GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools

Problem, Formatting or Query -  Send Feedback

Was this page helpful?-11+1


archive:bbs:author
     Words from the author:
         Over the last 12 years I have worn many hats.  That of a
     Phone Phreak/Hacker, Sysop of one of the oldest BBS's in the
     world, and that of technical security consultant. To some there
     might seem a conflict of interest in the hats I have worn.  But,
     my belief is that the material found in the underground computer
     sub-culture of Hackers & Phone Phreaks should be considered a form
     of educational service to systems designers/administrators, as
     well as programmers, law enforcement and others involved in the
     design, improvement, and policeing of the electronic frontier.
         True, there will always be that certain percentage of people
     who would use this (or any other information) maliciously.  It
     is also my belief that these people are in the minority. These
     people while usually teenagers with more ego than intellect can
     if desired find the majority of this information in any library,
     magazine, or newsletter already in print. Most of this style of
     material doesnt originate on underground BBS's, but rather ends
     up there as a compilation of like materials. However to some,
     such as law enforcement for example, a threat is perceived and
     derived from seeing the compilation of this style material all
     in one place and accessable via computer. Just the fact that it
     comes from a computer some how makes it more ominous than if read
     from some obscure techno underground newsletter. This is nothing
     more than a perception problem.
         A case in point is the Craig Neidorf case where he was raided
     and had all of his personal computer equipment taken and charged
     with tens of thousands of damage and losses, because of releaseing
     what was at the time 'perceived' as critical 911 services
     information. Only to have the case thrown out later and discovering
     the self same 911 material was available publicly (if you knew where
     to look) for $30 dollars. While I personally have no great love
     for Craig and was badly and unjustly chastised by him once, he still
     should not have been left with the loss of thousands in personal
     property/equipment, not to mention a hundred thousand (I think that
     was the figure I heard quoted) in attorney's fees. This doesnt
     include the hundreds of thousands in lost tax payer dollars that
     were needlessly squandered on that case.
         My point is that the first thing that needs done is to clean up
     the problem, not the person. For example, my first major systems
     consulting contract was for a long distance telco who was lossing
     $450,000 a month in New York City alone. When hired, the first words
     out of my mouth were 'I'm not a head hunter', as this practice would
     only cost them 3-5 more dollars in investigative and legal fees in
     order to aquire and prosecute for every dollar they lost in fraud.
     The solution I offered was to fix the problem at its source (their
     system).
         After reviewing their setup from top to bottom It didnt
     take long to discover their billing code/PIN structure was at the
     heart of the problem. They had given a secretary a pad and pencil
     and said, we need some codes, here's how many digits they need to be
     so write down some and turn them in for use. In addition they were
     only using 4 digit codes at the time. To make matters worse the codes
     were only spaced a few digits apart thanks to the secratary who had
     no idea the significance of what she was doing. All this by a branch
     of what was then the 4th largest long distance company in the
     country. Gross negligence at best. But, who is the first to cry foul
     when their ineptitude was taken advantage of.
         From someone such as myself who bore the title of Phone Phreak
     proudly, this entire situation was nothing short of hilarious.
     However it was quite simple to fix. I needed only apply basic
     and common knowledge I had aquired from my studies around the
     computer/telecomm subculture. A task that should be promoted by the
     security powers that be, inorder to educate themselves, instead
     of going out and hiring ex-FBI and Ex-Police officers with an
     investigative/rubber hose mentality who didnt even have a true
     understanding of the problem they were hired to fix, to run their
     security departments. Who often like the very people they were
     chasing were operating on ego rather than intellect (not to mention
     authority). As potentially dangerous a combination to individual rights
     enjoyed in this country as the dangers provided by the malicious types
     within the computer underground itself. The point here is that
     there are problems within both the law enforcement and underground.
         Let me now give a couple of examples of how I used underground
     experience to fix this monumental snafu. First the obvious. Myself
     and a programmer friend (The Researcher) sat down and designed and
     wrote software to generate a new code network which was not 4 but
     but 7 digits in length, and only permitted one 'possible'
     (if assigned) good code in every 10,000 possible combinations.
     Ironically this software was written and tested and run on the very
     BBS machine that ran what was at the time (and still is) the oldest
     underground BBS in the world (P-80 Systems).
         Next, knowing that computers were used to do the majority of
     the code hacking at this time, it made the task simple to fix the
     switching equipment. Before I tell you how this was accomplished,
     a little advance training is in order. When you are dialing a number
     through any phone company local or national when you do something
     wrong (or even right for that matter) you get whats called a
     'treatment' such as a recording or a 'fast busy' signal. With
     this in mind I first had to deal with the problem of the existing
     older codes that had not been converted to my 7 digit system and
     were still highly open to to fraud (it takes awhile to assign
     thousands of customers new codes). This was done by adding 6 new
     treatment ports to the switching equipment. On the first two ports
     I put ring generators (the device that provides the sound of the
     phone ringing in your earpiece) to create a ring with no possible
     answer situation when a bad code was dialed. Since the fraudulent
     codes were being reassigned on a daily basis with new 7 digit codes
     it provided a lot confusion for people still in posession of the
     older 4 digit codes. they couldnt tell if it was a dead code or
     the person they were calling just wasnt home, while not hampering
     the legitimate customer who simply misdialed his code. On the next
     2 treatment ports I placed Hayes modems, which were like the other
     two ports in so much as they were a two in 6 chance of being aquired
     as a treatment for a bad code being dialed. This action gave the most
     effective security of the time due to the fact that people hacking via
     computer relied on a modem carrier to distinguish when they had gotten
     a good code. SO I GAVE THEM ONE. This made it almost impossible to
     distinguish a good code from a false carrier I was sending out.
     Thus making it difficult and near (but not) impossible to hack
     codes from that network. It also provided nothing more than a
     'hey I wonder what I did wrong' thought to a legit customer who just
     misdialed and simply dials again as they normally would. Also one
     of there big problems was New York City was so big, that a call to
     another part of town could be long distance. New York City alone had
     five area codes. This meant that by simply blocking any calls who's
     area code is 'local or local long distance' I.E. in the city but a
     long distance call,  which they should have been doing anyway in order
     not to be trafficing local calls (a big nono in the long distance world)
     they could stop this problem and significantly reduce the impact of the
     of the old 4 digit codes already comprimised and being used
     specifically for the purpose of local calls at the same time.
          Within 6 months their losses went from $450,000 a month to zero.
     The net cost in equipment for switch changes, and the new code network
     was about $5,000. Pennies for an operation of this size. When compared
     against the hundreds of thousands in investigative and legal fee's
     as well as tax dollars and additional taxation of the court system,
     which is already overburdoned. How many people are not in jail and
     being supported by the american tax dollar. I guess the moral to
     the story is work smart not hard. Someone took the time to
     trust me and to take a look at themselves and make the decision to use
     the underground as a tool for solving the 'real' problem rather than
     using it to track and apprehend people (which in case no one caught on,
     doesnt fix the problem in the example above).  At the risk of stating
     the obvious, many of these people could be of great benifit to society
     if properly utilized (as opposed to stigmatized). If the time was
     taken to invite them in the front door, your less likely to see them
     around at the back door. As a matter of fact they might be quite an
     appropriate individual to protect the back door. Most of these guys
     would jump at the chance.....
         In closing I would like to take time to repeat the warning voiced
     elsewhere on this disk, Please DO NOT attempt to use any material
     found on this disk unless you are certain it is both legal and safe.
                                              Scan Man
                      Acknowledgements:
   There are many thanks that should go out here as this material, both
   good and bad have come from many sources. But would still like to take
   a moment to thank the people most involved. I'll start with a big
   thanx to S & S Publishing, Inc. who will be distributing this
   product. Next, while most of the material from this disk comes from
   P-80 International Information Systems BBS, a large piece of recent
   material was donated by Invalid Media of the Unfamiliar Territory BBS.
   Inumerable thanks are in order for THE RESEARCHER for the many years
   of friendship and keyboard comradery. We have had many happy hours with
   uncountable programs, devices, pyrotechnical formulea and technical
   achievments many will only dream of. The Researcher is also the author
   of not only the loader/viewer program you are reading this with, but
   many of the articles within as well as most of the util's that run P-80.
   So if anyone is in need of a brilliant C (and others) programmer, then
   drop him a line here on P-80.  Thanx to the hundreds of thousands of
   both members and callers of P-80. And the proverbial last but not
   least my wife and family for putting up with the countless hours at
   the computer for the production of not only this disk but the BBS.
/data/webs/external/dokuwiki/data/pages/archive/bbs/author.txt · Last modified: 2001/04/06 22:12 (external edit)