Phreaking

Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, like equipment and systems connected to public telephone networks. The term "phreak" is a portmanteau of the words "phone" and "freak". It may also refer to the use of various audio frequencies to manipulate a phone system. "Phreak", "phreaker", or "phone phreak" are names used for and by individuals who participate in phreaking. Additionally, it is often associated with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).

History of phreaking

The precise origins of phone phreaking are unknown, although it is believed that phreak-like experimentation began with widespread deployment of automatically switched telephone networks. Modern day phreaking is more likely to be traced to the United States in the mid-to-late 1950s when AT&T began introducing fully automatic direct-dial long distance and certain forms of trunking carriers which used in-band signalling.Fact|date=February 2007 At this time, phone system experimentation began, similar to the way modern-day hackers use the Internet.

In approximately 1957, a blind seven-year old named Joe Engressia, who as an adult changed his name to "Joybubbles", skilled with perfect pitch, discovered that whistling the fourth E above middle C (a frequency of 2600 Hz) would stop a dialed phone recording. Engressia had stumbled on the tone that would cause a trunk to reset itself, though the seven-year-old didn't realise this at first. The 2600 Hz frequency was an internal telephone company signal to take control of a trunk line, which opened up almost limitless possibilities for routing calls without charges. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. This was the beginning of his love of exploring the telephone system. [cite web|url = http://www.robson.org/gary/writing/phreaking.html |title = The Origins of Phreaking |accessdate = 2008-06-21]

Other early phreaks, such as "Bill from New York", began to develop a rudimentary understanding of how phone networks worked. "Bill" discovered that a recorder he owned could also play a tone at 2.6 kHz with the same effect. John Draper discovered through his friendship with "Joybubbles" that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, "Captain Crunch"). This allowed control of phone systems that worked on SF, or Single Frequency, controls. One could sound a long whistle to reset the line, followed by groups of whistles (a short tone for a "1", two for a "2", etc.) to dial numbers. This process later led to MFing.

While SF worked on certain phone routes, the most common signalling on the then long distance network was MF, or Multi-Frequency Controls. The specific frequencies required were unknown until 1964, when Bell Systems published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for inter-office signalling. The journal was intended for the company's engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the 'keys to the kingdom', and the intricacies of the phone system were at the disposal of anyone with a cursory knowledge of electronics. Fact|date=February 2007

The second generation of phreaks arose at this time, including the New Yorkers "Evan Doorbell", "Ben Decibel" and Neil R. Bell and Californians Mark Bernay, Chris Bernay, and "Alan from Canada". Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. "Evan Doorbell", "Ben" and "Neil" formed a group of phreaks known as Group Bell. Mark Bernay initiated a similar group named the Mark Bernay Society. Both Mark and Evan received fame amongst today's phone phreakers for Internet publication of their collection of telephone exploration recordings. These recordings, conducted in the 60s, 70s, and early 80s are available at Mark's website "Phone Trips." [cite web|url = http://www.wideweb.com/phonetrips |title = Phone Trips |accessdate = 2008-06-21]

In October 1971, phreaking was introduced to the masses when Esquire Magazine published a story called "Secrets of the Little Blue Box" [cite web|url = http://www.webcrunchers.com/crunch/stories/esq-art.html |title = Secrets of the Little Blue Box |accessdate = 2008-06-21] by Ron Rosenbaum. This article featured Joybubbles and John Draper prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs who went on to found Apple Computer [cite web|url = http://www.woz.org/letters/general/03.html |title = Welcome to Woz.org |accessdate = 2008-06-21] .

1971 also saw the beginnings of YIPL (Youth International Party Line), a publication started by Abbie Hoffman and Al Bell to provide information to Yippies on how to "beat the man," mostly involving telephones. In 1973, Al Bell would move YIPL over and start TAP (Technology Assistance Program). TAP would develop into a major source for subversive technical information among phreaks and hackers all over the world. TAP ran from 1973 to 1984, with Al Bell handing over the magazine to "Tom Edison" in the late 70's. TAP ended publication in 1984 due mostly to a break-in and arson at Tom Edison's residence in 1983 [cite web|url = http://cheshirecatalyst.com/tap.html |title = Cheshire's Book - TAP.HTML |accessdate = 2008-06-21] . Cheshire Catalyst then took over running the magazine for its final (1984) year.

A controversially suppressed article "How to Build a 'Phone Phreaks' box" in Ramparts Magazine, (June, 1972) touched off a firestorm of interest in phreaking.This article published simple schematic plans of a "black box" used to receive free long distance phone calls, and included a very short parts list that could be used to construct one. Bell sued Ramparts which forced the magazine to pull all copies from shelves, but not before numerous copies were sold and many regular subscribers received them.

In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly AT&T was forced into divestiture. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.

In the early 1990s H/P groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's Operation Sundevil. Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.

Into the turn of the 21st century, phreaks began to focus on the exploration and playing with the network, and the concept of toll fraud became widely frowned on among serious phreakers, primarily under the influence of the website Phone Trips, put up by second generation phreaks Mark Bernay and Evan Doorbell.

2600 Hz

In the original analog networks, short-distance telephone calls were completed by sending relatively high-power electrical signals through the wires to the end office, which then switched the call. This technique could not be used for long-distance connections, because the signals would be filtered out due to capacitance in the wires. Long-distance switching remained a manual operation years after short-distance calls were automated, requiring operators at either end of the line to set up the connections.

Bell automated this process by sending "in-band" signals. Since the one thing the long-distance trunks were definitely able to do was send voice-frequency signals, the Bell system used a selection of tones sent over the trunks to control the system. When calling long-distance, the local end-office switch would first route the call to a special switch (this is why it is necessary to dial "1" in North America or "0" in most of Europe for long-distance calls) which would then convert further dialing into tones and send them over an appropriately selected trunk line (selected with the area code). A similar machine at the far end of the trunk would decode the tones back into electrical signals, and the call would complete as normal.

In addition to dialing instructions, the system also included a number of other tones that represented various commands or status. 2600 Hz, the key to early phreaking, was the frequency of the tone sent by the long-distance switch indicating that the user has gone on-hook (hung up the phone). This normally resulted in the remote switch also going on-hook, freeing the trunk for other uses. In order to make free lines easy to find, the 2600 Hz tone was continually played into free trunks. Engressia's whistling had triggered the remote switch to go on-hook, but critically, the "local" switch knew he was still off-hook because that was signaled electrically. The system was now in an inconsistent state, leaving him connected to an operational long-distance trunk line. With further experimentation, the phreaks learned the rest of the signals needed to dial on the remote switch.

Normally long-distance calls are billed locally. Since the "trick" required a long distance call to be placed in order to connect to the remote switch, it would be billed like normal. However there are a class of calls that have either no billing, like calls to directory service, or reverse the billing, like WATS lines (1-800 numbers). By dialing one of these numbers the user was connected to a remote switch as normal, but no billing record was made locally. A number of people in the 1960s discovered a loophole that resulted from this combination of features that allowed free long distance calls to be made. First you would dial a toll-free number in the area code you wanted to connect to, then play the 2600 Hz tone into the line to return the remote switch to on-hook, and then use a blue box to dial the number you wanted to connect to. The local Bell office would have no record of the call.

As knowledge of phreaking spread, a minor culture emerged from the increasing number of phone phreaks. Sympathetic (or easily social-engineered) telephone company employees began to provide the various routing codes to use international satellites and trunk lines. At the time it was felt that there was nothing Bell could do to stop this. Their entire network was based on this system, so changing the system in order to stop the phreakers would require a massive infrastructure upgrade.

In fact, Bell responded fairly quickly, but in a more targeted fashion. Looking on local records for inordinately long calls to directory service or other hints that phreakers were using a particular switch, filters could then be installed to block efforts at that end office. Many phreakers were forced to use pay telephones as the telephone company technicians regularly tracked long-distance toll free calls in an elaborate cat-and-mouse game. AT&T instead turned to the law for help, and a number of phreaks were caught by "The Man".

Eventually, the phone companies in North America did, in fact, replace all their hardware. They didn't do it to stop the phreaks, but simply as a matter of course while moving to fully digital switching systems. Unlike the crossbar, where the switching signals and voice were carried on the same lines, the new systems used separate lines for signalling that the phreaks couldn't get to. This system is known as Common Channel Interoffice Signaling. Classic phreaking with the 2600 Hz tone continued to work in more remote locations into the 1980s, but was of little use in North America by the 1990s.

Toll fraud era

The 1984 AT&T breakup gave rise to many small companies intent upon competing in the long distance market. These included the then-fledgling Sprint and MCI, both of whom had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wish to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short – usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.

6-digit calling card numbers only offer 1 million combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to "guess" a card number would have a good chance of doing so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier. "Code hack" programs were developed for computers with modems. The modems would dial the long distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Utilizing this methodology, code hacking programs would turn up hundreds (or in some cases thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.

Worse yet, there was no way for these small phone companies to identify the culprits of these brute-force hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long distance companies were able to offer standard 1+ dialing without the use of an access number.

Another method of obtaining free phone calls involved the use of so-called "diverters". Call forwarding was not an available feature for many business phone lines in the 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company's answering service. Unfortunately, the switching equipment would typically reset the line after the call had hung up and timed out back to dial tone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, he could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the business' expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the phone line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of phreaking died.

By the late 1990s, the fraudulent aspect of phreaking all but vanished. Most cellular phones offered unlimited domestic long distance calling for the price of standard airtime (often totally unlimited on weekends), and flat-rate long-distance plans appeared offering unlimited home phone long distance for as little as $25 per month. International calling could be made very cheaply, as well. Between the much higher risk of being caught (due to advances in technology) and the much lower gain of making free phone calls, toll fraud started to become a concept associated very little with phreaking.

Voice mail boxes and bridges

Prior to the BBS era of the 1980s, phone phreaking was more of a solitary venture, as it was difficult for phreaks to connect with one another. In addition to communicating over BBSs, phone phreaks discovered voice mail boxes and party lines as ways to network andkeep in touch over the telephone. It was rare for a phone phreak to legally purchase access to voice mail. Instead, they usually would appropriate unused boxes that were part of business or cellular phone systems. Once a vulnerable mailbox system was discovered, word would spread around the phreak community, and scores of them would take residence on the system. They would use the system as a "home base" for communication with one another, until the rightful owners would discover the intrusion and wipe them off. Voice mailboxes also provided a safe phone number for phreaks to give out to one another, as home phone numbers would allow the phreak's identity (and home address) to be discovered. This was especially important, given that phone phreaks were breaking the law.

Phreakers also used "bridges" to communicate live with one another. The term "bridge" originally referred to a group of telephone company test lines that were bridged together, giving the effect of a party-line. Eventually all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.

The popularity of the Internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day, bridges are still very popular with phreakers, yet with the advent of VoIP, the use of telephone company owned bridges has decreased slightly in favor of phreaker-owned conferences.

End of MF

The end of MF phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the continental United States to use a "phreakable" MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota. Many phone phreaks from across North America and the world made calls into what was the last group of MF-able inward trunks in the continental United States. A message board was set up for Paul Revere on +1 (218) 488-1307, for phone phreaks across the world to "say their goodbyes" to MF signalling and the N2 in Wawina.

During the days prior to the cut over, many famous phone phreaks such as Mark Bernay, Joybubbles, Bob Bernay, and Captain Crunch could be heard leaving their comments on the message board. The official date for the cutover from N2 to T-carrier was Wednesday, June 14. As early as June 7, there was a noticeable static on what had previously been clear lines.Or|date=February 2008 By Monday, June 12, many numbers were unreachable, and the static had peaked.Or|date=February 2008 The recording on +1 (218) 488-1307 was generally inaccessible, and MFing through the switch was becoming increasingly difficult due to the increased static.Or|date=February 2008 On June 15, at around 1:40 am, Eastern Daylight Time, any new incoming calls were unreachableFact|date=February 2007. As of July 29, the message played at +1 (218) 488-1307 was simply the current time and air temperature for Wawina, Minnesota.

Famous phone phreaks

* John Draper ("Captain Crunch")
* Mark Abene ("Phiber Optik")
* Mark Bernay
* Evan Doorbell
* Joybubbles (Joe Engressia, "The Whistler")
* Justin Peterson ("Agent Steal")
* Patrick Kroupa ("Lord Digital")
* Kevin Mitnick ("Condor")
* Kevin Poulsen ("Dark Dante")
* Steve Wozniak ("Berkeley Blue")
* Boris Floricic ("Tron")
* yahya soliman ("Cold Ice")

ee also

*
* BlueBEEP
* Busy line interrupt
* In-Band Signalling
* Hacking
* Phone Losers of America
* Phrack
* Phreaking Boxes
* Social engineering (security)
* Cracking

Notes

External links

* [http://andhrahackers.com/Forum/index.php/board,56.0.html Mobile Hacking and Security Discussions]
* [http://myoldmac.net/FAQ/TheBlueBox-1.htm Secrets of the Little Blue Box - article with photos]
* [http://www.dmine.com/phworld/sounds/wawina/ Telephone World - Sounds & Recordings of Wawina, Minnesota]
* [http://www.textfiles.com/phreak/ Textfiles.com / phreak] Large collection of phreaking related text files. See also, [http://audio.textfiles.com/conferences/ audio conferences] .
* [http://www.nettwerked.net Nettwerked Dot Net]
* [http://www.phreak.org/ Digital Information Society]
* [http://www.historyofphonephreaking.org/index.php The History of Phone Phreaking]