | -         | Ground connection for pin 22 (Y)
21  | GND          | -         | Ground connection for pin 23 (CVBS)
22  | YG           | OUT       | This pin outputs the Luma signal in both SDTV and HDTV modes, and the GREEN component signal in RGB SCART mode.
23  | CVBS         | OUT       | This pin is dedicated to the Composite Video Out (CVBS) in SDTV mode. In HDTV mode, this pin is not used.
24  | DCRETURN     | -         | This pin is specifically designated to carry the DC return current.

AVIP connector pin out:
 _____________________________________
  24 22 20 18 16 14 12 10  8  6  4  2
_ 23 21 19 17 15 13 11  9  7  5  3  1

The AVIP supports several output configurations. The MODE inputs to the AVIP are provided to identify the type of signals expected by the AV Pack. The output mode is identified by jumper wires between the mode select pins (MODE1, MODE2, and MODE3) and GND pins on the AVIP connector as shown in the table below. The state of these inputs is continuously monitored by the system management controller, and communicated to the Xbox OS. Changes in the state trigger notification to the OS that the AV mode has changed. The state of these pins does not directly control the video or audio mode; the OS configures the CRT controller of the GPU and the TV Encoder through software. It is possible to configure these independently of the MODE state pins, as may be required for test purposes.
VIDEO MODE DEFINITIONS:

The M[0], M[1] and M[2] columns are the AVIP Mode Input (Pin); the (23), (22), (19) and (18) columns are the AVIP Video Output (Pin).

M[0] (9) | M[1] (11) | M[2] (13) | Video Mode                                   | (23)                 | (22)      | (19)         | (18)
OPEN     | OPEN      | OPEN      | No AV Pack Present                           | -                    | -         | -            | -
OPEN     | OPEN      | GND       | 525/60 RFU Mode (NTSC, mono audio)           | CVBS_NTSC            | Y_NTSC    | C_NTSC       | -
OPEN     | GND       | OPEN      | 625/50 RFU Mode (PAL/SECAM, with mono audio) | CVBS_PAL             | Y_PAL     | C_PAL        | -
OPEN     | GND       | GND       | HDTV Mode (Y/Pr/Pb)                          | -                    | Y         | Pr           | Pb
GND      | OPEN      | OPEN      | 525/60 SDTV Mode (NTSC)                      | CVBS_NTSC            | Y_NTSC    | C_NTSC       | -
GND      | OPEN      | GND       | VGA (see note)                               | -                    | G         | R            | B
GND      | GND       | OPEN      | 625/50 SDTV Mode (PAL-I)                     | CVBS_PAL             | -         | -            | -
GND      | GND       | GND       | 625/50 SDTV Mode (PAL-I) SCART               | CVBS_PAL / Y_PAL / - | - / - / G | - / C_PAL / R | - / - / B

VGA note by kgasper: This VGA mode is misleading. I have verified that the GRB signals really are still YPrPb signals but with a 31kHz H-sync which allows the VGA monitors to sync to it. But the reason it is so green is because it is YPrPb.

Xbox Video Connector to RGB SCART
Below is the scheme to connect the Xbox-Pins to the Scart-Pins.
Xbox A/V-Plug (looking from the front of the connector, not the wire side):

                    1 1 1
  1 2 3 4 5 6 7 8 9 0 1 2
  ------------------------
_ + + + + + + + + + + + +
_ + + + + + + + + + + + +
  ----------------------------
  1 1 1 1 1 1 1 2 2 2 2 2
  3 4 5 6 7 8 9 0 1 2 3 4

RGB Pinout:
1 - Right Audio Signal
2 - Right Audio Ground
3 - SP-DIF Signal
4 - RGB Switching Signal
5 - Jumper to 17 (all 3 Jumpers
6 - Jumper to 18  need to be
7 - Jumper to 19  set for RGB)
8 - Blue Ground
9 - Blue Signal
10 - Green Ground
11 - Green Signal
12 - SP-DIF Ground
13 - SP_DIF +5
14 - Left Audio Signal
15 - Left Audio Ground
16 - ???
17 - Jumper to 5
18 - Jumper to 6
19 - Jumper to 7
20 - AV Select Signal
21 - Red Ground
22 - Red Signal
23 - Composite Ground
24 - Composite Signal (Sync for RGB)

Xbox Pin -> Scart Pin
1 -> 2
2 -> 4
3 -> -
4 -> 16
5 -> -
6 -> -
7 -> -
8 -> 5
9 -> 7
10 -> 9
11 -> 11
12 -> -
13 -> -
14 -> 6
15 -> 4
16 -> -
17 -> -
18 -> -
19 -> -
20 -> 8
21 -> 13
22 -> 15
23 -> 17
24 -> 20

Scart Pin 21 (Shield) & Xbox-Plug Shield should be connected to all the Ground-Pins (like in the XBOX-Plug).
If you want SP-DIF you need to extract a separate cable.
-------zer0neg-------

Expensive VGA for Xbox By: LiQiCE
Here's the information on the X-Box VGA Box that I "made":
I purchased:
1. X-Box HD-TV Pack $20.00
2. Audio Authority 9A62 - $189.00 MSRP
The Audio Authority 9A62 box is a converter from Component Video (Y Pb Pr) to HD15 VGA. If you set your X-Box to display in 480p (essentially 640x480 @ 60hz) the 9A62 box will convert the 480p signal to VGA for you!
All you need to do is plug the Component video outputs from the X-Box HD-TV Pack into the input for the 9A62 and then plug your VGA monitor into the RGB output of the 9A62! It's as simple as that.
There is one big problem though, you can't see the Dashboard! The X-Box dashboard for some reason does not work properly with this setup. To get games to play you need to use the dashboard to set the X-Box to 480p though! Here's how you do it:
Using audio cues (assuming you have speakers plugged into the audio output from the HD-TV Pack), you can "listen" to where you are in the menu. After you turn on your X-Box without any disc inside, here is how you set it to 480p.
1. Press down once (you will hear a noise confirming you pressed down) (This is to go to Settings)
2. Press A (another confirmation noise)
3. Press Down 3 times (you will hear a click for each time you press down) (This is to go to Video Settings)
4. Press A (another confirmation noise)
5. Press up until you stop hearing the confirmation noises so you know you are at the top of the list, and press down once (this is presumably to switch from 480i to 480p, I don't know because I can't actually see!)
6. Press A
7. Press Left once (this is presumably to select Normal 4:3 mode, instead of widescreen)
8. Press A
9. Keep pressing B until you stop hearing the audio confirmation noises
10. Turn off your X-Box, turn it back on, pop in a game, and enjoy!
The games I have tested the VGA setup with so far are: Dead or Alive 3, Halo, and NHL 2002
All work perfectly.

Drizzt
How to copy an xbox game to your hard drive from a DVD using boxplorer launched from evolutionx



First you need to make sure that the game does not automatically load up from your evolutionx menu. (You cant copy a game while you play it)** :
1. Turn on your xbox WITHOUT a DVD in the drive.2. Highlight “system utilities” and press “a”(the green button)3. Highlight “settings” and press “a” 4. Scroll down the option until you find “auto launch games” and press “a” 5. Select “no” and press “a”6. Scroll down to “save and exit” and press “a”7. Reset your xbox WITHOUT a DVD in the drive (turn it off and then on again).
You should now be looking at the main evolutionx menu again; you should not notice anything different, now we can prepare a space to put the game in :
1. Put the game in the DVD drive and wait for the green light on the front of the xbox to stop flashing (you may also notice some writing on the screen change to “game” to acknowledge that there is indeed a game in the drive)
2. Highlight “launch menu” and press “a”
3. Highlight “apps” and press “a”
4. Highlight “boxplorer” and press “a”
5. Press Right trigger on control pad (you will notice the “A” change to “B” in the top right corner)
6. Press the white button on the controller (this brings up the menu options)
7. Highlight “select drive” and press “a”
8. Highlight “e:\device\harddisk0\partition1” and press “a”
9. Highlight “games” and press “a”
10. Press the white button (menu options)
11. Highlight “new folder” and press “a”
12. Follow the onscreen instructions and rename “new folder” to whatever your game is called (this is only for reference and does not have to be exact)
You should now be looking at a screen with yellow writing: “new folder” (in) e:\games :
1. Follow the onscreen instructions to accept the new folder
2. Press “a”
3. Highlight your new folder and press “a” (the writing at the top of the screen should read “e:\games\nameofyourgame\”)
4. Press the left trigger (you will notice the letter in the top right hand corner turn from “B” to “A”)
5. Press the white button
6. Highlight “select drive” and press “a”
7. Select “d:\device\cdrom0” and press “a”
8. Press the white button
9. Highlight “mark all” and press “a”
10. Press the white button
11. Highlight “Copy” and press “a”
12. Follow the onscreen instructions
Your xbox will now be busy for the next 15-40 min or so depending on your drive speed and the size of the game, so don’t switch it off until it's finished; it WILL tell you it's finished within the hour.
Congratulations, you’re done! You can now reset your xbox and launch the game from the evolution x dashboard without the DVD in the drive!
*Deleting a game and switching on auto load is an exact reversal of these instructions (remember if you delete the wrong thing you will bugger up your xbox and someone will have to fix it for you)
**Some evolutionx menu settings may vary, so use your judgment.
***Use these instructions at your own risk

Sunday, March 26, 2006

Four indicted in Nigerian e-mail scam

MARCH 23, 2006 (IDG NEWS SERVICE) - Four people have been indicted and could face 30 years in prison for a variation on a popular scam in which e-mail senders claim they're trying to transfer money out of Nigeria, the U.S. Department of Justice announced today.
A grand jury in New York yesterday returned a 10-count indictment against three of the defendants and an 11-count indictment against the fourth. Alleged victims of the four individuals lost more than $1.2 million, the DOJ said.
Three of the defendants were arrested in Amsterdam by Dutch authorities on Feb. 21, based on a U.S. criminal complaint. They are being held in the Netherlands pending extradition to the U.S., the DOJ said. The fourth defendant, a Nigerian citizen, is a fugitive.
The four are Nnamdi Chizuba Anisiobi, also known as Yellowman, Abdul Rahman, Helmut Schkinger, Nancy White and other aliases; Anthony Friday Ehis, also known as John J. Smith, Toni N. Amokwu and Mr. T; Kesandu Egwuonwu, also known as KeKe, Joey Martin Maxwell and David Mark; and an unnamed defendant known as Eric Williams, Lee, Chucks and Nago.
They are charged with one count of conspiracy, eight counts of wire fraud and one count of mail fraud. Anisiobi is also charged with one count of bank fraud.
The maximum penalty for mail and wire fraud is 20 years in prison, and the maximum sentence for bank fraud is 30 years in prison. The conspiracy charge carries a maximum penalty of five years in prison.
The defendants allegedly sent spam e-mail messages to thousands of potential victims, and they falsely claimed to have control of millions of dollars located in a foreign country that belong to an individual with a terminal illness, DOJ said.
These aren't the first charges in the e-mail advance-fee scam, popular with Nigerian criminals. In January 2004, Dutch police arrested 52 people allegedly involved in Nigerian e-mail and related scams, and in May 2002, South African police arrested six people on related charges. U.S. authorities have also brought charges against other Nigerian scammers.
The defendants allegedly solicited the help of the potential victims to collect and distribute the funds to charity. In exchange for the victims' help, the defendants promised the victims a share of the large inheritance, but told victims they must pay advance fees for legal representation, taxes or bogus documentation.
After the victims wire transferred funds to pay the "required fees," the defendants did not deliver the funds as promised, DOJ said.
"Global fraudsters need to know that we are determined to find and prosecute them," U.S. Attorney Roslynn Mauskopf of the Eastern District of New York said in a statement. "Potential victims need to know that any e-mail offering millions of dollars that requires that they send money to receive this windfall is a scheme. Delete it."

Monday, March 13, 2006

The little Blue box. Information everyone should know


The Blue Box Is Introduced: Its Qualities Are Remarked
I am in the expensively furnished living room of Al Gilbertson (His real name has been changed.), the creator of the "blue box." Gilbertson is holding one of his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, pointing out the thirteen little red push buttons sticking up from the console. He is dancing his fingers over the buttons, tapping out discordant beeping electronic jingles. He is trying to explain to me how his little blue box does nothing less than place the entire telephone system of the world, satellites, cables and all, at the service of the blue-box operator, free of charge.
"That's what it does. Essentially it gives you the power of a super operator. You seize a tandem with this top button," he presses the top button with his index finger and the blue box emits a high-pitched cheep, "and like that" -- cheep goes the blue box again -- "you control the phone company's long-distance switching systems from your cute little Princess phone or any old pay phone. And you've got anonymity. An operator has to operate from a definite location: the phone company knows where she is and what she's doing. But with your beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) number, they don't know where you are, or where you're coming from, they don't know how you slipped into their lines and popped up in that 800 number. They don't even know anything illegal is going on. And you can obscure your origins through as many levels as you like. You can call next door by way of White Plains, then over to Liverpool by cable, and then back here by satellite. You can call yourself from one pay phone all the way around the world to a pay phone next to you. And you get your dime back too."
"And they can't trace the calls? They can't charge you?" "Not if you do it the right way. But you'll find that the free-call thing isn't really as exciting at first as the feeling of power you get from having one of these babies in your hand. I've watched people when they first get hold of one of these things and start using it, and discover they can make connections, set up crisscross and zigzag switching patterns back and forth across the world. They hardly talk to the people they finally reach. They say hello and start thinking of what kind of call to make next. They go a little crazy." He looks down at the neat little package in his palm. His fingers are still dancing, tapping out beeper patterns.
"I think it's something to do with how small my models are. There are lots of blue boxes around, but mine are the smallest and most sophisticated electronically. I wish I could show you the prototype we made for our big syndicate order."
He sighs. "We had this order for a thousand beeper boxes from a syndicate front man in Las Vegas. They use them to place bets coast to coast, keep lines open for hours, all of which can get expensive if you have to pay. The deal was a thousand blue boxes for $300 apiece. Before then we retailed them for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a manufacturing deal worked out in the Philippines. Everything ready to go. Anyway, the model I had ready for limited mass production was small enough to fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, rather than these unsightly buttons, sticking out. Looked just like a tiny portable radio. In fact, I had designed it with a tiny transistor receiver to get one AM channel, so in case the law became suspicious the owner could switch on the radio part, start snapping his fingers, and no one could tell anything illegal was going on. I thought of everything for this model -- I had it lined with a band of thermite which could be ignited by radio signal from a tiny button transmitter on your belt, so it could be burned to ashes instantly in case of a bust. It was beautiful. A beautiful little machine. You should’ve seen the faces on these syndicate guys when they came back after trying it out. They'd hold it in their palm like they never wanted to let it go, and they'd say, 'I can't believe it. I can't believe it.' You probably won't believe it until you try it."
The Blue Box Is Tested: Certain Connections Are Made
About eleven o'clock two nights later Fraser Lucey has a blue box in the palm of his left hand and a phone in the palm of his right. He is standing inside a phone booth next to an isolated shut-down motel off Highway 1. I am standing outside the phone booth.
Fraser likes to show off his blue box for people. Until a few weeks ago when Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring his blue box (This particular blue box, like most blue boxes, is not blue. Blue boxes have come to be called "blue boxes" either because 1) The first blue box ever confiscated by phone-company security men happened to be blue, or 2) To distinguish them from "black boxes." Black boxes are devices, usually a resistor in series, which, when attached to home phones, allow all incoming calls to be made without charge to one's caller.) to parties. It never failed: A few cheeps from his device and Fraser became the center of attention at the very hippest of gatherings, playing phone tricks and doing request numbers for hours. He began to take orders for his manufacturer in Mexico. He became a dealer.
Fraser is cautious now about where he shows off his blue box. But he never gets tired of playing with it. "It's like the first time every time," he tells me.
Fraser puts a dime in the slot. He listens for a tone and holds the receiver up to my ear. I hear the tone. Fraser begins describing, with a certain practiced air, what he does while he does it. "I'm dialing an 800 number now. Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he names a well-known rent-a-car company) 800 number. Listen, It's ringing. Here, you hear it? Now watch." He places the blue box over the mouthpiece of the phone so that the one silver and twelve black push buttons are facing up toward me. He presses the silver button -- the one at the top -- and I hear that high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. "Now, quick. Listen." He shoves the earpiece at me. The ringing has vanished. The line gives a slight hiccough, there is a sharp buzz, and then nothing but soft white noise.
"We're home free now," Lucey tells me, taking back the phone and applying the blue box to its mouthpiece once again. "We're up on a tandem, into a long-lines trunk. Once you're up on a tandem, you can send yourself anywhere you want to go." He decides to check out London first. He chooses a certain pay phone located in Waterloo Station. This particular pay phone is popular with the phone-phreaks network because there are usually people walking by at all hours who will pick it up and talk for a while.
He presses the lower left-hand corner button which is marked "KP" on the face of the box. "That's Key Pulse. It tells the tandem we're ready to give it instructions. First I'll punch out KP 182 START, which will slide us into the overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll head over to England by satellite. Cable is actually faster and the connection is somewhat better, but I like going by satellite. So I just punch out KP Zero 44. The Zero is supposed to guarantee a satellite connection and 44 is the country code for England. Okay... we're there. In Liverpool actually. Now all I have to do is punch out the London area code which is 1, and dial up the pay phone. Here, listen, I've got a ring now."
I hear the soft quick purr-purr of a London ring. Then someone picks up the phone.
"Hello," says the London voice.
"Hello. Who's this?" Fraser asks.
"Hello. There's actually nobody here. I just picked this up while I was passing by. This is a public phone. There's no one here to answer actually."
"Hello. Don't hang up. I'm calling from the United States."
"Oh. What is the purpose of the call? This is a public phone you know."
"Oh. You know. To check out, uh, to find out what's going on in London. How is it there?"
"It's five o'clock in the morning. It's raining now."
"Oh. Who are you?"
The London passerby turns out to be an R.A.F. enlistee on his way back to the base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. He and Fraser talk about the rain. They agree that it's nicer when it's not raining. They say good-bye and Fraser hangs up. His dime returns with a nice clink.
"Isn't that far out," he says grinning at me. "London, like that."
Fraser squeezes the little blue box affectionately in his palm. "I told ya this thing is for real. Listen, if you don't mind I'm gonna try this girl I know in Paris. I usually give her a call around this time. It freaks her out. This time I'll use the ------ (a different rent-a-car company) 800 number and we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking to at this time?"
A state police car cruises slowly by the motel. The car does not stop, but Fraser gets nervous. We hop back into his car and drive ten miles in the opposite direction until we reach a Texaco station locked up for the night. We pull up to a phone booth by the tire pump. Fraser dashes inside and tries the Paris number. It is busy again.
"I don't understand who she could be talking to. The circuits may be busy. It's too bad I haven't learned how to tap into lines overseas with this thing yet."
Fraser begins to phreak around, as the phone phreaks say. He dials a leading nationwide charge card's 800 number and punches out the tones that bring him the time recording in Sydney, Australia. He beeps up the weather recording in Rome, in Italian of course. He calls a friend in Boston and talks about a certain over-the-counter stock they are into heavily. He finds the Paris number busy again. He calls up "Dial a Disc" in London, and we listen to Double Barrel by David and Ansil Collins, the number-one hit of the week in London. He calls up a dealer of another sort and talks in code. He calls up Joe Engressia, the original blind phone-phreak genius, and pays his respects. There are other calls. Finally Fraser gets through to his young lady in Paris.
They both agree the circuits must have been busy, and criticize the Paris telephone system. At two-thirty in the morning Fraser hangs up, pockets his dime, and drives off, steering with one hand, holding what he calls his "lovely little blue box" in the other.
You Can Call Long Distance For Less Than You Think
"You see, a few years ago the phone company made one big mistake," Gilbertson explains two days later in his apartment. "They were careless enough to let some technical journal publish the actual frequencies used to create all their multi-frequency tones. Just a theoretical article some Bell Telephone Laboratories engineer was doing about switching theory, and he listed the tones in passing. At ----- (a well-known technical school) I had been fooling around with phones for several years before I came across a copy of the journal in the engineering library. I ran back to the lab and it took maybe twelve hours from the time I saw that article to put together the first working blue box. It was bigger and clumsier than this little baby, but it worked."
It's all there on public record in that technical journal written mainly by Bell Lab people for other telephone engineers. Or at least it was public. "Just try and get a copy of that issue at some engineering-school library now. Bell has had them all red-tagged and withdrawn from circulation," Gilbertson tells me.
"But it's too late. It's all public now. And once they became public the technology needed to create your own beeper device is within the range of any twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he can do it in less than the twelve hours it took us. Blind kids do it all the time. They can't build anything as precise and compact as my beeper box, but theirs can do anything mine can do."
"How?"
"Okay. About twenty years ago AT&T made a multi-billion-dollar decision to operate its entire long-distance switching system on twelve electronically generated combinations of twelve master tones. Those are the tones you sometimes hear in the background after you've dialed a long-distance number. They decided to use some very simple tones -- the tone for each number is just two fixed single-frequency tones played simultaneously to create a certain beat frequency. Like 1300 cycles per second and 900 cycles per second played together give you the tone for digit 5. Now, what some of these phone phreaks have done is get themselves access to an electric organ. Any cheap family home-entertainment organ. Since the frequencies are public knowledge now -- one blind phone phreak has even had them recorded in one of the talking books for the blind -- they just have to find the musical notes on the organ which correspond to the phone tones. Then they tape them. For instance, to get Ma Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and 700 cycles per second) at the same time. To produce the tone for 2 it's F~5 and C~6 (1100 and 700 cps). The phone phreaks circulate the whole list of notes so there's no trial and error anymore."
He shows me a list of the rest of the phone numbers and the two electric organ keys that produce them.
"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed and double it to 7 1/2 inches-per-second when you play them back, to get the proper tones," he adds.
"So once you have all the tones recorded, how do you plug them into the phone system?"
"Well, they take their organ and their cassette recorder, and start banging out entire phone numbers in tones on the organ, including country codes, routing instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone in the phone-phreak network sends them a cassette with all the tones recorded, with a voice saying 'Number one,' then you have the tone, 'Number two,' then the tone and so on. So with two cassette recorders they can put together a series of phone numbers by switching back and forth from number to number. Any idiot in the country with a cheap cassette recorder can make all the free calls he wants."
"You mean you just hold the cassette recorder up the mouthpiece and switch in a series of beeps you've recorded? The phone thinks that anything that makes these tones must be its own equipment?"
"Right. As long as you get the frequency within thirty cycles per second of the phone company's tones, the phone equipment thinks it hears its own voice talking to it. The original granddaddy phone phreak was this blind kid with perfect pitch, Joe Engressia, who used to whistle into the phone. An operator could tell the difference between his whistle and the phone company's electronic tone generator, but the phone company's switching circuit can't tell them apart. The bigger the phone company gets and the further away from human operators it gets, the more vulnerable it becomes to all sorts of phone phreaking."
A Guide for the Perplexed
"But wait a minute," I stop Gilbertson. "If everything you do sounds like phone-company equipment, why doesn't the phone company charge you for the call the way it charges its own equipment?"
"Okay. That's where the 2600-cycle tone comes in. I better start from the beginning."
The beginning he describes for me is a vision of the phone system of the continent as thousands of webs, of long-line trunks radiating from each of the hundreds of toll switching offices to the other toll switching offices. Each toll switching office is a hive compacted of thousands of long-distance tandems constantly whistling and beeping to tandems in far-off toll switching offices.
The tandem is the key to the whole system. Each tandem is a line with some relays with the capability of signaling any other tandem in any other toll switching office on the continent, either directly one-to-one or by programming a roundabout route through several other tandems if all the direct routes are busy. For instance, if you want to call from New York to Los Angeles and traffic is heavy on all direct trunks between the two cities, your tandem in New York is programmed to try the next best route, which may send you down to a tandem in New Orleans, then up to San Francisco, or down to a New Orleans tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up to Los Angeles.
When a tandem is not being used, when it's sitting there waiting for someone to make a long-distance call, it whistles. One side of the tandem, the side "facing" your home phone, whistles at 2600 cycles per second toward all the home phones serviced by the exchange, telling them it is at their service, should they be interested in making a long-distance call. The other side of the tandem is whistling 2600 cps into one or more long-distance trunk lines, telling the rest of the phone system that it is neither sending nor receiving a call through that trunk at the moment, that it has no use for that trunk at the moment.
When you dial a long-distance number the first thing that happens is that you are hooked into a tandem. A register comes up to the side of the tandem facing away from you and presents that side with the number you dialed. This sending side of the tandem stops whistling 2600 into its trunk line. When a tandem stops the 2600 tone it has been sending through a trunk, the trunk is said to be "seized," and is now ready to carry the number you have dialed -- converted into multi-frequency beep tones -- to a tandem in the area code and central office you want.
Now when a blue-box operator wants to make a call from New Orleans to New York he starts by dialing the 800 number of a company which might happen to have its headquarters in Los Angeles. The sending side of the New Orleans tandem stops sending 2600 out over the trunk to the central office in Los Angeles, thereby seizing the trunk. Your New Orleans tandem begins sending beep tones to a tandem it has discovered idly whistling 2600 cycles in Los Angeles. The receiving end of that LA tandem is seized, stops whistling 2600, listens to the beep tones which tell it which LA phone to ring, and starts ringing the 800 number. Meanwhile a mark made in the New Orleans office accounting tape notes that a call from your New Orleans phone to the 800 number in LA has been initiated and gives the call a code number. Everything is routine so far.
But then the phone phreak presses his blue box to the mouthpiece and pushes the 2600-cycle button, sending 2600 out from the New Orleans tandem to the LA tandem. The LA tandem notices 2600 cycles are coming over the line again and assumes that New Orleans has hung up because the trunk is whistling as if idle. The LA tandem immediately ceases ringing the LA 800 number. But as soon as the phreak takes his finger off the 2600 button, the LA tandem assumes the trunk is once again being used because the 2600 is gone, so it listens for a new series of digit tones - to find out where it must send the call.
Thus the blue-box operator in New Orleans now is in touch with a tandem in LA which is waiting like an obedient genie to be told what to do next. The blue-box owner then beeps out the ten digits of the New York number which tell the LA tandem to relay a call to New York City. Which it promptly does. As soon as your party picks up the phone in New York, the side of the New Orleans tandem facing you stops sending 2600 cycles to you and starts carrying his voice to you by way of the LA tandem. A notation is made on the accounting tape that the connection has been made on the 800 call which had been initiated and noted earlier. When you stop talking to New York a notation is made that the 800 call has ended.
At three the next morning, when the phone company's accounting computer starts reading back over the master accounting tape for the past day, it records that a call of a certain length of time was made from your New Orleans home to an LA 800 number and, of course, the accounting computer has been trained to ignore those toll-free 800 calls when compiling your monthly bill.
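The root cause in the passage above is that the far-end tandem reads its control signals from the same path that carries the caller's audio, so it cannot tell its peer switch from the subscriber. The model below is an added example, not part of the original article: the class names, event names and both phone numbers are constructed, and the out-of-band variant shows the general mitigation (signaling on a separate link), which the article does not describe.

```python
SUPERVISION_HZ = 2600   # idle/supervision tone named in the article
TOLERANCE_HZ = 30       # "within thirty cycles per second", per the article

BILLED = "8005550100"   # constructed toll-free number logged by the originating office
OTHER = "2125550123"    # constructed second number arriving from the subscriber side


def is_supervision(hz):
    """True if a tone is close enough to be taken for the supervision tone."""
    return abs(hz - SUPERVISION_HZ) <= TOLERANCE_HZ


class InBandTandem:
    """Far-end tandem that takes control signals from the voice path itself."""

    def __init__(self):
        self.state = "idle"      # idle -> collecting -> connected
        self.digits = ""
        self.routed = []         # every number this tandem was told to ring

    def hear(self, kind, value=None):
        """Anything arriving on the trunk audio; the sender is not identifiable."""
        if kind == "tone_on" and is_supervision(value):
            self.state = "idle"                         # read as "near end hung up"
        elif kind == "tone_off" and self.state == "idle":
            self.state, self.digits = "collecting", ""  # read as a fresh seizure
        elif kind == "mf" and self.state == "collecting":
            if value == "ST":
                self.routed.append(self.digits)
                self.state = "connected"
            elif value != "KP":
                self.digits += value
        # speech and every other sound is simply carried


class OutOfBandTandem:
    """Same role, but control arrives only on a link that switches share."""

    def __init__(self):
        self.state = "idle"
        self.routed = []
        self.carried = 0         # audio events passed through untouched

    def signal(self, msg, number=None):
        """Signaling link between switches; subscribers have no path onto it."""
        if msg == "setup" and self.state == "idle":
            self.routed.append(number)
            self.state = "connected"
        elif msg == "release":
            self.state = "idle"

    def hear(self, kind, value=None):
        """Voice path: payload only, never interpreted as control."""
        self.carried += 1


def switch_setup(tandem, number):
    """Legitimate call setup performed by the originating switch."""
    if isinstance(tandem, InBandTandem):
        tandem.hear("tone_off")
        for sym in ["KP", *number, "ST"]:
            tandem.hear("mf", sym)
    else:
        tandem.signal("setup", number)


def subscriber_audio(tandem, hz=SUPERVISION_HZ):
    """Sounds entering from the subscriber's mouthpiece after setup."""
    tandem.hear("tone_on", hz)
    tandem.hear("tone_off")
    for sym in ["KP", *OTHER, "ST"]:
        tandem.hear("mf", sym)


def run(tandem, hz=SUPERVISION_HZ):
    """Set up the billed call, then play subscriber audio; return what was rung."""
    switch_setup(tandem, BILLED)
    subscriber_audio(tandem, hz)
    return tandem.routed


def unbilled(routed):
    """Numbers the far end rang that the originating office never recorded."""
    return [n for n in routed if n != BILLED]


if __name__ == "__main__":
    print("in-band     :", unbilled(run(InBandTandem())))
    print("out-of-band :", unbilled(run(OutOfBandTandem())))
```

The in-band tandem ends up with a routed number that never appears in the originating office's record, which is the billing gap the next paragraph of the article describes; the out-of-band tandem carries the same sounds as payload and routes nothing new.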
"All they can prove is that you made an 800 toll-free call," Gilbertson the inventor concludes. "Of course, if you're foolish enough to talk for two hours on an 800 call, and they've installed one of their special anti-fraud computer programs to watch out for such things, they may spot you and ask why you took two hours talking to Army Recruiting's 800 number when you're 4-F. But if you do it from a pay phone, they may discover something peculiar the next day -- if they've got a blue-box hunting program in their computer -- but you'll be a long time gone from the pay phone by then. Using a pay phone is almost guaranteed safe."
"What about the recent series of blue-box arrests all across the country -- New York, Cleveland, and so on?" I asked. "How were they caught so easily?"
"From what I can tell, they made one big mistake: they were seizing trunks using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to detect because when you send multi-frequency beep tones of 555 you get a charge for it on your tape and the accounting computer knows there's something wrong when it tries to bill you for a two-hour call to Akron, Ohio, information, and it drops a trouble card which goes right into the hands of the security agent if they're looking for blue-box users.
"Whoever sold those guys their blue boxes didn't tell them how to use them properly, which is fairly irresponsible. And they were fairly stupid to use them at home all the time.
"But what those arrests really mean is that an awful lot of blue boxes are flooding into the country and that people are finding them so easy to make that they know how to make them before they know how to use them. Ma Bell is in trouble."
And if a blue-box operator or a cassette-recorder phone phreak sticks to pay phones and 800 numbers, the phone company can't stop them?
"Not unless they change their entire nationwide long-lines technology, which will take them a few billion dollars and twenty years. Right now they can't do a thing. They're screwed."
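The accounting-side checks mentioned in this section (an unusually long toll-free call, and a long billed call to directory assistance that "drops a trouble card") can be written as a small scan over call records. This is an added example, not the phone company's program: the record layout, the sample records and both thresholds are assumptions, since the article gives only a two-hour call as something such a program would notice.

```python
import re
from collections import defaultdict

# Assumed thresholds, in minutes; the article names no cut-off values.
MAX_TOLLFREE_MIN = 60
MAX_DIRECTORY_MIN = 10

# Constructed accounting records:
# originating line, line type (home/pay), dialed number, minutes connected.
SAMPLE_TAPE = """\
5045550111 home 8005550100 4
5045550111 home 2165551212 120
5045550142 home 8005550100 125
5045550142 home 8005550177 95
5045550190 pay  8005550100 130
5045550166 home 2125550123 45
5045550166 home 2165551212 2
"""

RECORD = re.compile(r"^(\d{10})\s+(home|pay)\s+(\d{10})\s+(\d+)$")


def classify(dialed, minutes):
    """Return the reason a record looks wrong, or None if it looks routine."""
    if dialed[3:] == "5551212" and minutes > MAX_DIRECTORY_MIN:
        return "long directory-assistance call"
    if dialed.startswith("800") and minutes > MAX_TOLLFREE_MIN:
        return "long toll-free call"
    return None


def scan(tape):
    """Group suspicious records by originating line; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in tape.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        origin, kind, dialed, minutes = m[1], m[2], m[3], int(m[4])
        reason = classify(dialed, minutes)
        if reason:
            hits[(origin, kind)].append((dialed, minutes, reason))
    return dict(hits)


def trouble_cards(tape):
    """One card per originating line, most suspicious records first."""
    cards = []
    for (origin, kind), records in scan(tape).items():
        cards.append({
            "origin": origin,
            # A pay phone identifies a location, not a subscriber.
            "attributable": kind == "home",
            "hits": len(records),
            "minutes": sum(r[1] for r in records),
            "reasons": sorted({r[2] for r in records}),
        })
    return sorted(cards, key=lambda c: (-c["hits"], c["origin"]))


if __name__ == "__main__":
    for card in trouble_cards(SAMPLE_TAPE):
        print(card)
```

The `attributable` field reflects the limit the article points out: a record from a pay phone can be flagged the next day, but it does not identify who placed the call.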
Captain Crunch Demonstrates His Famous Unit
There is an underground telephone network in this country. Gilbertson discovered it the very day news of his activities hit the papers. That evening his phone began ringing. Phone phreaks from Seattle, from Florida, from New York, from San Jose, and from Los Angeles began calling him and telling him about the phone-phreak network. He'd get a call from a phone phreak who'd say nothing but, "Hang up and call this number."
When he dialed the number he'd find himself tied into a conference of a dozen phone phreaks arranged through a quirky switching station in British Columbia. They identified themselves as phone phreaks, they demonstrated their homemade blue boxes which they called "M-Fers" (for "multi-frequency," among other things) for him, they talked shop about phone-phreak devices. They let him in on their secrets on the theory that if the phone company was after him he must be trustworthy. And, Gilbertson recalls, they stunned him with their technical sophistication.
I ask him how to get in touch with the phone-phreak network. He digs around through a file of old schematics and comes up with about a dozen numbers in three widely separated area codes.
"Those are the centers," he tells me. Alongside some of the numbers he writes in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson (also a code word for a free call), Marty Freeman (code word for M-F device), Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks alongside the names of those among these top twelve who are blind. There are five checks.
I ask him who this Captain Crunch person is.
"Oh. The Captain. He's probably the most legendary phone phreak. He calls himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." (Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch set. Somehow a phone phreak discovered that the toy whistle just happened to produce a perfect 2600-cycle tone. When the man who calls himself Captain Crunch was transferred overseas to England with his Air Force unit, he would receive scores of calls from his friends and "mute" them -- make them free of charge to them -- by blowing his Cap'n Crunch whistle into his end.) "Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's an engineer who once got in a little trouble for fooling around with the phone, but he can't stop. Well, the guy drives across country in a Volkswagen van with an entire switchboard and a computerized super-sophisticated M-F-er in the back. He'll pull up to a phone booth on a lonely highway somewhere, snake a cable out of his bus, hook it onto the phone and sit for hours, days sometimes, sending calls zipping back and forth across the country, all over the world...."
Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked for G---- T-----, his real name, or at least the name he uses when he's not dashing into a phone booth beeping out M-F tones faster than a speeding bullet and zipping phantomlike through the phone company's long-distance lines.
When G---- T----- answered the phone and I told him I was preparing a story for Esquire about phone phreaks, he became very indignant.
"I don't do that. I don't do that anymore at all. And if I do it, I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer."
A tone of tightly restrained excitement enters the Captain's voice when he starts talking about systems. He begins to pronounce each syllable with the hushed deliberation of an obscene caller.
"Ma Bell is a system I want to explore. It's a beautiful system, you know, but Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, but she screwed up. I learned how she screwed up from a couple of blind kids who wanted me to build a device. A certain device. They said it could make free calls. I wasn't interested in free calls. But when these blind kids told me I could make calls into a computer, my eyes lit up. I wanted to learn about computers. I wanted to learn about Ma Bell's computers. So I built the little device, but I built it wrong and Ma Bell found out. Ma Bell can detect things like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. Except for learning purposes." He pauses. "So you want to write an article. Are you paying for this call? Hang up and call this number." He gives me a number in an area code a thousand miles away from his own. I dial the number.
"Hello again. This is Captain Crunch. You are speaking to me on a toll-free loop-around in Portland, Oregon. Do you know what a toll-free loop around is? I'll tell you."
He explains to me that almost every exchange in the country has open test numbers which allow other exchanges to test their connections with it. Most of these numbers occur in consecutive pairs, such as 302 956-0041 and 302 956-0042. Well, certain phone phreaks discovered that if two people from anywhere in the country dial the two consecutive numbers they can talk together just as if one had called the other's number, with no charge to either of them, of course.
"Now our voice is looping around in a 4A switching machine up there in Canada, zipping back down to me," the Captain tells me. "My voice is looping around up there and back down to you. And it can't ever cost anyone money. The phone phreaks and I have compiled a list of many of these numbers. You would be surprised if you saw the list. I could show it to you. But I won't. I'm out of that now. I'm not out to screw Ma Bell. I know better. If I do anything it's for the pure knowledge of the System. You can learn to do fantastic things. Have you ever heard eight tandems stacked up? Do you know the sound of tandems stacking and unstacking? Give me your phone number. Okay. Hang up now and wait a minute."
Slightly less than a minute later the phone rang and the Captain was on the line, his voice sounding far more excited, almost aroused.
"I wanted to show you what it's like to stack up tandems. To stack up tandems." (Whenever the Captain says "stack up" it sounds as if he is licking his lips.)
"How do you like the connection you're on now?" the Captain asks me. "It's a raw tandem. A raw tandem. Ain't nothing' up to it but a tandem. Now I'm going to show you what it's like to stack up. Blow off. Land in a far away place. To stack that tandem up, whip back and forth across the country a few times, then shoot on up to Moscow.
"Listen," Captain Crunch continues. "Listen. I've got line tie on my switchboard here, and I'm gonna let you hear me stack and unstack tandems. Listen to this. It's gonna blow your mind."
First I hear a super rapid-fire pulsing of the flutelike phone tones, then a pause, then another popping burst of tones, then another, then another. Each burst is followed by a beep-kachink sound.
"We have now stacked up four tandems," said Captain Crunch, sounding somewhat remote. "That's four tandems stacked up. Do you know what that means? That means I'm whipping back and forth, back and forth twice, across the country, before coming to you. I've been known to stack up twenty tandems at a time. Now, just like I said, I'm going to shoot up to Moscow."
There is a new, longer series of beeper pulses over the line, a brief silence, then a ring.
"Hello," answers a far-off voice.
"Hello. Is this the American Embassy Moscow?"
"Yes, sir. Who is this calling?" says the voice.
"Yes. This is test board here in New York. We're calling to check out the circuits, see what kind of lines you've got. Everything okay there in Moscow?"
"Okay?"
"Well, yes, how are things there?"
"Oh. Well, everything okay, I guess."
"Okay. Thank you."
They hang up, leaving a confused series of beep-kachink sounds hanging in mid-ether in the wake of the call before dissolving away.
The Captain is pleased. "You believe me now, don't you? Do you know what I'd like to do? I'd just like to call up your editor at Esquire and show him just what it sounds like to stack and unstack tandems. I'll give him a show that will blow his mind. What's his number?"
I ask the Captain what kind of device he was using to accomplish all his feats. The Captain is pleased at the question.
"You could tell it was special, couldn't you?" Ten pulses per second. That's faster than the phone company's equipment. Believe me, this unit is the most famous unit in the country. There is no other unit like it. Believe me."
"Yes, I've heard about it. Some other phone phreaks have told me about it."
"They have been referring to my, ahem, unit? What is it they said? Just out of curiosity, did they tell you it was a highly sophisticated computer-operated unit, with acoustical coupling for receiving outputs and a switch-board with multiple-line-tie capability? Did they tell you that the frequency tolerance is guaranteed to be not more than .05 percent? The amplitude tolerance less than .01 decibel? Those pulses you heard were perfect. They just come faster than the phone company. Those were high-precision op-amps. Op-amps are instrumentation amplifiers designed for ultra-stable amplification, super-low distortion and accurate frequency response. Did they tell you it can operate in temperatures from -55øC to +125øC?"
I admit that they did not tell me all that.
"I built it myself," the Captain goes on. "If you were to go out and buy the components from an industrial wholesaler it would cost you at least $1500. I once worked for a semiconductor company and all this didn't cost me a cent. Do you know what I mean? Did they tell you about how I put a call completely around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who connected me to India, India connected me to Greece, Greece connected me to Pretoria, South Africa, South Africa connected me to South America, I went from South America to London, I had a London operator connect me to a New York operator, I had New York connect me to a California operator who rang the phone next to me. Needless to say I had to shout to hear myself. But the echo was far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear myself talk to myself."
"You mean you were speaking into the mouthpiece of one phone sending your voice around the world into your ear through a phone on the other side of your head?" I asked the Captain. I had a vision of something vaguely autoerotic going on, in a complex electronic way.
"That's right," said the Captain. "I've also sent my voice around the world one way, going east on one phone, and going west on the other, going through cable one way, satellite the other, coming back together at the same time, ringing the two phones simultaneously and picking them up and whipping my voice both ways around the world back to me. Wow. That was a mind blower." "You mean you sit there with both phones on your ear and talk to yourself around the world," I said incredulously.
"Yeah. Um hum. That's what I do. I connect the phone together and sit there and talk."
"What do you say? What do you say to yourself when you're connected?"
"Oh, you know. Hello test one two three," he says in a low-pitched voice.
"Hello test one two three," he replied to himself in a high-pitched voice.
"Hello test one two three," he repeats again, low-pitched.
"Hello test one two three," he replies, high-pitched.
"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and breaks into laughter.
Why Captain Crunch Hardly Ever Taps Phones Anymore
Using internal phone-company codes, phone phreaks have learned a simple method for tapping phones. Phone-company operators have in front of them a board that holds verification jacks. It allows them to plug into conversations in case of emergency, to listen in to a line to determine if the line is busy or the circuits are busy. Phone phreaks have learned to beep out the codes which lead them to a verification operator, tell the verification operator they are switchmen from some other area code testing out verification trunks. Once the operator hooks them into the verification trunk, they disappear into the board for all practical purposes, slip unnoticed into any one of the 10,000 to 100,000 numbers in that central office without the verification operator knowing what they're doing, and of course without the two parties to the connection knowing there is a phantom listener present on their line.
Toward the end of my hour-long first conversation with him, I asked the Captain if he ever tapped phones.
"Oh no. I don't do that. I don't think it's right," he told me firmly. "I have the power to do it but I don't... Well one time, just one time, I have to admit that I did. There was this girl, Linda, and I wanted to find out... you know. I tried to call her up for a date. I had a date with her the last weekend and I thought she liked me. I called her up, man, and her line was busy, and I kept calling and it was still busy. Well, I had just learned about this system of jumping into lines and I said to myself, 'Hmmm. Why not just see if it works. It'll surprise her if all of a sudden I should pop up on her line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed into the line. My M-F-er is powerful enough when patched directly into the mouthpiece to trigger a verification trunk without using an operator the way the other phone phreaks have to.
"I slipped into the line and there she was talking to another boyfriend. Making sweet talk to him. I didn't make a sound because I was so disgusted. So I waited there for her to hang up, listening to her making sweet talk to the other guy. You know. So as soon as she hung up I instantly M-F-ed her up and all I said was, 'Linda, we're through.' And I hung up. And it blew her head off. She couldn't figure out what the hell happened.
"But that was the only time. I did it thinking I would surprise her, impress her. Those were all my intentions were, and well, it really kind of hurt me pretty badly, and... and ever since then I don't go into verification trunks."
Moments later my first conversation with the Captain comes to a close.
"Listen," he says, his spirits somewhat cheered, "listen. What you are going to hear when I hang up is the sound of tandems unstacking. Layer after layer of tandems unstacking until there's nothing left of the stack, until it melts away into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending to a whisper with each cheep.
He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink cheep kachink cheep kachink cheep, and the complex connection has wiped itself out like the Cheshire cat's smile.
The MF Boogie Blues
The next number I choose from the select list of phone-phreak alumni, prepared for me by the blue-box inventor, is a Memphis number. It is the number of Joe Engressia, the first and still perhaps the most accomplished blind phone phreak.
Three years ago Engressia was a nine-day wonder in newspapers and magazines all over America because he had been discovered whistling free long-distance connections for fellow students at the University of South Florida.
Engressia was born with perfect pitch: he could whistle phone tones better than the phone-company's equipment.
Engressia might have gone on whistling in the dark for a few friends for the rest of his life if the phone company hadn't decided to expose him. He was warned, disciplined by the college, and the whole case became public. In the months following media reports of his talent, Engressia began receiving strange calls. There were calls from a group of kids in Los Angeles who could do some very strange things with the quirky General Telephone and Electronics circuitry in LA suburbs. There were calls from a group of mostly blind kids in ----, California, who had been doing some interesting experiments with Cap'n Crunch whistles and test loops. There was a group in Seattle, a group in Cambridge, Massachusetts, a few from New York, a few scattered across the country. Some of them had already equipped themselves with cassette and electronic M-F devices. For some of these groups, it was the first time they knew of the others.
The exposure of Engressia was the catalyst that linked the separate phone-phreak centers together. They all called Engressia. They talked to him about what he was doing and what they were doing. And then he told them -- the scattered regional centers and lonely independent phone phreakers -- about each other, gave them each other's numbers to call, and within a year the scattered phone-phreak centers had grown into a nationwide underground.
Joe Engressia is only twenty-two years old now, but along the phone-phreak network he is "the old man," accorded by phone phreaks something of the reverence the phone company bestows on Alexander Graham Bell. He seldom needs to make calls anymore. The phone phreaks all call him and let him know what new tricks, new codes, new techniques they have learned. Every night he sits like a sightless spider in his little apartment receiving messages from every tendril of his web. It is almost a point of pride with Joe that they call him.
But when I reached him in his Memphis apartment that night, Joe Engressia was lonely, jumpy and upset.
"God, I'm glad somebody called. I don't know why tonight of all nights I don't get any calls. This guy around here got drunk again tonight and propositioned me again. I keep telling him we'll never see eye to eye on this subject, if you know what I mean. I try to make light of it, you know, but he doesn't get it. I can head him out there getting drunker and I don't know what he'll do next. It's just that I'm really all alone here, just moved to Memphis, it's the first time I'm living on my own, and I'd hate for it to all collapse now. But I won't go to bed with him. I'm just not very interested in sex and even if I can't see him I know he's ugly.
"Did you hear that? That's him banging a bottle against the wall outside. He's nice. Well forget about it. You're doing a story on phone phreaks? Listen to this. It's the MF Boogie Blues.
Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, each note one of those long-distance phone tones. The music stops. A huge roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?"
The roar ceases. A high-pitched operator-type voice replaces it. "This is Southern Braille Tel. & Tel. Have tone, will phone."
This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep reassuring voice: "If you need home care, call the visiting-nurses association. First National time in Honolulu is 4:32 p.m."
Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?"
This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes manages to keep Joe's mind off his tormentor only as long as it lasts.
"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, is that this is the first time I've been able to live on my own and make phone trips on my own. I've been banned from all central offices around home in Florida, they knew me too well, and at the University some of my fellow scholars were always harassing me because I was on the dorm pay phone all the time and making fun of me because of my fat ass, which of course I do have, it's my physical fatness program, but I don't like to hear it every day, and if I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've been devoting three quarters of my life to it.
"I moved to Memphis because I wanted to be on my own as well as because it has a Number 5 crossbar switching system and some interesting little independent phone-company districts nearby and so far they don't seem to know who I am so I can go on phone tripping, and for me phone tripping is just as important as phone phreaking."
Phone tripping, Joe explains, begins with calling up a central-office switch room. He tells the switchman in a polite earnest voice that he's a blind college student interested in telephones, and could he perhaps have a guided tour of the switching station? Each step of the tour Joe likes to touch and feel relays, caress switching circuits, switchboards, crossbar arrangements.
So when Joe Engressia phone phreaks he feels his way through the circuitry of the country garden of forking paths, he feels switches shift, relays shunt, crossbars swivel, tandems engage and disengage even as he hears -- with perfect pitch -- his M-F pulses make the entire Bell system dance to his tune.
Just one month ago Joe took all his savings out of his bank and left home, over the emotional protests of his mother. "I ran away from home almost," he likes to say. Joe found a small apartment house on Union Avenue and began making phone trips. He'd take a bus a hundred miles south in Mississippi to see some old-fashioned Bell equipment still in use in several states, which had been puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to look at some brand-new experimental equipment. He hired a taxi to drive him twelve miles to a suburb to tour the office of a small phone company with some interesting idiosyncrasies in its routing system. He was having the time of his life, he said, the most freedom and pleasure he had known.
In that month he had done very little long-distance phone phreaking from his own phone. He had begun to apply for a job with the phone company, he told me, and he wanted to stay away from anything illegal.
"Any kind of job will do, anything as menial as the most lowly operator. That's probably all they'd give me because I'm blind. Even though I probably know more than most switchmen. But that's okay. I want to work for Ma Bell. I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's something beautiful about the system when you know it intimately the way I do. But I don't know how much they know about me here. I have a very intuitive feel for the condition of the line I'm on, and I think they're monitoring me off and on lately, but I haven't been doing much illegal. I have to make a few calls to switchmen once in a while which aren't strictly legal, and once I took an acid trip and was having these auditory hallucinations as if I were trapped and these planes were dive-bombing me, and all of sudden I had to phone phreak out of there. For some reason I had to call Kansas City, but that's all."
A Warning Is Delivered
At this point -- one o'clock in my time zone -- a loud knock on my motel-room door interrupts our conversation. Outside the door I find a uniformed security guard who informs me that there has been an "emergency phone call" for me while I have been on the line and that the front desk has sent him up to let me know.
Two seconds after I say good-bye to Joe and hang up, the phone rings.
"Who were you talking to?" the agitated voice demands. The voice belongs to Captain Crunch. "I called because I decided to warn you of something. I decided to warn you to be careful. I don't want this information you get to get to the radical underground. I don't want it to get into the wrong hands. What would you say if I told you it's possible for three phone phreaks to saturate the phone system of the nation. Saturate it. Busy it out. All of it. I know how to do this. I'm not gonna tell. A friend of mine has already saturated the trunks between Seattle and New York. He did it with a computerized M-F-er hitched into a special Manitoba exchange. But there are other, easier ways to do it."
Just three people? I ask. How is that possible?
"Have you ever heard of the long-lines guard frequency? Do you know about stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. I'm not gonna tell you. But whatever you do, don't let this get into the hands of the radical underground."
(Later Gilbertson, the inventor, confessed that while he had always been skeptical about the Captain's claim of the sabotage potential of trunk-tying phone phreaks, he had recently heard certain demonstrations which convinced him the Captain was not speaking idly. "I think it might take more than three people, depending on how many machines like Captain Crunch's were available. But even though the Captain sounds a little weird, he generally turns out to know what he's talking about.")
"You know," Captain Crunch continues in his admonitory tone, "you know the younger phone phreaks call Moscow all the time. Suppose everybody were to call Moscow. I'm no right-winger. But I value my life. I don't want the Commies coming over and dropping a bomb on my head. That's why I say you've got to be careful about who gets this information."
The Captain suddenly shifts into a diatribe against those phone phreaks who don't like the phone company.
"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but I can detect things like that. Well, even if it is, they know that I know that they know that I have a bulk eraser. I'm very clean." The Captain pauses, evidently torn between wanting to prove to the phone-company monitors that he does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma Bell knows how good I am. And I am quite good. I can detect reversals, tandem switching, everything that goes on a line. I have relative pitch now. Do you know what that means? My ears are a $20,000 piece of equipment. With my ears I can detect things they can't hear with their equipment. I've had employment problems. I've lost jobs. But I want to show Ma Bell how good I am. I don't want to screw her, I want to work for her. I want to do good for her. I want to help her get rid of her flaws and become perfect. That's my number-one goal in life now." The Captain concludes his warnings and tells me he has to be going. "I've got a little action lined up for tonight," he explains and hangs up.
Before I hang up for the night, I call Joe Engressia back. He reports that his tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I get, ahem, yes; but you might say he's in a drunken stupor." I make a date to visit Joe in Memphis in two days.
A Phone Phreak Call Takes Care of Business
The next morning I attend a gathering of four phone phreaks in ----- (a California suburb). The gathering takes place in a comfortable split-level home in an upper-middle-class subdivision. Heaped on the kitchen table are the portable cassette recorders, M-F cassettes, phone patches, and line ties of the four phone phreaks present. On the kitchen counter next to the telephone is a shoe-box-size blue box with thirteen large toggle switches for the tones. The parents of the host phone phreak, Ralph, who is blind, stay in the living room with their sighted children. They are not sure exactly what Ralph and his friends do with the phone or if it's strictly legal, but he is blind and they are pleased he has a hobby which keeps him busy.
The group has been working at reestablishing the historic "2111" conference, reopening some toll-free loops, and trying to discover the dimensions of what seem to be new initiatives against phone phreaks by phone-company security agents.
It is not long before I get a chance to see, to hear, Randy at work. Randy is known among the phone phreaks as perhaps the finest con man in the game. Randy is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly nylon white sport shirt, pushes his head forward from hunched shoulders somewhat like a turtle inching out of its shell. His eyes wander, crossing and recrossing, and his forehead is somewhat pimply. He is only sixteen years old.
But when Randy starts speaking into a telephone mouthpiece his voice becomes so stunningly authoritative it is necessary to look again to convince yourself it comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the voice of a brilliant performance-fund gunslinger explaining how he beats the Dow Jones by thirty percent. Then imagine a voice that could make those two sound like Stepin Fetchit. That is sixteen-year-old Randy's voice.
He is speaking to a switchman in Detroit. The phone company in Detroit had closed up two toll-free loop pairs for no apparent reason, although heavy use by phone phreaks all over the country may have been detected. Randy is telling the switchman how to open up the loop and make it free again:
"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and we've been trying to run some tests on your loop-arounds and we find'em busied out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, can you drop cards on 'em? Do you have 08 on your number group? Oh that's okay, we've had this trouble before, we may have to go after the circuit. Here lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, yeah, we'd like to clear that busy out. Right. All you have to do is look for your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that happened, but we've been having trouble with that one. Okay. Thanks a lot fella. Be seein' ya."
Randy hangs up, reports that the switchman was a little inexperienced with the loop-around circuits on the miscellaneous trunk frame, but that the loop has been returned to its free-call status.
Delighted, phone phreak Ed returns the pair of numbers to the active-status column in his directory. Ed is a superb and painstaking researcher. With almost Talmudic thoroughness he will trace tendrils of hints through soft-wired mazes of intervening phone-company circuitry back through complex linkages of switching relays to find the location and identity of just one toll-free loop. He spends hours and hours, every day, doing this sort of thing. He has somehow compiled a directory of eight hundred "Band-six in-WATS numbers" located in over forty states. Band-six in-WATS numbers are the big 800 numbers -- the ones that can be dialed into free from anywhere in the country.
Ed the researcher, a nineteen-year-old engineering student, is also a superb technician. He put together his own working blue box from scratch at age seventeen. (He is sighted.) This evening after distributing the latest issue of his in-WATS directory (which has been typed into Braille for the blind phone phreaks), he announces he has made a major new breakthrough:
"I finally tested it and it works, perfectly. I've got this switching matrix which converts any touch-tone phone into an M-F-er."
The tones you hear in touch-tone phones are not the M-F tones that operate the long-distance switching system. Phone phreaks believe AT&T had deliberately equipped touch tones with a different set of frequencies to avoid putting the six master M-F tones in the hands of every touch-tone owner. Ed's complex switching matrix puts the six master tones, and in effect a blue box, in the hands of every touch-tone owner.
Ed shows me pages of schematics, specifications and parts lists. "It's not easy to build, but everything here is in the Heathkit catalog."
Ed asks Ralph what progress he has made in his attempts to reestablish a long-term open conference line for phone phreaks. The last big conference -- the historic "2111" conference -- had been arranged through an unused Telex test-board trunk somewhere in the innards of a 4A switching machine in Vancouver, Canada. For months phone phreaks could M-F their way into Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the internal phone-company code for Telex testing), and find themselves at any time, day or night, on an open wire talking with an array of phone phreaks from coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak sympathizers, and miscellaneous guests and technical experts. The conference was a massive exchange of information. Phone phreaks picked each other's brains clean, then developed new ways to pick the phone company's brains clean. Ralph gave M-F Boogie concerts with his home-entertainment-type electric organ, Captain Crunch demonstrated his round-the-world prowess with his notorious computerized unit and dropped leering hints of the "action" he was getting with his girl friends. (The Captain lives out or pretends to live out several kinds of fantasies to the gossipy delight of the blind phone phreaks who urge him on to further triumphs on behalf of all of them.) The somewhat rowdy Northwest phone-phreak crowd let their bitter internal feud spill over into the peaceable conference line, escalating shortly into guerrilla warfare; Carl the East Coast international tone relations expert demonstrated newly opened direct M-F routes to central offices on the island of Bahrein in the Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and explained the technical operation of the new Oakland-to-Vietnam linkages. (Many phone phreaks pick up spending money by M-F-ing calls from relatives to Vietnam GIs, charging $5 for a whole hour of trans-Pacific conversation.)
Day and night the conference line was never dead. Blind phone phreaks all over the country, lonely and isolated in homes filled with active sighted brothers and sisters, or trapped with slow and unimaginative blind kids in straitjacket schools for the blind, knew that no matter how late it got they could dial up the conference and find instant electronic communion with two or three other blind kids awake over on the other side of America. Talking together on a phone hookup, the blind phone phreaks say, is not much different from being there together. Physically, there was nothing more than a two-inch-square wafer of titanium inside a vast machine on Vancouver Island. For the blind kids "there" meant an exhilarating feeling of being in touch, through a kind of skill and magic which was peculiarly their own.
Last April 1, however, the long Vancouver Conference was shut off. The phone phreaks knew it was coming. Vancouver was in the process of converting from a step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped out in the process. The phone phreaks learned the actual day on which the conference would be erased about a week ahead of time over the phone company's internal-news-and-shop-talk recording.
For the next frantic seven days every phone phreak in America was on and off the 2111 conference twenty-four hours a day. Phone phreaks who were just learning the game or didn't have M-F capability were boosted up to the conference by more experienced phreaks so they could get a glimpse of what it was like before it disappeared. Top phone phreaks searched distant area codes for new conference possibilities without success. Finally in the early morning of April 1, the end came.
"I could feel it coming a couple hours before midnight," Ralph remembers. "You could feel something going on in the lines. Some static began showing up, then some whistling wheezing sound. Then there were breaks. Some people got cut off and called right back in, but after a while some people were finding they were cut off and couldn't get back in at all. It was terrible. I lost it about one a.m., but managed to slip in again and stay on until the thing died... I think it was about four in the morning. There were four of us still hanging on when the conference disappeared into nowhere for good. We all tried to M-F up to it again of course, but we got silent termination. There was nothing there."
The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker"
Mark Bernay. I had come across that name before. It was on Gilbertson's select list of phone phreaks. The California phone phreaks had spoken of a mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West Coast. And in fact almost every phone phreak in the West can trace his origins either directly to Mark Bernay or to a disciple of Mark Bernay.
It seems that five years ago this Mark Bernay (a pseudonym he chose for himself) began traveling up and down the West Coast pasting tiny stickers in phone books all along his way. The stickers read something like "Want to hear an interesting tape recording? Call these numbers." The numbers that followed were toll-free loop-around pairs. When one of the curious called one of the numbers he would hear a tape recording pre-hooked into the loop by Bernay which explained the use of loop-around pairs, gave the numbers of several more, and ended by telling the caller, "At six o'clock tonight this recording will stop and you and your friends can try it out. Have fun."
"I was disappointed by the response at first," Bernay told me, when I finally reached him at one of his many numbers and he had dispensed with the usual "I never do anything illegal" formalities which experienced phone phreaks open most conversations.
"I went all over the coast with these stickers not only on pay phones, but I'd throw them in front of high schools in the middle of the night, I'd leave them unobtrusively in candy stores, scatter them on main streets of small towns. At first hardly anyone bothered to try it out. I would listen in for hours and hours after six o'clock and no one came on. I couldn't figure out why people wouldn't be interested. Finally these two girls in Oregon tried it out and told all their friends and suddenly it began to spread."
Before his Johnny Appleseed trip Bernay had already gathered a sizable group of early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. Bernay does not claim credit for the original discovery of the loop-around numbers. He attributes the discovery to an eighteen-year-old reform school kid in Long Beach whose name he forgets and who, he says, "just disappeared one day." When Bernay himself discovered loop-arounds independently, from clues in his readings in old issues of the Automatic Electric Technical Journal, he found dozens of the reform-school kid's friends already using them. However, it was one of Bernay's disciples in Seattle that introduced phone phreaking to blind kids. The Seattle kid who learned about loops through Bernay's recording told a blind friend, and the blind kid taught the secret to his friends at a winter camp for blind kids in Los Angeles. When the camp session was over these kids took the secret back to towns all over the West. This is how the original blind kids became phone phreaks. For them, for most phone phreaks in general, it was the discovery of the possibilities of loop-arounds which led them on to far more serious and sophisticated phone-phreak methods, and which gave them a medium for sharing their discoveries.
A year later a blind kid who moved back east brought the technique to a blind kids' summer camp in Vermont, which spread it along the East Coast. All from a Mark Bernay sticker.
Bernay, who is nearly thirty years old now, got his start when he was fifteen and his family moved into an L.A. suburb serviced by General Telephone and Electronics equipment. He became fascinated with the differences between Bell and G.T.&E. equipment. He learned he could make interesting things happen by carefully timed clicks with the disengage button. He learned to interpret subtle differences in the array of clicks, whirrs and kachinks he could hear on his lines. He learned he could shift himself around the switching relays of the L.A. area code in a not-too-predictable fashion by interspersing his own hook-switch clicks with the clicks within the line. (Independent phone companies -- there are nineteen hundred of them still left, most of them tiny island principalities in Ma Bell's vast empire -- have always been favorites with phone phreaks, first as learning tools, then as Archimedes platforms from which to manipulate the huge Bell system. A phone phreak in Bell territory will often M-F himself into an independent's switching system, with switching idiosyncrasies which can give him marvelous leverage over the Bell System.)
"I have a real affection for Automatic Electric Equipment," Bernay told me. "There are a lot of things you can play with. Things break down in interesting ways."
Shortly after Bernay graduated from college (with a double major in chemistry and philosophy), he graduated from phreaking around with G.T.&E. to the Bell System itself, and made his legendary sticker-pasting journey north along the coast, settling finally in Northwest Pacific Bell territory. He discovered that if Bell does not break down as interestingly as G.T.&E., it nevertheless offers a lot of "things to play with."
Bernay learned to play with blue boxes. He established his own personal switchboard and phone-phreak research laboratory complex. He continued his phone-phreak evangelism with ongoing sticker campaigns. He set up two recording numbers, one with instructions for beginning phone phreaks, the other with latest news and technical developments (along with some advanced instruction) gathered from sources all over the country.
These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately I've been enjoying playing with computers more than playing with phones. My personal thing in computers is just like with phones, I guess -- the kick is in finding out how to beat the system, how to get at things I'm not supposed to know about, how to do things with the system that I'm not supposed to be able to do."
As a matter of fact, Bernay told me, he had just been fired from his computer-programming job for doing things he was not supposed to be able to do. He had been working with a huge time-sharing computer owned by a large corporation but shared by many others. Access to the computer was limited to those programmers and corporations that had been assigned certain passwords. And each password restricted its user to access to only the one section of the computer cordoned off for its own information storage. The password system prevented companies and individuals from stealing each other's information.
"I figured out how to write a program that would let me read everyone else's password," Bernay reports. "I began playing around with passwords. I began letting the people who used the computer know, in subtle ways, that I knew their passwords. I began dropping notes to the computer supervisors with hints that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting cleverer and cleverer with my messages and devising ways of showing them what I could do. I'm sure they couldn't imagine I could do the things I was showing them. But they never responded to me. Every once in a while they'd change the passwords, but I found out how to discover what the new ones were, and I let them know. But they never responded directly to the Midnight Skulker. I even finally designed a program which they could use to prevent my program from finding out what it did. In effect I told them how to wipe me out, The Midnight Skulker. It was a very clever program. I started leaving clues about myself. I wanted them to try and use it and then try to come up with something to get around that and reappear again. But they wouldn't play. I wanted to get caught. I mean I didn't want to get caught personally, but I wanted them to notice me and admit that they noticed me. I wanted them to attempt to respond, maybe in some interesting way." Finally the computer managers became concerned enough about the threat of information-stealing to respond. However, instead of using The Midnight Skulker's own elegant self-destruct program, they called in their security personnel, interrogated everyone, found an informer to identify Bernay as The Midnight Skulker, and fired him.
"At first the security people advised the company to hire me full-time to search out other flaws and discover other computer freaks. I might have liked that. But I probably would have turned into a double double agent rather than the double agent they wanted. I might have resurrected The Midnight Skulker and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole idea down."
You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own Home, Perhaps.
Computer freaking may be the wave of the future. It suits the phone-phreak sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone phreak, has also gone on from phone-phreaking to computer-freaking. Before he got into the blue-box business Gilbertson, who is a highly skilled programmer, devised programs for international currency arbitrage.
But he began playing with computers in earnest when he learned he could use his blue box in tandem with the computer terminal installed in his apartment by the instrumentation firm he worked for. The print-out terminal and keyboard was equipped with acoustical coupling, so that by coupling his little ivory Princess phone to the terminal and then coupling his blue box on that, he could M-F his way into other computers with complete anonymity, and without charge; program and re-program them at will; feed them false or misleading information; tap and steal from them. He explained to me that he taps computers by busying out all the lines, then going into a verification trunk, listening into the passwords and instructions one of the time sharers uses, and then M-F-ing in and imitating them. He believes it would not be impossible to creep into the F.B.I.'s crime control computer through a local police computer terminal and phreak around with the F.B.I.'s memory banks. He claims he has succeeded in re-programming a certain huge institutional computer in such a way that it has cordoned off an entire section of its circuitry for his personal use, and at the same time conceals that arrangement from anyone else's notice. I have been unable to verify this claim.
Like Captain Crunch, like Alexander Graham Bell (pseudonym of a disgruntled-looking East Coast engineer who claims to have invented the black box and now sells black and blue boxes to gamblers and radical heavies), like most phone phreaks, Gilbertson began his career trying to rip off pay phones as a teenager. Figure them out, then rip them off. Getting his dime back from the pay phone is the phone phreak's first thrilling rite of passage. After learning the usual eighteen different ways of getting his dime back, Gilbertson learned how to make master keys to coin-phone cash boxes, and get everyone else's dimes back. He stole some phone-company equipment and put together his own home switchboard with it. He learned to make a simple "bread-box" device, of the kind used by bookies in the Thirties (bookie gives a number to his betting clients; the phone with that number is installed in some widow lady's apartment, but is rigged to ring in the bookie's shop across town, cops trace big betting number and find nothing but the widow).
Not long after that afternoon in 1968 when, deep in the stacks of an engineering library, he came across a technical journal with the phone tone frequencies and rushed off to make his first blue box, not long after that Gilbertson abandoned a very promising career in physical chemistry and began selling blue boxes for $1,500 apiece.
"I had to leave physical chemistry. I just ran out of interesting things to learn," he told me one evening. We had been talking in the apartment of the man who served as the link between Gilbertson and the syndicate in arranging the big $300,000 blue-box deal which fell through because of legal trouble. There has been some smoking.
"No more interesting things to learn," he continues. "Physical chemistry turns out to be a sick subject when you take it to its highest level. I don't know. I don't think I could explain to you how it's sick. You have to be there. But you get, I don't know, a false feeling of omnipotence. I suppose it's like phone-phreaking that way. This huge thing is there. This whole system. And there are holes in it and you slip into them like Alice and you're pretending you're doing something you're actually not, or at least it's no longer you that's doing what you thought you were doing. It's all Lewis Carroll. Physical chemistry and phone-phreaking. That's why you have these phone-phreak pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's something about phone-phreaking that you don't find in physical chemistry." He looks up at me:
"Did you ever steal anything?"
"Well yes, I..."
"Then you know! You know the rush you get. It's not just knowledge, like physical chemistry. It's forbidden knowledge. You know. You can learn about anything under the sun and be bored to death with it. But the idea that it's illegal. Look: you can be small and mobile and smart and you're ripping off somebody large and powerful and very dangerous."
People like Gilbertson and Alexander Graham Bell are always talking about ripping off the phone company and screwing Ma Bell. But if they were shown a single button and told that by pushing it they could turn the entire circuitry of A.T.&T. into molten puddles, they probably wouldn't push it. The disgruntled-inventor phone phreak needs the phone system the way the lapsed Catholic needs the Church, the way Satan needs a God, the way The Midnight Skulker needed, more than anything else, response.
Later that evening Gilbertson finished telling me how delighted he was at the flood of blue boxes spreading throughout the country, how delighted he was to know that "this time they're really screwed." He suddenly shifted gears.
"Of course. I do have this love/hate thing about Ma Bell. In a way I almost like the phone company. I guess I'd be very sad if they were to disintegrate. In a way it's just that after having been so good they turn out to have these things wrong with them. It's those flaws that allow me to get in and mess with them, but I don't know. There's something about it that gets to you and makes you want to get to it, you know."
I ask him what happens when he runs out of interesting, forbidden things to learn about the phone system.
"I don't know, maybe I'd go to work for them for a while."
"In security even?"
"I'd do it, sure. I just as soon play -- I'd just as soon work on either side."
"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's game."
"Yes, that might be interesting. Yes, I could figure out how to outwit the phone phreaks. Of course if I got too good at it, it might become boring again. Then I'd have to hope the phone phreaks got much better and outsmarted me for a while. That would move the quality of the game up one level. I might even have to help them out, you know, 'Well, kids, I wouldn't want this to get around but did you ever think of -- ?' I could keep it going at higher and higher levels forever."
The dealer speaks up for the first time. He has been staring at the soft blinking patterns of light and colors on the translucent tiled wall facing him. (Actually there are no patterns: the color and illumination of every tile is determined by a computerized random-number generator designed by Gilbertson which insures that there can be no meaning to any sequence of events in the tiles.)
"Those are nice games you're talking about," says the dealer to his friend. "But I wouldn't mind seeing them screwed. A telephone isn't private anymore. You can't say anything you really want to say on a telephone or you have to go through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, people are going to start putting together their own private telephone companies if they want to really talk. And you know what else. You don't hear silences on the phone anymore. They've got this time-sharing thing on long-distance lines where you make a pause and they snip out that piece of time and use it to carry part of somebody else's conversation.Instead of a pause, where somebody's maybe breathing or sighing, you get this blank hole and you only start hearing again when someone says a word and even the beginning of the word is clipped off. Silences don't count -- you're paying for them, but they take them away from you. It's not cool to talk and you can't hear someone when they don't talk. What the hell good is the phone? I wouldn't mind seeing them totally screwed."
The Big Memphis Bust
Joe Engressia never wanted to screw Ma Bell. His dream had always been to work for her.
The day I visited Joe in his small apartment on Union Avenue in Memphis, he was upset about another setback in his application for a telephone job.
"They're stalling on it. I got a letter today telling me they'd have to postpone the interview I requested again. My landlord read it for me. They gave me some runaround about wanting papers on my rehabilitation status but I think there's something else going on."
When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when he has guests -- it looked as if there was enough telephone hardware to start a small phone company of his own.
There is one phone on top of his desk, one phone sitting in an open drawer beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F device with big toggle switches, and next to that is some kind of switching and coupling device with jacks and alligator plugs hanging loose. Next to that is a Braille typewriter. On the floor next to the desk, lying upside down like a dead tortoise, is the half-gutted body of an old black standard phone. Across the room on a torn and dusty couch are two more phones, one of them a touch-tone model; two tape recorders; a heap of phone patches and cassettes, and a life-size toy telephone.
Our conversation is interrupted every ten minutes by phone phreaks from all over the country ringing Joe on just about every piece of equipment but the toy phone and the Braille typewriter. One fourteen-year-old blind kid from Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to Joe about girl friends. Joe says they'll talk later in the evening when they can be alone on the line. Joe draws a deep breath, whistles him off the air with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he looked worried and preoccupied that evening, his brow constantly furrowed over his dark wandering eyes. In addition to the phone-company stall, he has just learned that his apartment house is due to be demolished in sixty days for urban renewal. For all its shabbiness, the Union Avenue apartment house has been Joe's first home-of-his-own and he's worried that he may not find another before this one is demolished.
But what really bothers Joe is that switchmen haven't been listening to him. "I've been doing some checking on 800 numbers lately, and I've discovered that certain 800 numbers in New Hampshire couldn't be reached from Missouri and Kansas. Now it may sound like a small thing, but I don't like to see sloppy work; it makes me feel bad about the lines. So I've been calling up switching offices and reporting it, but they haven't corrected it. I called them up for the third time today and instead of checking they just got mad. Well, that gets me mad. I mean, I do try to help them. There's something about them I can't understand -- you want to help them and they just try to say you're defrauding them."
It is Sunday evening and Joe invites me to join him for dinner at a Holiday Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a favorite for Joe ever since he made his first solo phone trip to a Bell switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. He likes to stay at Holiday Inns, he explains, because they represent freedom to him and because the rooms are arranged the same all over the country so he knows that any Holiday Inn room is familiar territory to him. Just like any telephone.)
Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone phreak.
At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of listening to little Joe play with the phone as he always did, constantly, put a lock on the phone dial. "I got so mad. When there's a phone sitting there and I can't use it... so I started getting mad and banging the receiver up and down. I noticed I banged it once and it dialed one. Well, then I tried banging it twice...." In a few minutes Joe learned how to dial by pressing the hook switch at the right time. "I was so excited I remember going 'whoo whoo' and beat a box down on the floor."
At age eight Joe learned about whistling. "I was listening to some intercept non working-number recording in L.A. -- I was calling L.A. as far back as that, but I'd mainly dial non working numbers because there was no charge, and I'd listen to these recordings all day. Well, I was whistling 'cause listening to these recordings can be boring after a while even if they are from L.A., and all of a sudden, in the middle of whistling, the recording clicked off. I fiddled around whistling some more, and the same thing happened. So I called up the switch room and said, 'I'm Joe. I'm eight years old and I want to know why when I whistle this tune the line clicks off.' He tried to explain it to me, but it was a little too technical at the time. I went on learning. That was a thing nobody was going to stop me from doing. The phones were my life, and I was going to pay any price to keep on learning. I knew I could go to jail. But I had to do what I had to do to keep on learning."
The phone is ringing when we walk back into Joe's apartment on Union Avenue. It is Captain Crunch. The Captain has been following me around by phone, calling up everywhere I go with additional bits of advice and explanation for me and whatever phone phreak I happen to be visiting. This time the Captain reports he is calling from what he describes as "my hideaway high up in the Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to "go out and get a little action tonight. Do some phreaking of another kind, if you know what I mean." Joe chuckles.
The Captain then tells me to make sure I understand that what he told me about tying up the nation's phone lines was true, but that he and the phone phreaks he knew never used the technique for sabotage. They only learned the technique to help the phone company.
"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri WATS-line flaw I've been screaming about. We help them more than they know."
After we say good-bye to the Captain and Joe whistles him off the line, Joe tells me about a disturbing dream he had the night before: "I had been caught and they were taking me to a prison. It was a long trip. They were taking me to a prison a long long way away. And we stopped at a Holiday Inn and it was my last night ever using the phone and I was crying and crying, and the lady at the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. You should always be happy here. Especially since it's your last night.' And that just made it worse and I was sobbing so much I couldn't stand it."
Two weeks after I left Joe Engressia's apartment, phone-company security agents and Memphis police broke into it. Armed with a warrant, which they left pinned to a wall, they confiscated every piece of equipment in the room, including his toy telephone. Joe was placed under arrest and taken to the city jail where he was forced to spend the night since he had no money and knew no one in Memphis to call.
It is not clear who told Joe what that night, but someone told him that the phone company had an open-and-shut case against him because of revelations of illegal activity he had made to a phone-company undercover agent.
By morning Joe had become convinced that the reporter from Esquire, with whom he had spoken two weeks ago, was the undercover agent. He probably had ugly thoughts about someone he couldn't see gaining his confidence, listening to him talk about his personal obsessions and dreams, while planning all the while to lock him up.
"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. "I told him everything...." Feeling betrayed, Joe proceeded to confess everything to the press and police.
As it turns out, the phone company did use an undercover agent to trap Joe, although it was not the Esquire reporter.
Ironically, security agents were alerted and began to compile a case against Joe because of one of his acts of love for the system: Joe had called an internal service department to report that he had located a group of defective long-distance trunks, and to complain again about the New Hampshire/Missouri WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A suspicious switchman reported Joe to the security agents who discovered that Joe had never had a long-distance call charged to his name.
Then the security agents learned that Joe was planning one of his phone trips to a local switching office. The security people planted one of their agents in the switching office. He posed as a student switchman and followed Joe around on a tour. He was extremely friendly and helpful to Joe, leading him around the office by the arm. When the tour was over he offered Joe a ride back to his apartment house. On the way he asked Joe -- one tech man to another -- about "those blue boxers" he'd heard about. Joe talked about them freely, talked about his blue box freely, and about all the other things he could do with the phones.
The next day the phone-company security agents slapped a monitoring tape on Joe's line, which eventually picked up an illegal call. Then they applied for the search warrant and broke in.
In court Joe pleaded not guilty to possession of a blue box and theft of service. A sympathetic judge reduced the charges to malicious mischief and found him guilty on that count, sentenced him to two thirty-day sentences to be served concurrently and then suspended the sentence on condition that Joe promise never to play with phones again. Joe promised, but the phone company refused to restore his service. For two weeks after the trial Joe could not be reached except through the pay phone at his apartment house, and the landlord screened all calls for him.
Phone-phreak Carl managed to get through to Joe after the trial, and reported that Joe sounded crushed by the whole affair.
"What I'm worried about," Carl told me, "is that Joe means it this time. The promise. That he'll never phone-phreak again. That's what he told me, that he's given up phone-phreaking for good. I mean his entire life. He says he knows they're going to be watching him so closely for the rest of his life he'll never be able to make a move without going straight to jail. He sounded very broken up by the whole experience of being in jail. It was awful to hear him talk that way. I don't know. I hope maybe he had to sound that way. Over the phone, you know."
He reports that the entire phone-phreak underground is up in arms over the phone company's treatment of Joe. "All the while Joe had his hopes pinned on his application for a phone-company job, they were stringing him along getting ready to bust him. That gets me mad. Joe spent most of his time helping them out. The bastards. They think they can use him as an example. All of a sudden they're harassing us on the coast. Agents are jumping up on our lines. They just busted ------'s mute yesterday and ripped out his lines. But no matter what Joe does, I don't think we're going to take this lying down."
Two weeks later my phone rings and about eight phone phreaks in succession say hello from about eight different places in the country, among them Carl, Ed, and Captain Crunch. A nationwide phone-phreak conference line has been reestablished through a switching machine in --------, with the cooperation of a disgruntled switchman.
"We have a special guest with us today," Carl tells me.
The next voice I hear is Joe's. He reports happily that he has just moved to a place called Millington, Tennessee, fifteen miles outside of Memphis, where he has been hired as a telephone-set repairman by a small independent phone company. Someday he hopes to be an equipment troubleshooter.
"It's the kind of job I dreamed about. They found out about me from the publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. I'll have telephones in my hands all day long."
"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked me. "Well, I think they're going to be very sorry about what they did to Joe and what they're trying to do to us."