Phreaking Not Dead Yet
santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulent charges from places like Saudi Arabia and the Philippines."
We used to hit 9 three times in a row on the Nike 1-800 number to get a dial tone and make long distance phone calls on Nike's tab. Not really phreaking but it was a phone system exploit.
IMHO, this is more social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extraordinary control over the network.
Interesting read, just the same.
--
Real phreaking is sneaking out of your parents house at ungodly hours to clip into your neighbor's line, or to build a BlueBox and scream 2600hz down the handset. Those were the days.
--sig fault--
It's just a flesh wound!
It seems like AT&T is directly at fault here, even though they are warning people to change their default password, this type of scam wouldn't be possible if they didn't have an automated system processing collect calls.
Not only that, but AT&T is the one that chooses the default password, by picking something that is easily guessable they are doubly guilty of allowing this to happen.
Only paying 30% of a scam like this is shameful.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
For more about Fone Phreaking, check out the grand master... Phone Losers of America
"Sic Semper Tyrannosaurus Rex."
can't get the site up, u figure wired could handle the traffic after only 7 posts
Eff this isnt it, i will cauterize my scrotal arteries and BBQ them.
Owch! How committed art thou to geekdom? First Post? Not by a long shot. See the First Cowboy Neal Post,dummbass.
I don't really understand why someone would do this, other than to harass the target. Sure, they get a free phone call, but it's not a phone call to talk to somebody. They are calling and just leaving the line open. Why would anyone bother?
If tits were wings it'd be flying around.
Why wouldn't the providers be concerned? Let's see, because they might lose money? Hmm..
The basic idea being used here is *really* old, phreaks have been changing OGM's to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT+T and SBC being retards. Still amusing though.
For a second I thought this meant all my friends with dialers would start calling me long distance. I hated that every five minutes.
please insert more money
hang on dude (holding dialer to hand set)
waiting as dialer mimics the sound of one quarter at a time
#1 --> "Victims say that AT&T and SBC know about the scam and are taking no concrete action to protect consumers from it."
OR
#2 --> "But AT&T spokesman Gordon Diamond said that AT&T has been instrumental in stopping the scam."
CLUE
"Later Hatcher was told that AT&T would take 35 percent off her bill, but she'd have to pay $8,000"
HMMMM.......
Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising ne'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.
We have a classic case of stupid users.
It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.
Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.
levine
It works because the ATT system is automated. Did you even read the article?
...about how much they love to "phreak", keep in mind that a good deal of us thought girls had "koodies" when the real phreaking was going on.
This ties in with our general hacker degradation. Phreaking is nearly gone, everything today is a DOS attack, a script kiddie, or a win32 virus, etc. Hell, I mutter "All your base..." in my compSci class and I am hard-pressed to find someone that can complete the phrase!
Sad, sad world...
...when I ordered a calling card from ATT. They embossed my PIN *ON THE CARD* along with the rest of the needed to change a call to my home phone number. Unbelievable.
Going from what I'm reading here it looks like they are using the default passwords that are shipped with systems. A quick search of Google will chuck up the default for loads of systems. So basically the administrators of the system aren't doing the job correctly or am I just misreading this?
Rus
Cheap UK and US VPS
Why can other systems (telemarketers, for example) tell that you've got an answering machine, but the phone company's can't?
And the article claims that they're happy with it that way:
I'll bet the people with the $12k bills wouldn't describe it as "extremely reliable"...
-Zipwow
I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
Here's the real question-should the people be forced to pay the bill because they were too dumb to not understand the words, "change your default password immediately." I say that we have already made things in life enough idiot-proof and AT&T has every right to ask them for thousands of dollars. Call it a "Stupid Bill".
--Chag
> "That AT&T would permit third-party phone charges
> based only on the authority of a recorded message
> is beyond belief," Sherry fumed. "Third-party
> billing should be allowed only when a real person
> answers the phone and is able to verify that they
> approve the charges."
How? By saying something? Talk about a frequently occurring Turing Test!!!
Jackass.
My advice to the consumers: don't pay the bill. Write a letter and have your lawyer, stating why you will not pay the bill. There is no legal reason why the victim should be obliged to pay. The biggest joke is AT&T offering a 30% "discount," when their gross margins are probably in excess of 90% for these collect calls.
Don't pay the bill. Call a lawyer, write your congressman, and tell AT&T you WILL NOT pay, and ignore the collection agency. They have no right to engage in a shakedown like this; AT&T is reaping huge profits from the scam victims. This scam costs AT&T almost no money, yet they are reaping giant rewards. Seems like AT&T is the one running the scam.
they can barely get users to change a default password, just think of how hard it would be explaining how to change a random one .....
I would think that something simple, like yahoo uses for account creation. Instead of "please say yes", it should be "please say XXXXX" where XXXX is randomly selected.
There is a solution however and I feel that the easiest would be for SBC to require users to change their passwords upon logging in for the first time. I know that voicemail systems which I have used have made that the very first step, before even allowing you to record your "I'm away" message.
Fix the problem and the rest will fall into place.
"Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
If AT&T is too stingy to use live humans for collect call acceptance, there should be some randomly chosen sort of challenge/response mechanism asked by the voice recognition system (eg, asking a simple question like "what day of the week is it?") or even "please repeat the word I say" (randomly chosen) to ensure that a simple pre-recorded static greeting can't work.
Sort of like the "Turing tests" that services like Yahoo and even Slashdot itself set up to foil automated registrations.
There's 10 types of people in this world, those who understand binary and those who don't.
Wow! You too, huh?
There was, and still is, great fun to be had with a 7/16" hex wrench.
I'm not old enough to have played with the Blue Boxes, but I sure got my kicks from Red Boxing calls all over the planet, and screwing with the COSMOS system.
The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulent charges from places like Saudi Arabia and the Philippines."
/. article... THAT'S WHAT DISCUSSION IS FOR. report the story, let us decide how to analyze it.
yet another example of some moron analyzing in a
wtf..
Hmmmmm ... Who's to say AT&T really WANTS to fix this problem.
;o)
Every time someone pulls this scam (not Phreak) AT&T makes money. In the two cases cited each one is worth about $8000 to AT&T.
Yes, some will fight the bill, and even win out against AT&T and SBC, but for every one who fights the charge hard enough to win, I'll bet that ten more just swallow and pay.
Uh, who knows, maybe SBC and AT&T are even making the calls, eh?
If this happened to me, I'd just tell the collection agency to take it to court. Then I'd explain what happened to a jury. Do you really think the average person would "buy" the argument from AT&T?
Also, they should be warned that they're sitting on a customer relations/marketing disaster. How many customers are they going to lose once everyone starts hearing about these antics? Just another example of monumental corporate stupidity.
IAAL
You think you took money out of Michael Jordan's wallet by doing that? Nope! More likely you took food out of the mouths of those poor sweatshop kids.
To atone and realign your karma, you must break into Kathie Lee Gifford's house when she's away and make some lengthy long distance calls.
then they'd be hard pressed to find out where to change the password. I haven't changed my xxx@attbi.com pw (which is "password"!), because I never found the place to do it - and I did look.
(Didn't care that much, since I didn't intend to use it - I have a mac.com account)
When you pay money for a service that is password protected, an average non-paranoid person will take it for granted. The fact is AT&T or whoever could have easily made it so you can't use the service until you change the password.. I mean, when I got my ATM card, I couldn't use it until *I* set a pin number and such for it.. Why can't the voicemail service people do the same thing? On the other hand.. If a thief picks my lock, I can't sue the lock company.. So I agree, at&t shouldn't be held fully accountable, but still..
The thing is, even if you do change your password this kind of exploit is still wide open. A dedicated phreak can set up a wardialer (a program that will call repeatedly if necessary and perform simple touch tone codes to a number) to try all possible combinations. Just have it play something like 00010020030040050060070080090110120130140150160170 18019021022023024025025026028....etc and all possible three or four digit numbers will be hit, thereby cracking the code. A lot of VMBs have it so you can only try one set then call back for another, but this is no problem. Just set the wardialer to try four, then call back and try the next four. Many VMBs have been seized through this method.
Did they make it clear it was a default that needed to be changed? Or did the users think it was like your ATM password, which is unchangeable?
From the article, it didn't seem like the users knew it was a default.
Isn't the price of forcing low security (in order to ease the espionage) higher when it exposes us to more frauds?
Is why anyone would ever bother to do this. I mean, one guy mentioned conference calls, but the calls should end up stored on the answering machine so you couldn't talk about anything identifying... It seems amazingly pointless to me.
I can't believe ATT really wants to soak these people for $8k or whatever. It's idiotic.
autopr0n is like, down and stuff.
Let me get this straight. Person A orders voice mail. Said person:
1. never changes his password
2. never changes his voice message
3. never =listens= to his voice message
4. never gets told by his family/friends that he has an odd message, probably because he...
5. never receives calls
May I ask why these people are ordering voice mail service in the first place?!
I agree, open relays are the fault of their owners. But this is not the same thing, this is a consumer product. You should not have to assume a $10,000 liability for operating a voicemail box!
This is new?? I remember this 10 YEARS ago! Jeeze, AT&T is stupid at best, but still???
:)
Just sue the bastards and put em out of business for 10 YEARS of fraud charges.
Instant solution to open up the last mile of the telephone system heh, heh...
geez, kids these days...
- colin
but I know a certain phone company that got significant profit from such freaks.
You can't judge a book by the way it wears its hair.
If you get Bell's voicemail, when you set it up, you are required to enter a new password. It won't let you proceed unless you enter a new password.
How hard would this be for AT&T et al. to set this up?
(seems like Wired actually got /.ed?)
We have had something like this happen at our company. The problem is not just the default password here...here is what happened (and yeah, this could be offtopic, but I found it interesting so maybe you will too)
Precursors to the condition:
1. We have multiple 800 numbers running into our phone bank.
2. Phones may be set up to forward phone calls to a remote number, including numbers overseas, if the user has the 4-digit password. (Yes, we actually have a need for that - we're UK-owned)
Here's what happened:
We had someone war-dialing our system to hack the passwords for users. (I am assuming they were using war-dialing since they hit extension 201 first, then 202, etc.) They were calling in on our 800 number, then brute-forcing the 4-digit password.
When the hacker got the password, he/she would set up the phone so that the phone automatically forwarded all incoming calls to somewhere overseas (Pakistan and Taiwan, to name a couple of places).
The hacker then called back and dialed the extension, which automatically forwarded the call to the pre-selected number.
The only solution our IS/IT department came up with was to start requiring everyone to use 8-digit passwords which must be approved for complexity by their department. The calls in to our 800 number didn't stop for a long time.
Denver Isuzu Suzuki
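The pattern in the post above (walking extensions 201, 202, ... in order, then forwarding a cracked mailbox overseas) and in the earlier wardialer post (a few guesses per call, then call back) shows up clearly in the voicemail system's event log once failures are counted per mailbox instead of per call. This is an added example, not part of the thread and not any vendor's code; the log format, event names, thresholds and phone numbers are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MAX_FAILS = 5   # assumed lockout threshold per mailbox, counted ACROSS calls
SWEEP_LEN = 3   # assumed: this many consecutive extensions probed = a sweep

# Constructed sample log (hypothetical format): the caller hangs up after
# three bad PINs, so a per-call limit is never reached.
SAMPLE_LOG = """\
02:14:01 call=c01 ext=201 event=PIN_FAIL
02:14:05 call=c01 ext=201 event=PIN_FAIL
02:14:09 call=c01 ext=201 event=PIN_FAIL
02:14:30 call=c02 ext=201 event=PIN_FAIL
02:14:34 call=c02 ext=201 event=PIN_FAIL
02:14:38 call=c02 ext=201 event=PIN_FAIL
02:15:02 call=c03 ext=201 event=PIN_OK
02:15:20 call=c03 ext=201 event=FWD_SET dest=0119255501000
02:16:01 call=c04 ext=202 event=PIN_FAIL
02:16:05 call=c04 ext=202 event=PIN_FAIL
02:16:09 call=c04 ext=202 event=PIN_FAIL
02:16:30 call=c05 ext=202 event=PIN_FAIL
02:16:34 call=c05 ext=202 event=PIN_FAIL
02:17:01 call=c06 ext=203 event=PIN_FAIL
02:17:05 call=c06 ext=203 event=PIN_FAIL
02:17:09 call=c06 ext=203 event=PIN_FAIL
09:01:10 call=c07 ext=315 event=PIN_FAIL
09:01:15 call=c07 ext=315 event=PIN_OK
09:01:40 call=c07 ext=315 event=FWD_SET dest=3035550100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) call=(?P<call>\S+) ext=(?P<ext>\d+) "
    r"event=(?P<event>\w+)(?: dest=(?P<dest>\S+))?$"
)

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def is_international(dest):
    """NANP view: 011 prefix, or +<country code> other than +1."""
    return dest.startswith("011") or (
        dest.startswith("+") and not dest.startswith("+1"))

def consecutive_runs(exts, min_len):
    """Return runs of numerically consecutive extensions of at least min_len."""
    runs, run = [], []
    for e in sorted(exts):
        if run and e == run[-1] + 1:
            run.append(e)
        else:
            if len(run) >= min_len:
                runs.append(run)
            run = [e]
    if len(run) >= min_len:
        runs.append(run)
    return runs

def analyze(log, max_fails=MAX_FAILS, sweep_len=SWEEP_LEN):
    total = defaultdict(int)     # failures per mailbox, kept across calls
    per_call = defaultdict(int)  # failures per (call, mailbox), for contrast
    guessed = set()              # mailboxes opened after >= max_fails misses
    alerts = []
    for ev in parse(log):
        ext = int(ev["ext"])
        if ev["event"] == "PIN_FAIL":
            total[ext] += 1
            per_call[(ev["call"], ext)] += 1
        elif ev["event"] == "PIN_OK":
            if total[ext] >= max_fails:
                guessed.add(ext)  # a lockout would have refused this login
            else:
                total[ext] = 0    # ordinary typo followed by success
        elif ev["event"] == "FWD_SET":
            if ext in guessed and is_international(ev["dest"] or ""):
                alerts.append((ext, ev["dest"]))
    return {
        "max_fails_in_one_call": max(per_call.values(), default=0),
        "would_lock": sorted(e for e, n in total.items() if n >= max_fails),
        "sweeps": consecutive_runs(
            [e for e, n in total.items() if n > 0], sweep_len),
        "forward_alerts": alerts,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, no single call ever exceeds three failures, which is why a limit enforced per call does nothing against a caller who simply redials; the cumulative counter is what catches extensions 201 and 202.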
my company's voice mail server used to get hacked all the time. we have over 20,000 mail boxes so toll fraud is something that we just had to deal with. A simple fix for our problem.. turn off the ability to dial out of the voice mail server, and voilà, problem solved. :)
The rest of the world doesn't have time to play 'secure the box' against even simple attacks. Yes the users are at a percentage of fault, but it's very small and their only out of pocket should only be the time in calling their provider to dispute and eliminate the bill. A lot of us around here are used to learning things the hard way, (there was a time when you could boot a machine without a cooling fan you know).
To the savvy default password is the same as no password. But for the rest of the world there is a big difference when you assume how secure something is.
You can use a radioshack scanner and plug it into a computer running pd with a DTMF decoder patch and get anyone's voicemail password who has a cordless phone. For some cordless phones, you can even use an old TV set that goes up to channel 83!
You can also get long distance calling cards this way too, I'm paranoid and I now dial these on the cord phone, then pick up the cordless. Are users responsible for using encrypted phones?
AT&T is clearly at fault for accepting the charges. That is the part of the system that is the weak link, not the voicemail passwords. Someone could have hung an answering machine on their phone line. It's a ridiculous hole.
As for SBC, Their system asks you for your password BEFORE your mailbox number, and if it's right for the phone you're using, it doesn't ask for the mailbox. So, if you have the same password as the person whose phone you're using, you hear THEIR messages, and there is no way to listen to your own! It's rare, but it happens. Telcos are lame.
=Rich
BTW, pd is the greatest, coolest, amazingest piece of linux software there is and hardly anyone seems to use it. You can make a DTMF decoder in no time, or generate any tones you need, and so much more! See the examples.....
Saddam:hallo
Woman:hello who is this?
Saddam:Saddam Hussein
Woman:Howd ye get numba?
Saddam:Georgie Bush's Voicemail tee hee
Dialtone..............
As a company, just leave one of your box's passwords unchanged and perform the described exploit with the message and USE THE EXPLOIT yourself! 30% savings from AT&T!
Simply saying "Yes, yes I'll accept" is way, way not legally binding in the first place. There has got to be some kind of legislation that places liability on the consumer in this case, or no one would ever have any reason to ever pay a bill for a collect call.
Until someone explains the contractual obligation involved, we're just talking crap.
There are no trails. There are no trees out here.
Just today I forgot my online banking password. All I had to do was call the bank give them my ss#, date of birth, and mother's maiden name and bingo, they gave me a new password. This is information that plenty of ex-wives/girlfriends would have access to, not to mention the person from the bank I just told.
A couple of years ago someone apparently printed out checks from a laser printer with my name on them. Any jack-ass with a decent laser printer can make checks and a fake id.
Also today my wife's purse was stolen. I was helping her call credit card companies to cancel her cards. But the credit card companies wouldn't let me cancel them because I obviously wasn't my wife even though I had the answers to all their lame "security" questions.
The whole entire system is fucked up and easily beaten.
is using a blind security system WITH no sort of verification. That is stupid insecure and borderline criminal. As for not changing your SBC password, well DUH, sorry I have NO SYMPATHY for anyone who would use an issued password.
errr....umm...*whooosh* *whoosh* Is this thing on ?
What kind of moron would leave their temporary password at its default setting? What kind of moron would blame the company that's being exploited for making it easy for customers to set up their voicemail? What kind of moron would expect a company to hold their customers to fraudulent charges caused by some wannabe hacker fucking around with some poor sap's voicemail?
I'm leasing a car. I don't have time to play 'lock the door'. It got stolen. Damn car dealer!
and we always used to say "We're not their parents" and sustain the charges. But yeah, it IS possible to force the user to make up their own password the first time they use it. Doesn't make it any less difficult to guess most passwords though.
What's annoying in these situations is the user's automatic assumption that somebody else owes THEM something. People act like they have a fundamental right to be lazy and/or stupid and it's someone else's fault when things go wrong.
O~ Him that studies revenge keeps his own wounds green. -- Francis Bacon
Here's a good story, a friend of owned a cellphone with AT&T m-life service. She had it for only 3 months and she found these incoming call charges on her statement. She could believe that she got charged for calls that she did not receive while her phone was on. I mean AT&T is very evil when it comes to billing. She was very upset about the whole ordeal. After further investigation it seems that telemarketers actually target cellphone users on the m-life service. This creates the problem that AT&T can't handle or won't stop this type of victim hunting. Anyways the point of the story is this "Don't Trust a phone company unless you did research on it"
All phreakers should get put to death. Stealing telephone service is a crime. Anyone who says different is probably a terrorist. Notify your local FBI branch immediately. And don't even THINK about freaking to make that call.
I never call back numbers that I don't recognize. If it's important, they'll call me again.
Yawn.
- IP
Well, here's the thing- in this case, it's a consumer *service,* not a physical product. My mother just got sold on the "Works Package" whilst ordering DSL. Presumably, some cluebies could even be paying the fees without being aware they *have* voicemail on their line- SBC sends you a setup packet, but you're expected to purchase your own voicemail light, which now comes built in on some (mostly SBC-branded) handsets.
In other words, this is directly comparable to an ISP setting all ftp passwords to "username/username" by default; plenty of users are wholly unaware they *have* ftp accounts, and it pushes the problem domain into the 'helpless consumer' sphere, rather than the 'business should've hired a security consultant' one.
Of course, it does give you the option of choosing a different password on first use, but I bet that, at present, it's not checking the origin of 'first use' calls- allowing these guys to 'snipe' recently activated accounts.
There's also a UI issue here; the "login"/outgoing message procedure for multiple mailboxes is poorly documented*- which means that even techies like myself have been slack in enabling multiple boxes for other family members. When you're sharing a mailbox- especially with clueless types- you tend to restrict the password to something everyone can remember... which, if you're a lazy slacker, is the default, since they've already got it written down.
There's also a basic UI issue that forces people to pick weak passwords- what would be one keystroke on an answering machine becomes four with voicemail, and that'd be with speed dial for the voicemail number, and a one-digit password. (Yes, it actually makes you press two digits to check your messages, and there's no option to make it default to shutting up and playing them back after login, even for someone well-versed in the system.)
*Okay, maybe I didn't RTFM closely enough, but nothing tells you what tones to tell people to press if you use a 'custom' outgoing message. Apparently it's just the number of the mailbox.
I've seen this kind of scam done to the main Spanish phone company, Telefonica. This case was even more embarrassing, since the voice mail systems used were owned by the phone company itself. This meant that by the end of the month, nobody reviewed a monthly/bimonthly bill, so finding one single voice mailbox was enough to call for months! I suppose that Telefonica's fraud protection system has improved since then. If not, at least this explains their outrageous long distance rates!
Who the hell spends ungodly amounts on lineman's sets from catalogs, I think the cheapest "test set" in the telephony section of MCM was like $150, it's much easier and cheaper to either steal a real one, or make your own damn beige box with a cheap fone and some gator clips.
"Sic Semper Tyrannosaurus Rex."
there is legislation about this, it is called contract law. there exists an agreement between you and your telco to provide service for a fee and you agree to pay charges that you accept. since your voicemail is not you you did not agree to accept the service, since you did not agree to the service you are not responsible for the charges. end of story. let them take you to court. the password doesn't matter, you could put your password on the wall of the subway and att doesn't have a claim. one place where the password *MIGHT* matter is if the password was essential to agreeing to the service. (ie. a webpage or such) but in the case of collect calls your person is what matters. it doesn't matter if the person really sounds like you.
Better link here
One of the paragraphs from the article:
Okay, aside from "say this random word" (which so far is the best idea for how to stop this), exactly how does this person expect an automated system to tell the difference between a real person and an automated system? The audio quality of someone's voice transferred over phone lines is such that I doubt it'd be easy to tell the difference between a voice transferred once and a voice transferred twice (once to the recording, once back).
The trouble with the random word method is that the words would have to be sufficiently different, perhaps containing different numbers of syllables, so that no two words would sound alike. Of course, even with words with different numbers of syllables, one syllable can sound like two with certain accents' pronunciation of diphthongs. Even "toast" can sound like "flower", if you butcher it enough. And I'd be willing to bet that most of the voice recognition, at least for the level that phone companies currently require, is based on vowel sounds rather than consonants. I expect vowels are easier to process.
AT&T screwed up with deploying voice recognition for this purpose (and presumably continuing to charge operator assist rates); that's their problem. I hope the lawyers are going to have a field day with them.
People in the U.S. should call their state's PUC (Public Utilities Commission) if they have a problem like this with their phone company. The PUC is responsible for regulating telephone service, and from what I've heard, the phone company will become very interested in fixing your problem when they find out the PUC is involved.
I have recently seen a good example of such bogus security with scary implications. I use a phone system to schedule work. Once you call in all you need is a six digit code to schedule people for work, remove people from scheduled work, etc. A person who guesses a code could cause a lot of trouble, maybe even getting someone else fired. I myself have run across a code or two just by accident. This is a very expensive system, presumably designed by competent professionals. Yet they make such a fundamental mistake. Again, the vendor loses no money as a result of amateur security, and as long as all vendors have such a low level of security, there is no incentive to improve.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
As long as there's a donkey dick on the telephone pole to cut into with a buttset, phreaking will not be dead.
http://www.consumer.att.com/contact/
===
I just read the Wired article about AT&T's charging customers for a voicemail exploit which allowed overseas "hackers" to make fraudulent collect calls.
http://www.wired.com/news/infostructure/0,1377,58517,00.html
I am appalled that AT&T would try to charge the customers for a mistake that is clearly AT&T's. It is AT&T's fault that the automated system accepted a long distance collect call without proper "real" authorization. AT&T was tricked into accepting a fraudulent call, not the customer. The customer did not choose to be involved in this automated system designed by AT&T. Therefore it is AT&T's fault and it must not charge the customer! Expect a lot more comments on this subject if AT&T doesn't get a conscience soon.
===
[news for me, stuff that doesn't matter]
I see a hell of a lot of posts to the effect "they kept the default password, they deserve the charges."
That's just stupid and shortsighted.
People balance security against realistic perceived risk. Realistic worst case risk for failing to reset my voice mail password: someone else hears my voice mail messages, deletes them without my ever hearing them, then records something embarrassing or damaging for my outgoing message. Bad, but perhaps I'm willing to live with that risk.
Getting hit with a $12,000 bill (or a $8,000 bill after AT&T generously reduces it) is completely unreasonable. Prior to reading this article, I didn't realize that this was a potential attack at all. I would have assumed that no company was stupid enough to let an answering machine accept charges on a phone call! You can't assess risks on attacks you aren't aware of. It's simply not possible to protect against all attacks (is your computer TEMPEST secure? Do you shred any documents you throw out with your social security number on them?). People need to balance risks against the cost to defend against them. Some people apparently decided against changing their password. They misjudged the risks because they were unaware that AT&T was doing something insanely stupid that could cost them a lot of money.
Also remember that in many cases people are actively encouraged by their employers or service providers to not change the default passwords. I've specifically been told that in a number of cases. Depending on the reasonable risk level, I sometimes change the password anyway. (I distinctly remember an ISP I was dealing with being shocked that I would want to change the factory standard password on the ISDN modem they sold us. If I changed it, how could they debug it remotely?)
Search 2010 Gen Con events
I'm leasing a car. I don't have time to play 'lock the door'. It got stolen. Damn car dealer!
That is a stupid analogy.
I rented a car just last week. The guy at the counter didn't say to me, "This car comes with a lock, but it doesn't really lock the car, so make sure you replace the lock right away with a better one." When a rental car is locked, it's locked. It isn't my responsibility to replace the lock. The lock that the car comes with might not be as good as a lock I can replace it with, but failing to replace the lock is not tantamount to leaving the car unlocked. That would be unacceptable. Is a default password that isn't easily guessed too much to ask?
Geeks hear the phrase "default password" and they instantly want to unload on the user regardless of the situation. I can understand an Oracle DBA catching hell for relying on the "scott/tiger" password default. But this amount of responsibility is too much bullshit to unload on the general public. I must have somewhere between ten and twenty passwords to keep track of. Phone companies, ISPs, utilities, banks, web sites, and a whole host of other businesses are always offering products and services that I am not even interested in. A lot of them sign you up automatically. As the economy tanks, the number of gimmicks increases. Companies merge, combine their databases with information about you, alter their privacy policies, and enroll you in stupid programs you don't even know you're in. How the hell should I know if I have a default password set on some stupid account somewhere that I don't even know about? I probably do! Why is it MY responsibility to make sure that no corporate idiots leave my digital ass flapping in the wind?
Besides, we're talking about a password to protect an answering machine. Big deal! If somebody changes my message, I'll just change it back. Only my mother leaves me messages, and if they really want to listen to her, so what? A lot of people wouldn't even bother changing their password on something like this.
In this particular case, it's clear that the Corporate Idiots are at AT&T, and it's hard to blame the hapless fools at SBC for pointing this out. What if I want to have a legitimate answering machine message where I go "Yes... yes... yes... yes I'll accept the charges... yes..."? Now I'm responsible for leaving a message that won't fool AT&T's cheap-ass billing system? (A system whose entire purpose, BTW, was to eliminate human operators with their irritating pay, and benefits, and common sense! This stuff would never have happened twenty years ago, before AT&T decided they didn't want to pay the costs of handling their collect calls with the level of intelligence required to pass a Turing Test.) At no point have I ever consented to collect charges from AT&T. I'm answering questions that haven't been asked of me yet. What could they possibly be thinking? That I have a daughter who ran away from home, and I'm hoping she'll leave a message if she tries to call me collect while I'm gone? Are they on acid?
If you don't consent to charges, you are responsible for 0% of them. Apparently AT&T thinks it means you get 35% off.
Red boxing is still alive and well in Missouri, Kansas, Illinois, and Wisconsin. I'm sure it still works in other states too, but those are the only ones I have been to recently. Remote beige boxing has become more popular over the years as cordless phones get cheaper. I've seen them around for under $10. All of the old tricks are still around in some form.
Back in the day, I used to pull off the following scam (DISCLAIMER: I was young and foolish then. I'm a good, law-abiding citizen now):
:) It would be unfortunate if I got busted for crimes I committed a long time ago, and wouldn't consider doing now.
COCOTs (Customer Owned Coin Operated Telephones, i.e. payphones not owned by the local phone company) were programmed to recognize certain long distance codes (like 1010220 and all the other ones you see dumb commercials for). This was required by law. Unfortunately (for the COCOT owner) these payphones were infrequently maintained. It used to be that all long distance access codes were 5 digits. At the time, the FCC had just added 7 digit access codes. Many COCOTs were not programmed to understand the new 7 digit codes. So if you simply dialed 10108 (pause) 05, the payphone would interpret this as entering the 10108 LD access code, then 0 (for an operator, which is free). It would dutifully dial 1010805, which got a long distance line, thinking you were talking to an operator. You could then merrily dial any long distance number you wanted, and talk for free.
I'm also reminded of my first Blue Box, a Radio Shack autodialer modified with a switch and a replacement crystal (stuck to the side with a huge wad of epoxy). Then they started selling these digital voice recorders, which could replay a tone with perfect (enough) fidelity forever.
The thing about these illegal exploits was that I didn't *need* to steal long distance service. It was more about fun and interesting technical exploits than stealing. This isn't an excuse, just an explanation. It wouldn't have been as much fun if this "youthful indiscretion" didn't increase my knowledge of a rather amazing system. For this, I thank the telephone companies. I think I share this viewpoint with a lot of people accused of "just being thieves". True, it is stealing, but at least the motives were more interesting and noble than "just stealing".
And it wasn't all just for personal gain... I remember working with a friend (he did most of the work) to redirect a Spanish-speaking 1-800 porn chat line to a notorious spammer at the time... let's see... "Eunuchs Incorporated" IIRC. End result: The spammer's phone was inundated with hot and horny Mexican men. That exercised the social engineering aspect of things. We called the 800# provider and convinced them that we were the owners of the 800#. Just had them redirect the line to a different number. Incidentally, this only works with a certain type of 800#s (the ones that are redirected to standard phone lines).
Anyway, I really hope that 1) the statute of limitations has run out on my crimes and 2) My posting as AC will dissuade investigation.
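The access-code gap described in the COCOT comment above, from the payphone owner's side, as an added example that is not part of the original thread: a rating step that only knows 5-digit codes next to one that tries the 7-digit form first and refuses anything it cannot fully parse. The function names, rating labels and the simplified dial plan are assumptions made for illustration, not real payphone firmware.

```python
import re

# Constructed model of a payphone's call-rating step (assumption, not real firmware).
OLD_CAC = re.compile(r"10\d{3}")     # 5-digit carrier access code (10XXX)
NEW_CAC = re.compile(r"101\d{4}")    # 7-digit carrier access code (101XXXX)

def rate_legacy(dialed: str) -> str:
    """Firmware that only knows 5-digit codes and rates on the first match."""
    m = OLD_CAC.match(dialed)
    if m:
        rest = dialed[m.end():]
        if rest.startswith("0"):
            return "free:operator"   # digits after the 0 are never examined
        return "paid:long-distance"
    return "paid:local"

def rate_fixed(dialed: str) -> str:
    """Tries the longer code first and requires the whole string to parse."""
    for cac in (NEW_CAC, OLD_CAC):
        m = cac.match(dialed)
        if not m:
            continue
        rest = dialed[m.end():]
        if rest in ("0", "00"):
            return "free:operator"
        if re.fullmatch(r"[01]?\d{10}", rest):
            return "paid:long-distance"
        return "blocked:unparsed"    # bare access code or leftover digits
    return "paid:local"

if __name__ == "__main__":
    # The digit string from the comment above, then two ordinary calls.
    for digits in ("1010805", "10108050", "101080512125550100"):
        print(digits, rate_legacy(digits), rate_fixed(digits))
```

The mismatch to look for is a call rated free whose outpulsed digits are a complete 7-digit access code with nothing after it; the fixed version blocks that case instead of handing over the line.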
Personally I don't worry about nostalgia today but I laugh at what is considered useful knowledge. We could manually set up BBS systems including all the hardware, networking, etc. back then. Today we have people who wrote a couple of Perl scripts to show thumbnails of enumerated porn pics on websites and they consider themselves a computer scientist or engineer.
People DO behave like they are entitled but yet you cannot blame them for something outside their control. If they call up bitching about their voicemail box being "hacked" and vulgarity replacing their sugary sweet greeting then feel free to tell them that is their own fault. This is something a bit more and a bit outside of expectations of users.