
DecayWTF
@DecayWTF

So what is phone phreaking?

"Phone phreaking" is the lost art/science/pursuit/criminal enterprise/etc of hacking the phone system. This is not talking about using computers in any kind of way (or at least they aren't required) but of using the phone system's own features and mechanisms against it. To explain how this all worked, we need to talk about a little history.


The earliest phone systems - we're talking the late 19th century - were really, really simple. You basically had a pair of wires, one end connected to a phone at the customer's location, the other one connected to a manual switchboard at the telephone exchange (there was an era before exchanges but that was basically just point to point and wasn't a "telephone system" in any meaningful way). To make a call, you picked up the phone, rang the operator and asked to be patched over to whoever you were trying to call. The operator then rang the person you were calling (or another operator if the person you were calling wasn't physically connected to the same exchange) then physically patched your phone to theirs with a patch cable jumping the two connectors on the exchange's switchboard.

The limitations of this are obvious: You can only patch as many phone calls as you have operators at a time, switching is slow because it's all manual, long distance calls required complicated operator relays, and so on.

The electromechanical automatic exchange was invented in 1888, but didn't see immediate uptake. The idea of the electromechanical exchange was that electrical signalling could be used either between a phone and an automatic switchboard, or between two switchboards, to route calls automatically. The signals were electrical signals transmitted over the phone wire; the earliest mechanism for this was called pulse dialing, where the phone's dial transmitted a series of electrical pulses indicating which number was being dialed, and these electrical pulses actuated relays in the switching equipment, which cross-connected the lines appropriately. Later (much later), tone dialing was implemented, which used special tones sent by buttons on the phone to do basically the same thing. Different signals were used between exchanges, over the trunk lines, but the same basic principle applied: Electrical signals triggered behaviors in the exchange to do things like connect calls, control billing, transmit anything from caller ID to call waiting signals, and so on.

The key thing to understand is that this mechanism of doing all the signalling on the actual phone line, over the same electrical carrier as the calls themselves, called in-band signalling, was the standard for most of a century. The first out-of-band signalling systems were developed in the 1970s, and had not replaced in-band signalling in the entire world until the 1990s.

One problem with in-band signalling is what is called "falsing", where the system incorrectly interprets some sound or electrical condition on the line as signalling. For more primitive signalling mechanisms, this is a pretty easy condition to create. If you've ever had an IVR system misinterpret background noise as a button press and send you to a random menu item or disconnect you, you've been a victim of falsing (specifically a form called "talk-off").

Now, prior to the 50s, this wasn't a huge deal; you could in theory generate dial pulses from an external piece of hardware or something, but there wasn't much you could do with this and knowledge of how these systems worked was basically non-existent outside the telcos and their engineering departments. More than that, for the extremely important purpose of routing long-distance calls - the ones you had to pay for - you often still had to go through a human operator who would connect you through the long distance trunks. In the early 50s, however, came phone systems equipped for "direct distance dialing". These were very simple systems that used more or less traditional automatic switching attached to some extra hardware to collect toll data, but used special frequencies to connect trunks. Some people - famous names include Joe Joybubbles, Bill Acker, Cap'n Crunch and Glitch - independently discovered ways of generating the signalling tones, especially the 2600Hz signal that connected long distance trunks and allowed free long distance calls to be made between DDD area codes. These were the first phreakers, and they were very much underground.

Then in the early 70s, two things happened: International direct distance dialing, and the blue box.

Bell developed what was called Signalling System 5. This was an in-band signalling mechanism designed to solve the problem of allowing arbitrary exchanges to call each other, and especially to allow automatic routing of calls over intercontinental trunks, which were heavily restricted in the number of calls they could carry, had a battery of special filters and echo suppressors set up to allow such calls to... well, work, and required a lot more signalling intelligence to correctly route and bill calls between radically different phone networks.[1]

Suddenly, the in-band signals that couldn't do a whole lot had to be able to do everything. With the right signals, you could manipulate the operation of an entire exchange or set of exchanges, or even take over and route over a trunk line.

You can probably guess where this is going.

Around the same time, an article titled Secrets of the Little Blue Box was published in Esquire magazine. This was a very Esquire article, glamorizing the underground world of phreakers and centering on the blue box, an electronic device allowing the long distance signalling tones, starting with the master 2600Hz tone, to be generated from a little control panel instead of being whistled or otherwise manually generated. Phreaking went from underground to very visible and about as mainstream as hacking in any form ever got.

A lot of 70s computer hackers were also phreakers. Famously, Steve Wozniak dabbled in phreaking. The phreakers used all sorts of techniques to explore and take over the phone system, and built a raft of devices with which to do it.

So what could phreakers do?

  • Make long-distance calls for free, using a blue box, as described above
  • Make free calls from payphones and manipulate the billing and coin returns, using a red or green box, which generated the various signalling tones for coin operations.
  • Spoof caller ID by generating CID signalling tones with an orange box.
  • Create closed loop private conference lines using blue box signalling in other ways.
  • And just about anything else you could think to trick the telephone system into doing!

There's a lot of "get free stuff" in there, which was, obviously, illegal, and a lot of phreakers who were careless or given to running their mouths ended up arrested for fraud. But a lot didn't!

The decline of phreaking came with the decline of in-band signalling. The phone companies in the wealthier parts of the West, especially the US, Canada and Western Europe, bit the bullet starting in the late 80s to upgrade these old systems to ones that could transmit signaling information either in a different data circuit (in digital T- and E- carrier systems), multiplexed onto the phone signal in frequency bands filtered out from the end user, or through other methods like side-channel circuits. Phreaking was a big impetus to do these upgrades, but not the only one, as this also supported moving to pure digital systems. By the mid/late 90s, pretty much everywhere in the world had fully eliminated in-band signalling for phones.

The legacy of phreaking is pretty interesting, having left its own mark on computer hacker culture. 2600 Magazine is named after the all-important long distance trunk signalling tone, and a lot of old phreaker lore was still being passed around with other tales of the Heroic Age of hacking even into the 2000s.


Some of the comments were asking about some of the personalities involved, so I'll give a little background there too.

Joybubbles (also known as Whistler, born Joe Engressia) was one of the earliest phreakers. He was born blind and had absolute pitch, and discovered the techniques of switch-hooking (using the handset hook to simulate dial pulses, which among other things allowed dialing on locked-out handsets) at age four, and whistling the 2600Hz signalling tone as a seven-year-old. He was arrested for phreaking shortly before the Esquire article came out, which launched him to a certain amount of national prominence. His story is rather sad; he was a victim of CSA and spent much of his adult life working on various projects to support abused and terminally ill children, and running a non-profit helping adults rediscover their childhood. He died in 2007, at age 58.

Cap'n Crunch (John Draper) was a phreaker who famously named himself after a toy bo'sun whistle that was a prize in boxes of Cap'n Crunch cereal in the mid-60s. Phreakers discovered that the whistles produced the all-important 2600Hz switching tone. Draper himself didn't discover this; prior to his career as a phreaker, he was in the Navy and during his time in the Navy he learned some telephony basics and, more importantly, how to operate pirate radio. After leaving the Navy, he became a DJ and an engineering technician. It was another pirate radio operator, Denny Teresi (who became moderately famous radio DJ Danny Terry later on) who brought Draper into phreaking and he (and other phreakers) showed Draper the whistle and some of the ins and outs of phreaking while getting him to use his engineering and electronics knowledge to build some of the earliest blue boxes.

Draper became the primary focus of the Esquire article and ended up arrested over it. He was sentenced to five years' probation but also became nationally famous and was instrumental in getting Steve Jobs and Steve Wozniak set up for their side business of building and selling blue boxes in the late 70s. After this, Draper moved on to computer programming, with a number of companies including Autodesk but mainly in unsuccessful startups either endorsed or underwritten by Woz.

He also stayed somewhat current over the decades in hacker circles. In 2017, Defcon and several other hacker conferences banned Draper over really, really extensive allegations of sexual assault and misconduct. He, unsurprisingly, still has his fans and followers.

Bill from New York (Bill Acker) was one of the few phone phreaks whose involvement led to gainful employment as a telco engineer. He was born blind, like Joybubbles, in 1953, one year before Joybubbles learned how to whistle the 2600Hz tone. As a teenager, he learned about phreaking and especially about Joybubbles, and discovered that he could play the 2600Hz switching tone and some other control frequencies on his recorder. He became well-known to the phone company folks who had a generally warmer opinion of him than a lot of other phreakers; at the NYTel CO they had a note reading, "If you have questions, call Bill Acker" with his phone number. Later, he and his girlfriend hitchhiked from New York to California where they married and he became a 28-year career engineer with Mountain Bell (now Qwest). He was also a computer hacker later on and was heavily involved in open source and especially in accessibility, and was maintainer for many years of the Speakup Modified Red Hat distribution, a... modified Red Hat distribution which included the kernel patches and userland components from speakup, which allowed support of speech synthesizers and other blind/visually-impaired accessibility hardware for Linux at every level of the system, starting from the console. He died in 2015; his eulogy on the History of Phone Phreaking blog is still up and is where a lot of this comes from, since unlike Draper or Joybubbles he never became a hugely public figure so there's relatively little information out there.

Steve Wozniak - You know who this is.

Steve Jobs - Minor figure in the phreaking community, had a short-lived business in the late 70s selling blue boxes designed by Woz and Cap'n Crunch. Moved to computers afterward. Died of ligma in 2011.


  [1] As you probably expect, this is kind of an oversimplification. A lot of the mechanisms I'm lumping together as SS5 had been deployed in piecemeal fashion over the course of a few years. It wasn't until SS5 that these were all standardized and deployed together and phreaking really took off, but if you want more detailed timelines, they're around.
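The post's point about in-band signalling is that a receiver listening for a single control tone on the same channel as the audio can be "falsed" by ordinary sound (the "talk-off" case). The following is an added example, not code from the original post or from any telco equipment: a small Python model of a 2600 Hz tone receiver in two versions. The naive version triggers on bin energy alone; the hardened version additionally requires the tone to dominate the frame's energy and to persist for a minimum time, which is the usual defence against talk-off. The 8 kHz sample rate, 20 ms frame size, purity ratio and dwell time are assumed parameters chosen for illustration, and all three input signals are constructed synthetically.

```python
"""Talk-off / falsing demo for an in-band single-frequency tone detector.

Added example, not code from the original post. It assumes 8 kHz telephony
audio and treats 2600 Hz simply as "the supervision tone a receiver listens
for". All signals below are constructed synthetically.
"""
import math

SAMPLE_RATE = 8000        # assumed classic telephony sampling rate
TONE_HZ = 2600.0          # the trunk-supervision tone named in the post
FRAME = 160               # 20 ms frames at 8 kHz -> 50 Hz bins; 2600 Hz is bin 52 exactly
ABS_THRESHOLD = (0.2 * FRAME / 2) ** 2   # bin power of a 0.2-amplitude sine (naive trigger)
PURITY = 0.8              # hardened: tone must carry >= 80 % of the frame's energy
MIN_FRAMES = 5            # hardened: tone must persist for >= 5 frames (100 ms)


def goertzel_power(frame, target_hz=TONE_HZ, sample_rate=SAMPLE_RATE):
    """|X[k]|^2 for the DFT bin nearest target_hz, via the Goertzel recurrence."""
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_fraction(frame):
    """Share of the frame's energy sitting in the tone bin, 0..1 (Parseval-normalised)."""
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    return 2.0 * goertzel_power(frame) / (len(frame) * total)


def frames(samples):
    """Split a sample list into consecutive non-overlapping FRAME-sized frames."""
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        yield samples[i:i + FRAME]


def detect_naive(samples):
    """Fires on the first frame whose 2600 Hz bin power clears a fixed threshold."""
    return any(goertzel_power(f) > ABS_THRESHOLD for f in frames(samples))


def detect_hardened(samples):
    """Requires the tone bin to dominate the frame AND to persist MIN_FRAMES in a row."""
    run = 0
    for f in frames(samples):
        present = goertzel_power(f) > ABS_THRESHOLD and tone_fraction(f) >= PURITY
        run = run + 1 if present else 0
        if run >= MIN_FRAMES:
            return True
    return False


def synth(ms, components):
    """ms of audio as a sum of (frequency_hz, amplitude) sines; constructed test input."""
    n = int(SAMPLE_RATE * ms / 1000)
    return [sum(a * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f, a in components)
            for i in range(n)]


def build_cases():
    """Three constructed signals: a held supervision tone, a talk-off, and a transient."""
    return {
        # 200 ms of clean tone: the condition the receiver is meant to act on
        "supervision_tone": synth(200, [(TONE_HZ, 0.5)]),
        # a voice-like harmonic stack with a strong 2600 Hz partial among others (talk-off)
        "harmonic_rich_voice": synth(200, [(650.0, 0.4), (1300.0, 0.4), (TONE_HZ, 0.4)]),
        # 40 ms blip of tone followed by silence: a click, not a held supervision signal
        "short_transient": synth(40, [(TONE_HZ, 0.5)]) + synth(160, []),
    }


def run_demo():
    """Returns {case_name: (naive_fired, hardened_fired)} for the constructed cases."""
    return {name: (detect_naive(sig), detect_hardened(sig))
            for name, sig in build_cases().items()}


if __name__ == "__main__":
    for name, (naive, hard) in run_demo().items():
        print(f"{name:22s} naive={naive!s:5s} hardened={hard}")
```

Run as a script, the naive receiver fires on all three signals, while the hardened one fires only on the held, clean tone. The purity check is what rejects the harmonic-rich "voice" (the 2600 Hz partial is loud but carries only a third of the energy), and the dwell check is what rejects the 40 ms transient; both are cheap per-frame conditions of the kind a receiver can apply without any out-of-band channel, which is why they were the practical stopgap while in-band signalling was still in service.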



in reply to @DecayWTF's post:

one thing that was fun was that there was still a US exchange you could blue box back as late as the 00s (possibly later, I can only say from experience) up in Alaska

That's almost true. John Draper took on the moniker Cap'n Crunch from the whistles but he didn't discover them; he was actually a pirate radio guy that got into phreaking and helped design and build some of the earliest blue boxes. Phreakers already used the whistles.

Which sort of buries the lede that, yes, the toy whistles out of the cereal box generated pure 2600Hz tones that could cause the long distance trunks to switch.

This rules, thanks for getting this all written out

Also shoutout to Pirates of Silicon Valley teaching me about Woz and his blue box way back in the day (and the captain crunch whistle!)

See, if I had written this post, there's no way I would have left out that pulse dialing was what rotary phones were designed to do, firing off pulses as the wheel spun back to zero, and therefore that tone dialing aligned with touch tone phones. Or the reason why Cap'n Crunch got his name, because that's both hilarious and really drove home that this didn't start out as hacking like we're familiar with. Hitting random keys on a keyboard while green text flies up a black screen is about as far as possible from playing a kid's cereal toy into a phone.

That said I accept that likely would have made my version worse lol, you definitely have more focus than I do, and got the point across. Good post. :)

I mean there is an infinite amount of additional information I could have included but it turns out writing longposts on a phone is absolute fucking torture so I ended up keeping it short lol. A mistake I will not repeat, I just need to... not leave my laptop in our production AV gear.

wow, this is a really good summary!

in fact, I think I might show this to people when I need something between "here's the one-minute summary" and "go read Exploding the Phone"