home *** CD-ROM | disk | FTP | other *** search
- Words from the author:
-
- Over the last 12 years I have worn many hats. That of a
- Phone Phreak/Hacker, Sysop of one of the oldest BBS's in the
- world, and that of technical security consultant. To some there
- might seem a conflict of interest in the hats I have worn. But,
- my belief is that the material found in the underground computer
- sub-culture of Hackers & Phone Phreaks should be considered a form
- of educational service to systems designers/administrators, as
- well as programmers, law enforcement and others involved in the
- design, improvement, and policeing of the electronic frontier.
- True, there will always be that certain percentage of people
- who would use this (or any other information) maliciously. It
- is also my belief that these people are in the minority. These
- people while usually teenagers with more ego than intellect can
- if desired find the majority of this information in any library,
- magazine, or newsletter already in print. Most of this style of
- material doesnt originate on underground BBS's, but rather ends
- up there as a compilation of like materials. However to some,
- such as law enforcement for example, a threat is perceived and
- derived from seeing the compilation of this style material all
- in one place and accessable via computer. Just the fact that it
- comes from a computer some how makes it more ominous than if read
- from some obscure techno underground newsletter. This is nothing
- more than a perception problem.
- A case in point is the Craig Neidorf case where he was raided
- and had all of his personal computer equipment taken and charged
- with tens of thousands of damage and losses, because of releaseing
- what was at the time 'perceived' as critical 911 services
- information. Only to have the case thrown out later and discovering
- the self same 911 material was available publicly (if you knew where
- to look) for $30 dollars. While I personally have no great love
- for Craig and was badly and unjustly chastised by him once, he still
- should not have been left with the loss of thousands in personal
- property/equipment, not to mention a hundred thousand (I think that
- was the figure I heard quoted) in attorney's fees. This doesnt
- include the hundreds of thousands in lost tax payer dollars that
- were needlessly squandered on that case.
- My point is that the first thing that needs done is to clean up
- the problem, not the person. For example, my first major systems
- consulting contract was for a long distance telco who was lossing
- $450,000 a month in New York City alone. When hired, the first words
- out of my mouth were 'I'm not a head hunter', as this practice would
- only cost them 3-5 more dollars in investigative and legal fees in
- order to aquire and prosecute for every dollar they lost in fraud.
- The solution I offered was to fix the problem at its source (their
- system).
- After reviewing their setup from top to bottom It didnt
- take long to discover their billing code/PIN structure was at the
- heart of the problem. They had given a secretary a pad and pencil
- and said, we need some codes, here's how many digits they need to be
- so write down some and turn them in for use. In addition they were
- only using 4 digit codes at the time. To make matters worse the codes
- were only spaced a few digits apart thanks to the secratary who had
- no idea the significance of what she was doing. All this by a branch
- of what was then the 4th largest long distance company in the
- country. Gross negligence at best. But, who is the first to cry foul
- when their ineptitude was taken advantage of.
- From someone such as myself who bore the title of Phone Phreak
- proudly, this entire situation was nothing short of hilarious.
- However it was quite simple to fix. I needed only apply basic
- and common knowledge I had aquired from my studies around the
- computer/telecomm subculture. A task that should be promoted by the
- security powers that be, inorder to educate themselves, instead
- of going out and hiring ex-FBI and Ex-Police officers with an
- investigative/rubber hose mentality who didnt even have a true
- understanding of the problem they were hired to fix, to run their
- security departments. Who often like the very people they were
- chasing were operating on ego rather than intellect (not to mention
- authority). As potentially dangerous a combination to individual rights
- enjoyed in this country as the dangers provided by the malicious types
- within the computer underground itself. The point here is that
- there are problems within both the law enforcement and underground.
- Let me now give a couple of examples of how I used underground
- experience to fix this monumental snafu. First the obvious. Myself
- and a programmer friend (The Researcher) sat down and designed and
- wrote software to generate a new code network which was not 4 but
- but 7 digits in length, and only permitted one 'possible'
- (if assigned) good code in every 10,000 possible combinations.
- Ironically this software was written and tested and run on the very
- BBS machine that ran what was at the time (and still is) the oldest
- underground BBS in the world (P-80 Systems).
- Next, knowing that computers were used to do the majority of
- the code hacking at this time, it made the task simple to fix the
- switching equipment. Before I tell you how this was accomplished,
- a little advance training is in order. When you are dialing a number
- through any phone company local or national when you do something
- wrong (or even right for that matter) you get whats called a
- 'treatment' such as a recording or a 'fast busy' signal. With
- this in mind I first had to deal with the problem of the existing
- older codes that had not been converted to my 7 digit system and
- were still highly open to to fraud (it takes awhile to assign
- thousands of customers new codes). This was done by adding 6 new
- treatment ports to the switching equipment. On the first two ports
- I put ring generators (the device that provides the sound of the
- phone ringing in your earpiece) to create a ring with no possible
- answer situation when a bad code was dialed. Since the fraudulent
- codes were being reassigned on a daily basis with new 7 digit codes
- it provided a lot confusion for people still in posession of the
- older 4 digit codes. they couldnt tell if it was a dead code or
- the person they were calling just wasnt home, while not hampering
- the legitimate customer who simply misdialed his code. On the next
- 2 treatment ports I placed Hayes modems, which were like the other
- two ports in so much as they were a two in 6 chance of being aquired
- as a treatment for a bad code being dialed. This action gave the most
- effective security of the time due to the fact that people hacking via
- computer relied on a modem carrier to distinguish when they had gotten
- a good code. SO I GAVE THEM ONE. This made it almost impossible to
- distinguish a good code from a false carrier I was sending out.
- Thus making it difficult and near (but not) impossible to hack
- codes from that network. It also provided nothing more than a
- 'hey I wonder what I did wrong' thought to a legit customer who just
- misdialed and simply dials again as they normally would. Also one
- of there big problems was New York City was so big, that a call to
- another part of town could be long distance. New York City alone had
- five area codes. This meant that by simply blocking any calls who's
- area code is 'local or local long distance' I.E. in the city but a
- long distance call, which they should have been doing anyway in order
- not to be trafficing local calls (a big nono in the long distance world)
- they could stop this problem and significantly reduce the impact of the
- of the old 4 digit codes already comprimised and being used
- specifically for the purpose of local calls at the same time.
- Within 6 months their losses went from $450,000 a month to zero.
- The net cost in equipment for switch changes, and the new code network
- was about $5,000. Pennies for an operation of this size. When compared
- against the hundreds of thousands in investigative and legal fee's
- as well as tax dollars and additional taxation of the court system,
- which is already overburdoned. How many people are not in jail and
- being supported by the american tax dollar. I guess the moral to
- the story is work smart not hard. Someone took the time to
- trust me and to take a look at themselves and make the decision to use
- the underground as a tool for solving the 'real' problem rather than
- using it to track and apprehend people (which in case no one caught on,
- doesnt fix the problem in the example above). At the risk of stating
- the obvious, many of these people could be of great benifit to society
- if properly utilized (as opposed to stigmatized). If the time was
- taken to invite them in the front door, your less likely to see them
- around at the back door. As a matter of fact they might be quite an
- appropriate individual to protect the back door. Most of these guys
- would jump at the chance.....
-
- In closing I would like to take time to repeat the warning voiced
- elsewhere on this disk, Please DO NOT attempt to use any material
- found on this disk unless you are certain it is both legal and safe.
-
- Scan Man
-
-