2                                               The Boxing Book
_______________________________________________________________________
                            Chapter 2

                            Tutorials
                            ---------

ELECTRONIC TOLL FRAUD DEVICES by LEX LUTHOR
-----------------------------

     This file is designed to identify various kinds of ETF 
(Electronic Toll Fraud) devices and to describe their operation, 
according to a booklet put out by Bell entitled: THE INVESTIGA-
TION AND PROSECUTION OF ELECTRONIC TOLL FRAUD DEVICES. (For 
official use only).

     There are several different types of electronic equipment 
which may be generally classified as ETF devices. The most sig-
nificant is the 'blue box'. The characteristics of each type of 
device are discussed below.

     * Cheese Box *
     --------------

     Its design may be crude or very sophisticated. Its size 
varies; one was found the size of a half-dollar.

     A Cheese Box is used most often by bookmakers or betters to 
place wagers without detection from a remote location. The device 
inter-connects 2 phone lines, each having different #'s but each 
terminating at the same location. In effect, there are two phones 
at the same location which are linked together through a Cheese 
Box. It is usually found in an unoccupied apartment connected to 
a phone jack or connecting block. The bookmaker, at some remote 
location, dials one of the numbers and stays on the line. Various 
betters dial the other number but are automatically connected 
with the bookmaker by means of the Cheese Box inter-connection. 
If, in addition to a Cheese Box, a Black Box is included in the 
arrangement, the combined equipment would permit toll-free call-
ing on either line to the other line.

     If a police raid were conducted at the terminating point of 
the conversation --the location of the Cheese Box-- there would 
be no evidence of gambling activity. This device is sometimes
difficult to identify. Law enforcement officials have been ad-
vised that when unusual devices are found associated with tele-
phone connections, the phone company security representative 
should be contacted to assist in identification. (This probably 
would be good for a BBS, especially with the Black Box set up, 
and if you ever decide to take the board down, you wouldn't have 
to change your phone #. It also makes it so you yourself cannot 
be traced. I am not sure about calling out from one though).






_______________________________________________________________________
                        Copyright 1990
Tutorials                                                     3
_______________________________________________________________________
     * BLUE BOX * 
     ------------

     The 'Blue Box' was so named because of the color of the 
first one found. The design and hardware used in the Blue Box is 
fairly sophisticated, and its size varies from a large piece of 
apparatus to a miniaturized unit that is approximately the size 
of a 'king size' package of cigarettes. The Blue Box contains 12 
or 13 buttons or switches that emit multi-frequency tones charac-
teristic of the tones used in the normal operation of the tele-
phone toll (long distance) switching network. The Blue Box ena-
bles its user to originate fraudulent ('free') toll calls by 
circumventing toll billing equipment. The Blue Box may be direct-
ly connected to a phone line, or it may be acoustically coupled 
to a telephone handset by placing the Blue Box's speaker next to 
the transmitter of the telephone handset. The operation of a Blue 
Box will be discussed in more detail below.

     To understand the nature of a fraudulent Blue Box call, it 
is necessary to understand the basic operation of the Direct 
Distance Dialing (DDD) telephone network. When a DDD call is 
properly originated, the calling number is identified as an 
integral part of establishing the connection. This may be done 
either automatically or, in some cases, by an operator asking the 
calling party for his telephone number. This information is 
entered on a tape in the Automatic Message Accounting (AMA) 
office. This tape also contains the number assigned to the trunk 
line over which the call is to be sent. The information relating 
to the call contained on the tape includes: called number, call-
ing number, time of call. The time of disconnect at the end of 
the call is also recorded.

     Although the tape contains info with respect to many differ-
ent calls, the various data entries with respect to a single call 
are eventually correlated to provide billing info for use by your 
Bell accounting department.

     The typical Blue Box user usually dials a number that will 
route the call into the telephone network without charge. For 
example, the user will very often call a well-known INWATS (toll 
free) customer's number. The Blue Box user, after gaining this 
access to the network and, in effect, 'seizing' control and 
complete dominion over the line, operates a key on the Blue Box 
which emits a 2600 Hz tone. This tone causes the switching
equipment to release the connection to the INWATS customer's line. 
The 2600 Hz tone is a signal that the calling party has hung up. 
The Blue Box simulates this condition. However, in fact the local 
trunk on the calling party's end is still connected to the toll 
network. The Blue Box user now operates the 'KP' (Key Pulse) key 
on the Blue Box to notify the toll switching equipment that 
switching signals are about to be emitted. The user then pushes 
the 'number' buttons on the Blue Box corresponding to the tele-
phone # being called. After doing so, he/she operates the 'ST' 
(Start) key to indicate to the switching equipment that the 
signaling is complete. If the call is completed, only the portion 


_______________________________________________________________________
                       M & M Enterprises
of the original call prior to the emission of the 2600 Hz tone is 
recorded on the AMA tape. The tones emitted by the Blue Box are 
not recorded on the AMA tape. Therefore, because the original 
call to the INWATS # is toll-free, no billing is rendered in 
connection with the call.

     Although the above is a description of a typical Blue Box 
operation using a common method of entry into the network, the 
operation of a Blue Box may vary in any one or all of the follow-
ing respects:

  (a) The Blue Box may include a rotary dial to apply the 2600 
     Hz tone and the switching signals. This type of Blue Box is 
     called a 'dial pulser' or 'rotary SF' Blue Box.

  (b) Entrance into the DDD toll network may be effected by a 
     pretext call to another toll-free # such as Universal
     Directory Assistance (555-1212) or any # in the INWATS network, 
     either inter-state or intra-state, working or non-working.

  (c) Entrance into the DDD toll network may also be in the form 
     of 'short haul' calling. A 'short haul' call is a call to 
     any # which will result in a lesser amount of toll charges 
     than the charges for the call to be completed by the Blue 
     Box. For example, a call to Birmingham from Atlanta may cost 
     $.80 for the first 3 minutes while a call from Atlanta to 
     Los Angeles is $1.85 for 3 minutes. Thus, a short haul, 3 
     minute call to Birmingham from Atlanta, switched by use of a 
     Blue Box to Los Angeles, would result in a net fraud of 
     $2.65 for a 3 minute call.

  (d) A Blue Box may be wired into the telephone line or acous-
     tically connected to the handset. The Blue Box may even be 
     built inside a regular Touch-Tone phone, using the phone's 
     pushbuttons for the Blue Box's signaling tones.

  (e) A magnetic tape recording may be used to record the Blue 
     Box tones representative of specific phone #'s. Such a tape 
     recording could be used in lieu of a Blue Box to fraudulent-
     ly place calls to the phone #'s recorded on the magnetic 
     tape.

     All Blue Boxes, except 'dial pulse' or 'rotary SF' Blue 
Boxes, must have the following 4 common operating capabilities:

  (a) It must have signaling capability in the form of a 2600 Hz 
     tone. The tone is used by the toll network to indicate, 
     either by its presence or its absence, an 'on hook' (idle) 
     or 'off hook' (busy) condition of the trunk.

  (b) The Blue Box must have a 'KP' tone that unlocks or readies 
     the multi-frequency receiver at the called end to receive 
     the tones corresponding to the called phone #.




  (c) The typical Blue Box must be able to emit MF tones which 
     are used to transmit phone #'s over the toll network. Each 
     digit of a phone # is represented by a combination of 2 
     tones. For example, the digit 2 is transmitted by a combina-
     tion of 700 Hz and 1100 Hz.

  (d) The Blue Box must have an 'ST' key which consists of a 
     combination of 2 tones that tell the equipment at the called 
     end that all digits have been sent and that the equipment 
     should start switching the call to the called number.

     The 'dial pulser' or 'rotary SF' Blue Box requires only a 
dial with a signaling capability to produce a 2600 Hz tone.

     * BLACK BOX * 
     -------------

     This ETF device is so-named because of the color of the 
first one found. It varies in size and usually has one or two 
switches or buttons. Attached to the telephone line of a called 
party, the Black Box provides toll-free calling *to* that party's 
line. A Black Box user informs other persons beforehand that they 
will not be charged for any calls placed to him. The user then 
operates the device causing a 'non-charge' condition ('no answer' 
or 'disconnect')  to be recorded on the telephone company's bill-
ing equipment. A Black Box is relatively simple to construct and 
is much less sophisticated than a Blue Box.

     * RED BOX * 
     -----------

     This device is coupled acoustically to the handset transmit-
ter of a single slot coin telephone. The device emits signals 
identical to those tones emitted when coins are deposited. Thus, 
local or toll calls may be placed without the actual deposit of 
coins.




BOXING BASICS By Dr. Pepper
-------------

     What I will provide here is a summary of the three most 
important boxes, some of the ways Ma Bell tries to catch boxers, 
and some suggestions on avoiding being caught.

     The most famous box, the blue box, is essentially like a 
portable touch-tone pad, except the tones are not touch-tone 
(DTMF)  -- they are the trunk signaling frequencies (MF). A good 
box also contains the supervision control frequency, 2600 Hz 
(SF).





     Hackers use the box by gaining access to a DDD (or other) 
network sender (it's like a dial tone), usually by making an 800 
or 555 call. A much better access is if there are local tandems 
in your area used for non-accounted calls but allowing non-local 
outgoing calls.

     Phreaks used blue boxes because they allowed the introduction
of network dial codes other than area code and number, and opened
an incredibly complex maze to be explored and toyed with. Other 
people used blue boxes to complete calls without paying. This 
made AT&T intent on stopping the access; to them the phreaks 
tying up tandems from Kalamazoo to Moscow were a nuisance, and 
the others were thieves.

     One of the most successful means of catching blue boxers was 
and is the feature in the accounting program which calls
attention to any number which shows a large number of 800 or 555
calls. (We know of telecommunications managers on our side who
have been called by AT&T to find out why so and so -- an
employee -- makes so many calls to the company 800 number.) Other
means include analyzing trunk trouble reports (if your box
doesn't treat the trunk the same way AT&T's equipment does, it
can in some cases generate trouble reports).

     Once the suspicion is there, your local Telco puts a 'pen
recorder' on your line, and everything you dial -- rotary,
touch-tone, or MF -- gets recorded on paper. This paper will be
used as evidence against you. Eventually the U.S. Government
prosecutes you for 'interstate fraud by wire' -- an extremely
broad law.

     In order to eliminate blue boxing, which relies on the use 
of the MF signals on the same circuit that you talk on, Ma Bell 
is converting to a new system, Common Channel Interoffice Signal-
ing (CCIS). There are many benefits of CCIS other than eliminat-
ing blue boxing, but it will eventually eliminate blue boxing 
because it sends the network signaling information on data links 
between signal transfer points (STPs) associated with various 
switching machines.

     It will take many years for CCIS to be universally used, but 
it is going in fast. As long as there is one non-CCIS link in the 
network, the phreaks will find it and ply their hobby.

     To avoid getting caught: don't use your box from the same 
place repeatedly. Don't complete calls to friends and sit and 
gab -- if no 'signs and signals' are transmitted (you don't pass 
information -- you don't communicate) you have not committed 
fraud by wire. You may get charged with possession, if state laws 
where you are caught make boxes illegal.

     The second famous box is the black box. With the black box, 
you receive calls without the caller being charged. This is 
useless for hackers -- only the freephone people are interested. 
This works in step-by-step (SXS) offices, #1 and #5 Crossbar, and 
some non-Bell offices. Bell's ESS offices are too clever for this 
trick -- your phone isn't connected to the incoming trunk unless 
you are off-hook.

     Ma Bell catches black boxers by examining trunk records. Why
was the trunk in use for so long, but not off-hook? In #5
Crossbar offices, there will also be funny account entries --
originate followed by disconnect -- a long time later -- with no
answer in between. ESS offices can generate this data when audits
are done (a random occurrence).

     The best way to avoid being caught is to stay away from this 
one. At least keep your calls short -- the length of 15-20 rings 
or so.

     The final famous box is the red box. This is the electronic 
equivalent of the chime people used to take to a pay phone so 
that the operator thinks money is being deposited. The gongs were 
easy to record or obtain and operators could be easily fooled. 
The newer phones with the beeps made it necessary to come up with 
something more precise.

     People get caught when an operator gets suspicious and
calls security, or when the accounting info for the phone says
there isn't enough money in the coin box. Bell security then
stakes out the pay phone -- and zap. Never use the same pay
phone twice.




THE BLUE BOX AND MA BELL by Herb Friedman,
------------------------
            Communications Editor 
            Radio Electronics Magazine November 1987


     Before the breakup of AT&T, Ma Bell was everyone's favorite 
enemy. So it was not surprising that so many people worked so 
hard and so successfully at perfecting various means of making 
free and untraceable telephone calls. Whether it was a "Red Box" 
used by Joe and Jane College to call home, or a "Blue Box" used 
by organized crime to lay off untraceable bets, the technology 
that provided the finest telephone system in the world contained 
the seeds of its own destruction.

     The fact of the matter is that the Blue Box was so effective 
at making untraceable calls that there is no estimate as to how 
many calls were made or who made them. No one knows for certain 
whether Ma Bell lost revenues of $100, $100-million, or $1-bil-
lion on the Blue Box. Blue Boxes were so effective at making 
free, untraceable calls that Ma Bell didn't want anyone to know 
about them, and for many years denied their existence. They even 
went as far as strong-arming a major consumer science magazine 
into killing an article that had already been prepared on the 
Blue and Red boxes. Further, the police records of a major city 
contain a report concerning a break-in at the residence of the 
author of that article. The only item missing following the 
break-in was the folder containing copies of the earliest Blue-
Box designs and a Bell-System booklet that described how sub-
scriber billing was done by the AMA machine--a booklet that Ma 
Bell denied ever existed. Since the AMA (Automatic Message Ac-
counting) machine was the means whereby Ma Bell eventually 
tracked down both the Blue and Red Boxes, we'll take time out to 
explain it. Besides, knowing how the AMA machine works will help 
you to better understand "phone phreaking."

     WHO MADE THE CALL
     -----------------

     Back in the early days of the telephone, a customer's bill-
ing was originated in a mechanical counting device, which was 
usually called a "register" or a "meter." Each subscriber's line 
was connected to a meter that was part of a wall of meters. The 
meter clicked off the message units, and once a month someone 
simply wrote down the meter's reading, which was later
interpolated into message-unit billing for those subscribers who
were charged by the message unit. (Flat rate subscribers could make 
unlimited calls only within a designated geographic area. The 
meter clicked off message units for calls outside that area.)  
Because eventually there were too many meters to read individual-
ly, and because more subscribers started questioning their month-
ly bills, the local telephone companies turned to photography. A 
photograph of a large number of meters served as an incontestable 
record of their reading at a given date and time, and was much 
easier to convert to customer billing by the accounting depart-
ment.
     
     As you might imagine, even with photographs billing was 
cumbersome and did not reflect the latest technical developments. 
A meter didn't provide any indication of what the subscriber was 
doing with the telephone, nor did it indicate how the average 
subscriber made calls or the efficiency of the information serv-
ice (how fast the operators could handle requests). So the meters 
were replaced by the AMA machine. One machine handled up to 
20,000 subscribers. It produced a punched tape for a 24-hour 
period that showed, among other things, the time a phone was 
picked up (went off-hook), the number dialed, the time the called 
party answered, and the time the originating phone was hung up 
(placed on-hook).

     One other point, which will answer some questions that 
you're certain to think of as we discuss the Red and Blue boxes: 
Ma Bell did not want persons outside their system to know about 
the AMA machine. The reason? Almost everyone had complaints 
--usually unjustified-- about their billing. Had the public been 
aware of the AMA machine, they would have asked for a monthly 
list of their telephone calls. It wasn't that Ma Bell feared 
errors in billing; rather, they were fearful of being buried 
under an avalanche of paperwork and customer complaints. Also, 
the public believed their telephone calls were personal and 
untraceable, and Ma Bell didn't want to admit that they knew 
about the who, when, and where of every call. And so Ma Bell 
always insisted that billing was based on a meter unit that 
simply "clicked" for each message unit; that there was no record, 
other than for long-distance calls, as to who called whom. Long 
distance was handled by, and the billing information was done by 
an operator, so there was a written record Ma Bell could not 
deny.

     The secrecy surrounding the AMA machine was so pervasive 
that local, state, and even federal police were told that local 
calls made by criminals were untraceable, and that people who 
made obscene telephone calls could not be tracked down unless the 
person receiving the calls could keep the caller on the line for 
some 30 to 50 minutes so the connections could be physically 
traced by technicians. Imagine asking a woman or child to put up 
with almost an hour's worth of the most horrendous obscenities in 
the hope someone could trace the line. Yet in areas where the AMA 
machine had replaced meters, it would have been a simple, though 
perhaps time-consuming task, to track down the numbers called by 
any telephone during a 24-hour period. But Ma Bell wanted the AMA 
machine kept as secret as possible, and so many a criminal was 
not caught, and many a woman was harried by the obscene calls of 
a potential rapist, because existence of the AMA machine was 
denied.

     As a sidelight as to the secrecy surrounding the AMA ma-
chine, someone at Ma Bell or the local operating company decided 
to put the squeeze on the author of the article on Blue Boxes, 
and reported to the Treasury Department that he was, in fact, 
manufacturing them for organized crime--the going rate in the mid 
1960's was supposedly $20,000 a box. (Perhaps Ma Bell figured the 
author would get the obvious message: Forget about the Blue Box 
and the AMA machine or you'll spend lots of time, and much money 
on lawyer's fees to get out of the hassles it will cause.) The 
author was suddenly visited at his place of employment by a 
Treasury agent. Fortunately, it took just a few minutes to con-
vince the agent that the author was really just that, and not a 
technical wizard working for the mob. But one conversation led to 
another, and the Treasury agent was astounded to learn about the 
AMA machine. (Wow! Can an author whose story is squelched spill 
his guts.) According to the Treasury agent, his department had 
been told that it was impossible to get a record of local calls 
made by gangsters: The Treasury department had never been in-
formed of the existence of automatic message accounting. Needless 
to say, the agent left with his own copy of the Bell System 
publication about the AMA machine, and the author had an appoint-
ment with the local Treasury Bureau director to fill him in on 
the AMA Machine. That information eventually ended up with Sena-
tor Dodd, who was conducting a congressional investigation into, 
among other things, telephone company surveillance of subscriber 
lines--which was a common practice for which there were detailed
instructions in Ma Bell's own switching equipment ("crossbar")
manual.



     THE BLUE BOX
     ------------

     The Blue Box permitted free telephone calls because it used 
Ma Bell's own internal frequency-sensitive circuits. When direct 
long-distance dialing was introduced, the crossbar equipment knew 
a long-distance call was being dialed by the three-digit area 
code. The crossbar then converted the dial pulses to the CCITT
tone groups that are used for international and trunkline
signalling. (Note that those do not correspond to Touch-Tone
frequencies.) The tone groups represent more than just numbers; among 
other things there are tone groups identified as KP (prime) and 
ST (start)--keep them in mind. When a subscriber dialed an area 
code and a telephone number on a rotary-dial telephone, the 
crossbar automatically connected the subscriber's telephone to a 
long-distance trunk, converted the dial pulses to CCITT tones 
sent out on the long-distance trunk that set up or selected the 
routing and caused electro-mechanical equipment in the target 
city to dial the called telephone.

     Operator-assisted long-distance calls worked the same way. 
The operator simply logged into a long-distance trunk and pushed 
the appropriate buttons, which generated the same tones as direct 
dial equipment. The button sequence was KP (which activated the 
long-distance equipment), then the complete area code and tele-
phone number. At the target city, the connection was made to the 
called number but ringing did not occur until the operator there 
pressed the ST button. The sequence of events of early Blue Boxes 
went like this: The caller dialed information in a distant city, 
which caused his AMA machine to record a free call to informa-
tion. When the information operator answered, he pressed the KP 
key on the Blue Box, which disconnected the operator and gave him 
access to a long-distance trunk. He then dialed the desired 
number and ended with an ST, which caused the target phone to 
ring. For as long as the conversation took place, the AMA machine 
indicated a free call to an information operator. The technique 
required a long-distance information operator because the local 
operator, not being on a long-distance trunk, was accessed 
through local wire switching, not the CCITT tones.

     CALL ANYWHERE
     -------------

     Now imagine the possibilities. Assume the Blue Box user was 
in Philadelphia. He would call Chicago information, disconnect 
from the operator with a KP tone, and then dial anywhere that was 
on direct-dialing service: Los Angeles, Dallas, or anywhere in 
the world the Blue Boxer could get the international codes.

     The legend often told of one Blue Boxer who, in the 1960's, 
lived in New York and had a girlfriend at a college near Boston. 
Now back in the 1960's, making a telephone call to a college town 
on the weekend was even more difficult than it is today to make a 
call from New York to Florida on a reduced-rate holiday using one 
of the cut-rate long-distance carriers. So our Blue Boxer got on 
an international operator's circuit to Rome, Blue Boxed through 
to a Hamburg operator, and asked Hamburg to patch through to 
Boston. The Hamburg operator thought the call originated in Rome 
and inquired as to the "operator's" good English, to which the 
Blue Boxer replied that he was an expatriate hired to handle 
calls by American tourists back to their homeland. Every weekend, 
while the Northeast was strangled by reduced-rate long-distance 
calls, our Blue Boxer had no trouble sending his voice almost 
7,000 miles for free.

     VACUUM TUBES
     ------------

     Assembly plans for Blue Boxes were sold through classified 
advertisements in the electronic-hobbyist magazines. One of the 
earliest designs was a two-tube portable model that used a 1.5-
volt "A" battery for the filaments and a 125-volt "B" battery for 
the high-voltage (B+) power supply. It consisted of two phase-
shift oscillators sharing a common speaker that mixed the tones 
from both oscillators. The user placed the speaker over the 
telephone handset's transmitter and simply pressed the buttons 
that corresponded to the desired CCITT tones. It was just that 
simple.

     Actually, it was even easier than it reads because Blue 
Boxers discovered they did not need the operator. If they dialed 
an active telephone located in certain nearby, but different, 
area codes, they could Blue Box just as if they had Blue Boxed 
through an information operator's circuit. The subscriber whose 
line was blue Box conversation was short, the "dead" phone sud-
denly came to life the next time it was picked up. Using a list 
of "distant" numbers, a Blue Boxer would never hassle plain to 
the telephone company. The difference between Blue Boxing off a 
subscriber rather than an information operator was that the Blue 
Boxer's AMA tape indicated a real long-distance telephone call 
--perhaps costing 15 or 25 cents--instead of a freebie. Of 
course, that is the reason why when Ma Bell finally decided to go 
public with "assisted" newspaper articles about the Blue Box 
users they had apprehended, it was usually about some college kid 
or "phone phreak." One never read of a mobster being caught. 
Greed and stupidity were the reasons why the kids were caught.

     It was the transistor that led to Ma Bell going public with the 
Blue Box. By using transistors and RC phase-shift networks for 
the oscillators, a portable Blue Box could be made inexpensively, 
and small enough to be used unobtrusively from a public tele-
phone. The college crowd in the many technical schools went crazy 
with the portable Blue Box; they could call the folks back home, 
their friends, or get a free network (the Alberta and Carolina 
connections--which could be a topic for a whole separate article) 
and never pay a dime to Ma Bell. Unlike the mobsters who were 
willing to pay a small long-distance charge when Blue Boxing, the 
kids wanted it, wanted it all free, and so they used the informa-
tion operator routing, and would often talk "free-of-charge" for 
hours on end.



     Ma Bell finally realized that Blue Boxing was costing them 
big bucks, and decided a few articles on the criminal penalties 
might scare the Blue Boxers enough to cease and desist. But who 
did Ma Bell catch?  The college kids and the greedies. When Ma 
Bell decided to catch the Blue Boxers she simply examined the AMA 
tapes for calls to an information operator that were excessively 
long. No one talked to an operator for 5, 10, 30 minutes, or 
several hours. Once a long call to an operator appeared several 
times on an AMA tape, Ma Bell simply monitored the line and the 
Blue Boxer was caught. (Now do you understand why we opened with 
an explanation of the AMA machine?) If the Blue Boxer worked from 
a telephone booth, Ma Bell simply monitored the booth. Ma Bell 
might not have known who originated the call, but she did know 
who got the call, and getting that party to spill their guts was 
no problem. The mob and a few Blue Box hobbyists (maybe even 
thousands) knew of the AMA machine, and so they used a real 
telephone number for the KP skip. Their AMA tapes looked perfect-
ly legitimate. Even if Ma Bell had told the authorities they 
could provide a list of direct-dialed calls made by local mob-
sters, the AMA tapes would never show who was called through a 
Blue Box. For example, if a bookmaker in New York wanted to lay 
off some action in Chicago, he could make a legitimate call to a 
phone in New Jersey and then Blue Box to Chicago. Of course, 
automatic tone monitoring, computerized billing, and ESS (Elec-
tronic Switching Systems) now make that all virtually impossible, 
but that's the way it was.

     You might wonder how Ma Bell discovered the tricks of the 
Blue Boxers. Simple, they hired the perpetrators as consultants. 
While the initial newspaper articles detailed the potential jail 
penalties for apprehended Blue Boxers, except for Ma Bell employ-
ees who assisted a Blue Boxer, it is almost impossible to find an 
article on the resolution of the cases because most hobbyist Blue 
Boxers got suspended sentences and/or probation if they assisted 
Ma Bell in developing anti-Blue Box techniques. It is asserted, 
although it can't be easily proven, that cooperating ex-Blue 
Boxers were paid as consultants. (If you can't beat them, hire 
them to work for you.)

     Should you get any ideas about Blue Boxing, keep in mind 
that modern switching equipment has the capacity to recognize 
unauthorized tones. It's the reason why a local office can leave 
their subscriber Touch-Tone circuits active, almost inviting you 
to use the Touch-Tone service. A few days after you use an unau-
thorized Touch-Tone service, the business office will call and 
inquire whether you'd like to pay for the service or have it 
disconnected. The very same central-office equipment that knows 
you're using Touch-Tone frequencies knows if your line is origi-
nating CCITT signals.








     THE RED BOX
     -----------

     The Red Box was primarily used by the college crowd to avoid 
charges when frequent calls were made between two particular 
locations, say the college and a student's home. Unlike the 
somewhat complex circuitry of the Blue Box, a Red Box was nothing 
more than a modified telephone; in some instances nothing more 
than a capacitor, a momentary switch, and a battery. As you 
recall from our discussion of the Blue Box, a telephone circuit 
is really established before the target phone ever rings, and the 
circuit is capable of carrying an AC signal in either direction. 
When the caller hears the ringing in their handset, nothing is 
happening at the receiving end because the ringing signal he 
hears is really a tone generator at his local telephone office.  
The target (called) telephone actually gets its 20 pulses-per-
second ringing voltage when the person who dialed hears nothing 
--in the "dead" spaces between hearing the ringing tone. When the 
called phone is answered and taken off hook, the telephone com-
pletes a local-office DC loop that is the signal to stop the 
ringing voltage. About three seconds later the DC loop results in 
a signal being sent all the way back to the caller's AMA machine 
that the called telephone was answered. Keep that three-second 
AMA delay in mind. 

     Now as we said earlier, the circuit can actually carry AC 
before the DC loop is closed. The Red Box is simply a device that 
provides a telephone with a local battery so that the phone can 
generate an AC signal without having a DC connection to the 
telephone line. The earliest of the Red Boxes was the surplus 
military field telephone, of which there were thousands upon 
thousands in the marketplace during the 1950's and 1960's. The 
field telephone was a portable telephone unit having a manual 
ringer worked by a crank--just like the telephone Grandpa used on 
the farm--and two D-cells. A selector switch set up the unit so 
that it could be connected to a combat switchboard, with the DC 
power supplied by the switchboard. But if a combat unit wasn't 
connected to a switchboard, and the Lieutenant yelled "Take a 
wire," the signalman threw a switch on his field telephone that 
switched in the local batteries. To prevent the possibility of 
having both ends of the circuit feeding battery current into the 
line in opposite polarity--thereby resulting in silence--the 
output from the field telephone when running from its internal 
batteries was only the AC representing the voice input, not 
modulated DC. 

     PRESS ONCE TO TALK
     ------------------

     The Red Box was used at the receiving end; let's assume it's 
the old homestead. The call was originated by Junior (or Sis) at 
their college 1000 miles away from home. Joe gave the family one 
ring and then hung up, which told them that he's calling. Pop set 
up the Red Box. Then Junior redialed the old homestead. Pop 
lifted the handset when the phone rang. Then Pop closed a momen-
tary switch for about a half-second, which caused the local 
telephone office to silence the ringing signal. When Pop released 
the switch, the folks could talk to Junior without Junior getting 
charged because his AMA tape did not show his call was answered 
(the DC loop must be closed for at least three seconds for the 
AMA tape to show Junior's call was answered). All the AMA tape 
showed is that Junior let the phone ring at the old homestead for 
almost 30 minutes; a length of time that no Bell Operating Compa-
ny is likely to believe twice!

     A modern Red Box is simply a conventional telephone that's 
been modified to emulate the vintage 1940 military field tele-
phone. Aside from the fact that the operating companies can now 
nail every Red Box user because all modern billing equipment 
shows the AMA information concerning the length of time a caller 
let the target phone ring, its use has often put severe psycho-
logical strain on the users.

     There are no hard facts concerning how many Red Boxes were 
in use, or how much money Ma Bell lost, but one thing is known: 
she had little difficulty in closing down Red Boxes in virtually 
all instances where the old folks were involved because Mom and 
Pop usually would not tolerate what to them was stealing. If you 
as a reader have any ideas about using a Red Box, bear in mind 
that the AMA machine (or its equivalent) will get you every 
time, even if you use a phone booth, because the record will show 
the number being called, and as with the Blue Box, the people on 
the receiving end will spill their guts to the cops.
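
     The two AMA-tape checks described above (repeated long calls 
to an information operator, and an unanswered call left ringing 
for many minutes) can be written as a screening pass over call 
records. This is an added example, not part of the original 
booklet: the record layout, the thresholds, and the sample 
numbers are all constructed for illustration.

```python
"""Screen AMA-style call records for the two patterns the text describes."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds; the text gives only orders of magnitude.
LONG_OPERATOR_CALL_S = 5 * 60   # "No one talked to an operator for 5, 10, 30 minutes"
REPEATS_BEFORE_MONITORING = 2   # "appeared several times on an AMA tape"
LONG_RING_S = 5 * 60            # unanswered call held far longer than anyone lets a phone ring


@dataclass(frozen=True)
class AmaRecord:
    calling: str      # originating number (may be a phone booth)
    called: str       # number recorded for the call
    dest_type: str    # "INFO" = information operator, "SUB" = subscriber
    held_s: int       # seconds the circuit was held
    answered: bool    # True if answer supervision reached the AMA machine


def parse_ama(lines):
    """Parse the constructed 'calling,called,type,held_s,answer' layout."""
    records = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if (len(f) != 5 or f[2] not in ("INFO", "SUB")
                or not f[3].isdigit() or f[4] not in ("Y", "N")):
            raise ValueError(f"line {n}: malformed record {line!r}")
        records.append(AmaRecord(f[0], f[1], f[2], int(f[3]), f[4] == "Y"))
    return records


def screen(records):
    """Return lines to monitor and unanswered calls with implausible ring times."""
    long_info = defaultdict(int)
    long_ring = []
    for r in records:
        if r.dest_type == "INFO" and r.held_s >= LONG_OPERATOR_CALL_S:
            long_info[r.calling] += 1
        elif r.dest_type == "SUB" and not r.answered and r.held_s >= LONG_RING_S:
            # The record names the called party even when the caller used a booth.
            long_ring.append((r.calling, r.called, r.held_s))
    monitor = sorted(c for c, hits in long_info.items()
                     if hits >= REPEATS_BEFORE_MONITORING)
    return {"monitor_lines": monitor, "long_ring": long_ring}


# Constructed sample records (not real data).
SAMPLE = """
# calling,called,type,held_s,answer
212-555-0101,312-555-1212,INFO,45,Y
212-555-0101,312-555-1212,INFO,2700,Y
212-555-0101,415-555-1212,INFO,5400,Y
212-555-0102,312-555-1212,INFO,1900,Y
212-555-0103,201-555-0150,SUB,620,Y
617-555-0110,702-555-0144,SUB,1790,N
617-555-0111,702-555-0145,SUB,35,N
""".splitlines()

if __name__ == "__main__":
    result = screen(parse_ama(SAMPLE))
    print("monitor:", result["monitor_lines"])
    print("long unanswered ring:", result["long_ring"])
```

The answered ten-minute call from 212-555-0103 passes both checks, 
which is the blind spot the text attributes to callers who used a 
real telephone number: their records looked legitimate.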



HOW BELL CATCHES BLUE BOXERS By LEX LUTHOR AND THE LEGION OF DOOM
----------------------------

 UPDATED: 25-JUNE-84

     This article describes the investigative procedures used by 
the security department of Ma Bell. Most of the file will talk 
about blue box investigations because of the frequency of the 
blue box cases referred to law enforcement officials for prosecu-
tion.

     The security department may first discover evidence of 
boxing activity from looking at calling patterns to particular 
numbers. Such analyses may reveal abnormal calling patterns which 
possibly are the result of box activity (such as 122 hour calls 
to dir. assist). Also, cases of suspected boxing are referred to 
the security department from the various operating departments of 
Bell, from other telephone companies, or from law enforcement 
officials. In some instances, detection and identification of a 
calling station originating suspected blue box tones can be 
provided by use of special non-monitoring test equipment.





     If initial indications are that there is a good possibility 
that a blue box is being used on a particular phone line, the 
security department determines certain information about the 
line. The name of the subscriber to that line is identified, and 
an inventory is made of the line and station equipment being 
provided to him. A discreet background investigation (record) is 
conducted to establish the subscriber's identity. After this 
preliminary data is gathered, blue box detection units are in-
stalled on the suspected line to establish "probable cause" for 
further investigation. If the "probable cause" equipment indi-
cates repeated blue box activity on the line, other equipment is 
then installed to document such activity.

     The "probable cause" equipment ascertains the presence of 
multi-frequency tones on the subscriber's end of the line which 
would not be present in normal usage. The "probable cause" device 
now being used by some Bell central offices registers each and 
every application of 2600hz tones in single-frequency (sf) sig-
naling and/or 2600hz tone followed by kp tones used in multi-
frequency (mf) signaling. As previously stated, such tones should 
not normally be present on the line.

     If "probable cause" is established, other detection, identi-
fication and documentation equipment is installed. The primary 
equipment now being used is the dialed number recorder (DNR), 
coupled with an auxiliary tape recorder. The DNR is activated 
when the suspect subscriber's phone goes "off-hook" and prints on 
paper tape the following information concerning the call: the 
date and time of the call and the digits dialed over the suspect's 
line. Moreover, the DNR records on the paper tape an indicator of 
the presence of 2600hz tones on the line and the presence of 
multi-frequency signaling tones on the subscriber's line. The 
auxiliary tape recorder is activated *only* after the presence of 
2600hz tone on the line is detected by the DNR (indicating the 
use of a blue box). Once the tape recorder is activated, it 
records the tones being emitted by the blue box, other signaling 
tones, and the ringing cycle on the called end. It also records 
a minimum amount of ensuing conversation for the purpose of:

     (1) establishing that the fraudulent call was consummated

     (2) establishing the identity of the fraudulent caller. 

     The timing duration of the tape recorder is pre-set. A time 
of one-minute (including pulsing, ringing and conversation) is 
the standard setting; however, if the blue box user is suspected 
of making overseas calls, the timing may be set for 2 minutes 
because of the greater time required by the blue box user to 
complete the call. Upon termination of the call, the DNR automat-
ically prints the time of termination and the date. It should be 
pointed out that the presence of 2600hz tones *plus* multi-fre-
quency signaling tones on a subscriber's line positively estab-
lishes that a blue box is being used to place a fraudulent call 
because such tones are not normally originated from a subscriber's 
line.
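
     The DNR behaviour described above can be modelled as a small 
state machine over line events. This is an added example, not 
Bell's equipment logic: the event names, the tuple layout, and 
the sample events are constructed, and the times are seconds on 
an arbitrary clock.

```python
"""Model of the dialed number recorder (DNR) behaviour described in the text."""
from dataclasses import dataclass
from typing import Optional, Tuple

RECORD_S = 60             # standard recorder setting: one minute
RECORD_OVERSEAS_S = 120   # two minutes when overseas calls are suspected


@dataclass
class TapeEntry:
    off_hook: int                                # time the line went off-hook
    digits: str = ""                             # digits dialed over the line
    sf_2600: bool = False                        # 2600hz indicator
    mf: bool = False                             # multi-frequency indicator
    mf_after_2600: bool = False                  # MF seen after 2600hz on this call
    recorder: Optional[Tuple[int, int]] = None   # (start, stop) of the tape recorder
    on_hook: Optional[int] = None                # termination time; None if call still up

    @property
    def verdict(self):
        # 2600hz plus MF is what the text treats as establishing blue box use.
        if self.sf_2600 and self.mf_after_2600:
            return "blue box indicated"
        if self.sf_2600 or self.mf:
            return "tones registered"
        return "normal"


def run_dnr(events, overseas_suspected=False):
    """events: iterable of (time_s, kind, data); returns one TapeEntry per call."""
    limit = RECORD_OVERSEAS_S if overseas_suspected else RECORD_S
    tape, cur = [], None
    for t, kind, data in sorted(events, key=lambda e: e[0]):
        if kind == "OFFHOOK":
            if cur is not None:          # previous call never closed; keep it
                tape.append(cur)
            cur = TapeEntry(off_hook=t)  # the DNR activates on off-hook
        elif cur is None:
            continue                     # the DNR is idle while the line is on-hook
        elif kind == "DIGITS":
            cur.digits += data
        elif kind == "SF2600":
            cur.sf_2600 = True
            if cur.recorder is None:     # recorder starts *only* on 2600hz
                cur.recorder = (t, t + limit)
        elif kind == "MF":
            cur.mf = True
            cur.mf_after_2600 = cur.mf_after_2600 or cur.sf_2600
        elif kind == "ONHOOK":
            cur.on_hook = t              # the DNR prints the termination time
            if cur.recorder and cur.recorder[1] > t:
                cur.recorder = (cur.recorder[0], t)   # call ended before the timer
            tape.append(cur)
            cur = None
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if cur is not None:
        tape.append(cur)
    return tape


# Constructed events for three calls on one monitored line (not real data).
EVENTS = [
    (0, "OFFHOOK", None), (4, "DIGITS", "5550123"), (200, "ONHOOK", None),
    (1000, "OFFHOOK", None), (1005, "DIGITS", "12015550150"),
    (1012, "SF2600", None), (1014, "MF", None), (1400, "ONHOOK", None),
    (2000, "OFFHOOK", None), (2003, "DIGITS", "5550188"),
    (2005, "SF2600", None), (2030, "ONHOOK", None),
    (2500, "MF", None),   # tone while on-hook: ignored
]

if __name__ == "__main__":
    for entry in run_dnr(EVENTS):
        print(entry.off_hook, entry.digits, entry.verdict, entry.recorder)
```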



     Once the raw data described above is gathered, the security 
department collects and formulates the data into legally admissi-
ble evidence of criminal activity. Such evidence will establish:

  (1) That a fraudulent call was placed by means of an ETF 
     device,

  (2) That conversation ensued,

  (3) That the fraudulent call was placed by an identified 
     individual, and

  (4) That such call was not billed to the subscriber number 
     from which the blue box call originated. 

     The evidence which is then available consists of documents 
and also of expert witness testimony by telephone company person-
nel concerning the contents of those documents, the operation of 
the blue box, and the operation of the detection equipment. 
(Note: similar techniques are used in the investigation of other 
forms of ETF.)

     Presentation of Evidence to Prosecutors
     ---------------------------------------

     The evidence accumulated by the security department is 
carefully reviewed by the legal department for the purpose of 
determining whether sufficient evidence exists to warrant the 
presentation of the evidence to law enforcement officials. If the 
evidence does warrant such action, it is presented under appro-
priate circumstances to the proper law enforcement officials. In 
all cases where prosecution is recommended, a professionally 
investigated and documented summary of the case will be prepared 
and presented by the security department to the prosecutor's 
office. Each case recommended for prosecution will be prepared as 
completely as possible, usually necessitating little or no pre-
trial investigation for the prosecutor. The summary of the case 
will include the following:

  (a) A background of the case with details of the defendant's 
     activities and a summary of all pertinent investigative 
     steps and interviews conducted in the course of the investi-
     gation.

  (b) Identification of witnesses.











DEALING WITH THE RATE & ROUTE OPERATOR By Fred Steinbeck
--------------------------------------

     It seems that fewer and fewer people have blue boxes these 
days, and that is really too bad. Blue boxes, while not all that 
great for making free calls (since the TPC can tell when the call 
was made, as well as where it was to and from), are really a lot 
of fun to play with. Short of becoming a real live TSPS operator, 
they are about the only way you can really play with the network.

     For the few of you with blue boxes, here are some of the 
phrases which may make life easier when dealing with the rate & 
route (R&R) operators. To get the R&R operator, you send a KP + 
141 + ST. In some areas, you may need to put another NPA before 
the 141 (i.e. KP + 213 + 141 + ST), if you have no local R&R 
operator.

     The R&R operator has a myriad of information, and all it 
takes to get this data is mumbling cryptic phrases. There are 
basically four special phrases to give the R&R operators. They 
are NUMBERS route, DIRECTORY route, OPERATOR route, and PLACE 
NAME.

     To get an area code for a city, one can call the R&R opera-
tor and ask for the numbers route. For example, to find the area 
code for Carson City, Nevada, we'd ask the R&R operator for 
'Carson City, Nevada, numbers route, please' and get the answer, 
'702 plus', meaning that 702 plus 7 digits gets us there.

     Sometimes directory assistance isn't just NPA + 131. The way 
to get these routings is to call R&R and ask for 'Anaheim, Cali-
fornia, directory route, please'. Of course, she'd tell us it was 
714 plus, which means 714 + 131 gets us the D.A. operator there. 
This is sort of a pointless example, but I couldn't come up with 
a better one on short notice.

     Let's say you wanted to find out how to get the inward 
operator for Sacramento, California. The first six digits of a 
number in that city will be required (the NPA and an NXX). For 
example, let us use 916 756. We would call R&R, and when the 
operator answered, say '916 756, operator route, please'. The 
operator would say, '916 plus 001 plus'. This means that 916 + 
001 + 121 will get you the inward operator for Sacramento.

     Do you know the city which corresponds to 503 640? The R&R 
operator does, and will tell you that it is Hillsboro, Oregon, if 
you sweetly ask for 'Place name, 503 640, please'.

     For example, let's say you need the directory route for 
Sveg, Sweden. Simply call R&R, and ask for 'International, Baden, 
Switzerland. TSPS directory route, please'. In response to this, 
you'd get, 'Directory to Sveg, Sweden. Country code 46 plus 
1170'. So you'd route yourself to an international sender, and 
send 46 + 1170 to get the D.A. operator in Sweden.



     Inward operator routings to various countries are obtained 
the same way: ask for 'International, London, England, TSPS inward 
route, please', and get 'country code 44 plus 121'. Therefore, 44 
plus 121 gets you inward for London.

     Inwards can get you language assistance if you don't speak 
the language. Tell the foreign inward, 'United States calling. 
Language assistance in completing a call to (called party) at 
(called number)'.

     R&R operators are people too, so always be polite, make good 
use of them, and dial with care.

Note: As a result of the break-up, R&R is now KP+800+141+1212+ST



STEP BY STEP SWITCHING NOTES By PHANTOM PHREAKER
----------------------------

     The following research was done on a class 5 Step By Step 
switching system. Items mentioned in this article are not guaran-
teed to work with your particular office. The following interest-
ing topics about Step By Step switching are for informational and 
educational purposes only. This article is aimed at people who 
wish to learn more about telephone switching systems.

     I realize step-by-step switching is dwindling every day, 
with many electromechanical SxS offices being replaced with newer 
electronic/digital switches and Remote Switching Systems (RSS's). 
However, rural areas of the U.S. still use Step, so if you are 
ever in an area served by a SxS CO you may be able to use this 
information.


     ANI Failure/ONI
     ---------------

     To understand this technique, you must understand how ANI 
functions in the Step-by-Step switching system. Your CO sends 
ANI, with your number, in MF or DP to receivers that collect the 
ANI information and store it, along with the called number, on 
the appropriate form of AMA tape. ANI outpulsing in MF can use 
either LAMA (Local Automatic Message Accounting) or CAMA (Cen-
tralized Automatic Message Accounting). ANI sent in DP type 
signaling can also be used, but is rare. DP vs MF trunk signaling 
is similar to the difference between DTMF and pulse dialing, 
except on a trunk. DP signaling sends all information in short 
bursts of 2600Hz tones.

     Causing ANIF's/ONI is an easy task in SxS (and some versions 
of Xbar), because the customer's link to the CO will allow the 
customer to input MF tones to influence a call's completion. This 
can be done by dialing a long distance number and listening to 
the clicks that follow. After the first click when you are done 
dialing, you will hear a few more. They will be timed very close 
to one another, and the last click occurs right before the called 
telephone rings. The number and speed of the clicks probably 
varies. Basically what these clicks are is the Toll Office that 
serves your CO setting up a route for your call. In order to 
abuse this knowledge, you need access to a MF source, whether it 
be a blue box, a computer with a good sound chip, tape recording, 
etc. Right before you hear the series of clicks, send one of the 
following sequences in MF:

KP+1 (Repeatedly) For Automatic Number Identification Failure (ANIF)

-or-

KP+2 (Repeatedly) For Operator Number Identification (ONI)

(Note: these will not work if your CO uses DP signalling.)

     Play these tones into the phone at a sufficient volume so 
that they 'drown out' the series of clicks. Do not send an ST 
signal, as you are not actually dialing on a trunk. You must send 
these MF sequences quickly for this method to work correctly. 
After you have played your 'routing' a few times, you will hear a 
TSPS operator intercept your call and ask for the number you are 
calling FROM.

     When an ANIF is recognized, the call is cut through to a 
TSPS site that serves your area. Now, you can give the operator 
any number in your exchange and she will enter the billing infor-
mation manually, and put the call through. The toll charges will 
appear on the customer who owns the number you gave. You can also 
accomplish a similar feat by merely flashing the switchhook 
during the series of clicks. This will send DC pulses that scram-
ble the ANI outpulsing and cause your call to be sent to a TSPS 
operator before the dialed number. Be sure to stop sending the MF 
'routing' after the operator attaches or she may know that some-
thing's up. Use this method sparingly and with caution. It would 
also be a good idea not to use the same number for billing more 
than one time. Don't use this method in excess, because a toll 
office report will list the number of ANI failures for a specific 
time period. 

     The ONI method works better because it is assumed ONI is 
needed to identify a caller's DN upon a multi-party line. Too 
many ANI failures will generate a report upon a security/mainte-
nance TTY, so if you plan on using this method, use the ONI 
method instead of just ANI Failure.

     The basic idea behind the ANIF is to scramble your ANI 
information by using MF (or the switchhook) to send your LD call 
to a TSPS operator for Operator Number Identification (ONI) due 
to ANI Failure. The idea behind the ONI method is that you are 
fooling the switch into thinking you are calling from a multi-
party line and ONI is needed to identify your DN.



     Test numbers
     ------------

     Some other interesting things in the Step By Step system can 
be found by dialing test numbers. Test numbers in SxS switching 
systems are usually hidden in the XX99 area, as opposed to 99XX, 
which is common for other types of switching systems. These types 
of numbers are possibly physical limitations of a SxS switch, and 
thus a milliwatt tone or other test numbers will be placed there, 
because a normal DN can't be assigned such a number. However, 
these XX99 numbers are usually listed in COSMOS as test numbers. 
Another interesting note about XX99 numbers is that they seem (at 
least in some offices) to be on the same circuit. (That is, if 
one person calls an XX99 number and receives a test tone, and 
another person calls any other XX99 number in that same prefix, 
the second caller will receive a busy signal).

     Here we must examine the last four digits of a telephone 
number in detail.

XXXX=WXYZ             W=Thousands digit
                      X=Hundreds digit
                      Y=Tens digit
                      Z=Units digit

     Dialing your prefix followed by an XX99 may result in a busy 
signal test number, a network overflow (reorder), milliwatt 
tones, or other type of error messages encountered when dialing.

     Not every XX99 number is a test number, but many are. Try 
looking for these in a known Step by Step office.

     The numbers that return a busy signal are the ones that 
incoming callers are connected to when the Sleeve lead of the 
called Directory Number is in a voltage present state, which 
means the line is in use or off-hook. More about this in the next 
topic.

     Busy signal conferencing
     ------------------------

     Another interesting feature of the Step-By-Step system is 
the way busy tones (60 IPM) are generated. In ESS and DMS central 
offices, busy signals that are sent by the terminating switch are 
computer generated and sound very even and clear with no signal 
irregularity. In SxS, all calls to a particular DN are sent to 
the same busy signal termination number, which can be reached 
most of the time by a POTS number. These busy tones are not 
computer generated and the voice path is not cut-off.

     You can take advantage of this and possibly have a 'busy 
signal conference'. This can be achieved by having several people 
dial the same busy DN that is served by a Step office, or by 
dialing an always-busy termination number. When you are connected 
to the busy signal, you will also be able to hear anyone else who 
has dialed the same busy number. Connection quality is very poor 
however, so this is not a good way to communicate.

     As an added bonus, answering supervision is not returned on 
busy numbers, and thus the call will be toll-free for all parties 
involved. However, you must be using AT&T as your inter-LATA 
carrier if the call to the busy number is an inter-LATA call for 
you. So if your IC is US Sprint, you must first dial the AT&T 
Carrier Access Code (10ATT) before the busy number. If your IC 
doesn't detect answer supervision, and begins billing immediately 
or after a certain amount of time, then you will be billed for 
the length of the call.


     Temporarily 'freezing' a line
     -----------------------------

     A SxS switching system that operates on the direct control 
principle is controlled directly by what the subscriber dials. 
Jamming a line on SxS to prevent service is possible by simply 
flashing the switchhook a number of times. Or you may find after 
several aborted dialing attempts, the line will freeze until it 
is reset, either manually or by some time-out mechanism. Usually 
the time the line is out of action is only a few minutes. The 
line will return a busy signal to all callers, and the subscriber 
who has a 'dead' phone will not even hear sidetone. This happens 
when one of the elements in the switch train gets jammed. The 
switch train consists of the linefinder, which sends a dial tone 
to the subscriber who lifted his telephone, and places voltage on 
the S (Sleeve) lead so as to mark that given DN as busy. Next in the 
switch train are the selectors. The selectors are what receive 
the digits you dial and move accordingly. The last step in the 
switch train is the connector. The connector is what connects 
calls that are intraoffice, and sends calls to a Toll office when 
necessary. Other types of devices can be used in the switch 
train, such as Digit Absorbing Selectors, where needed.

     Toll/Operator assisted dialing
     ------------------------------

     You may be able to dial 1/0+ numbers with your prefix in-
cluded in some areas. You can dial any call that you could nor-
mally reach by dialing 1+ or 0+. For example, to dial an operator 
assisted call to a number in Chicago, you could dial NXX + 0312 + 
555 + 1000 where NXX is your prefix, and you would receive the 
usual TSPS bong tone, and the number you dialed, 312 + 555 + 
1000, would show up on the TSPS console's LED readout board. You 
can also use a 1 in place of the 0 in the above example to put 
the call through as a normal toll call.

     This method does not bypass any type of billing, so don't 
get your hopes up high.

     The reason this works is twofold. The first reason is that 
the thousands digit in many SxS offices determines the type of 
call. A 0 or a 1 in place of another number (which would repre-
sent a local call) is handled accordingly. The other reason is 
due to a Digit Absorbing Selector that can be installed in some 
SxS offices to 'absorb' the prefix on intraoffice calls when it 
is not needed to process the call. A DAS can absorb either two or 
three digits, depending on whether the CO needs any prefix 
digit(s) for intraoffice call completion.

     Hunting prefixes
     ----------------

     SxS switches may also translate an improperly dialed local 
call and send it to the right area over interoffice trunks. Say, 
for instance, you need to make a local call to 492-1000. You 
could dial 292-1000 and reach the exact same number, provided 
that there is no 292 prefix within your local calling area. 
However, only the first digit of a prefix may be modified or the 
call will not go through correctly unless you happen to have 
dialed a valid local prefix. You also cannot use a 1 or a 0 in 
place of the first prefix digit, because the switch would inter-
pret that as either dialing a toll or an operator assisted call.

     Trunks
     ------

     Step by Step switching system incoming and outgoing trunks 
are very likely to use In-band supervisory signalling. This means 
you could possibly use numbers served by a SxS CO to blue box off 
of. But, some older step areas may not use MF signaling, but DP 
signalling. DP signaling uses short bursts of 2600Hz to transfer 
information as opposed to Multi-Frequency tones. In DP signaling, 
there are no KP or ST equivalents. Boxing may be accomplished 
from DP trunks by sending short bursts of 2600Hz (2 bursts would 
be the digit 2). Acceptable pulse rates are 7.5 to 12 pulses per 
second, but the normal rate is 10 pulses per second. A pulse 
consists of an 'on hook' (2600Hz) tone and an off-hook (no tone). 
So, at 10 pulses per second, a digit might be .04 seconds of tone 
and .06 seconds of silence. DP is rarely used today, but some 
direct-control Step offices still use it. Common Control Step 
offices are much more likely to use MF trunk signalling.


     As said at the start of this file, some of the things men-
tioned here may have no practical use, but are being exposed to 
the public and to those who did not know about any one of the 
procedures mentioned here previously.

     References and acknowledgements
     -------------------------------

     Basic Telephone Switching Systems-By David Talley, Hayden 
publishers
     No. 1 AMARC-Bell System Technical Journal
     Mark Tabas for information about CAMA and DP, The Marauder, 
and Doom Prophet.



Verification By Fred Steinbeck From TAP issue # 88  10-83
------------

     There has been a great deal of controversy in the realm of 
phreakdom over a mysterious subject known under a number of 
different names, including "Verification", "Autoverification", 
"Verify", "Autoverify", "Verify Busy", and even "VFY BY". All of 
these names basically mean the same thing: the ability to listen 
to another person's telephone line from any telephone in the 
direct-dialable world.

     Needless to say, Bell System is very tight lipped about 
knowledge regarding verification. Indeed, the infamous book 
'Notes on long distance dialing' ('68 edition) says, "Care must 
be taken to insure that the customer never gains verification 
capabilities." With a printed policy like that, you can imagine 
what their real-world policy is like! Even their own rate and 
route operators will not give verification on routing codes (at 
least in my experience), one even responding, "What?! You must be 
crazy! We don't give those out!" Before you get too far into this 
article, I will state simply: I don't know how to verify. Howev-
er, I have been fooling with various things related to it, and 
collecting information on it for some time now. Therefore, while 
I can't do it (yet), I may be able to point some other bright 
TAPer on the right track, and perhaps he or she will show us all 
how. If you have knowledge not covered in this article, but don't 
want to write an article on your own, please send your ideas, 
comments, or information to Project Verify, C/O TAP.   

     Verify has also been called "Autoverify", and I have no idea 
why. This is not, to my knowledge, a Bell System term (at least 
I've never seen it in any manuals). As far as I know, there is 
verify, which means being able to listen to speech (kind of; see 
below) on a line, and there is the "Emergency Interrupt", which 
allows you to take part in the conversation taking place on the 
line in question. It has been suggested that "Autoverify" is the 
same as an emergency interrupt, but I tend to disagree with this 
idea. It should be noted that the verification circuitry does not 
actually let an operator listen to a conversation without making 
a beep on the line every so often. Instead, she will hear en-
crypted speech. However, I believe with the proper methods, 
verify can be converted to an emergency interrupt. 

     Verification is normally done either by your normal "0" 
(TSPS) operator, if the call is in your home NPA (HNPA), or by an 
inward operator (IO). If the call is outside your HNPA, your 
normal operator will call the IO for the NPA, and say, "Verify 
Busy (or Emergency Interrupt) please, 555 1212."  The IO will 
perform whatever magic he or she must, and then report back. If 
the call is in your HNPA, though, the "0" operator can do the 
verification herself by using the "VFY BY" key on her keyshelf. 
However, in some areas, the operator uses a routing code to 
accomplish verification, and this is the loophole we shall 
attack. 



     It follows that if an IO or "0" operator can do it, so can 
we, with a blue box. Now, courtesy of Robert Allen (who brought 
it to my attention) and Susan Thunder (who apparently discovered 
it), here is what used to work for getting operators to hook you 
into conversations with other people (i.e., let you listen to them 
till you hung up): You'd call the operator and say "Operator, 
TSPS Maintenance Engineer Calling. Ring forward to 001 + NPA + 
7d, ring back to my number, hit ring forward, no AMA, and then 
position release." 

     This creates some problems, and you must be familiar with 
the TSPS console. By dialing "0", you are on the "back", or 
incoming part of a loop. When she places a call for you, the call 
goes out on the "forward", or outgoing part of the loop. If an 
operator wants to make a call, she punches KP FWD (keypulse 
forward), the number, and ST. Ring FWD puts a 90 volt ringing 
signal across the forward part of the line (and may dial the 
number as well).  The problem arises from the fact that I don't 
know if Ring FWD will actually dial a call, and if there is some 
other subtle difference between it and KP FWD. 

     Let us assume ringing forward makes a call from the TSPS 
console to whatever number is given. Ring back causes your phone 
to ring (it is assumed you hung up after giving her your instruc-
tions; if you didn't you'd hear an annoying 90 volts across the 
earpiece.) "No AMA" means "no automatic message accounting", so 
nobody gets billed for the call, although it will show up on a 
tape somewhere. "Position Release" removes the operator from the 
circuit, and allows her to receive other calls. This leaves an 
unaccounted-for ring forward. 

     The verification circuit, as you know, likes to encrypt 
conversation, which is something we don't want. Well, the second 
Ring FWD sends another 90 volts crashing against the verify 
circuitry, which Juda Gerad thinks removes the voice encryption 
from the line, puts the operator (and you) in circuit, and puts a 
beep tone on the line every five seconds. This seems to make 
sense, and I am inclined to agree with him. 

     The bit about "..001 + NPA + 7D" causes the thought "MF 
routing code" to spring immediately to mind. Now, the above trick 
was supposed to work in the 213 NPA. I have tried both "KP + 001 
+ 213 + 7D + ST", and some other area codes. I generally get 
nothing, a reorder signal, or a tandem recording. 

     Here's some food for thought: On an official Telco sheet I 
have, labeled " 213 NPA MF Routing Codes", 001 is listed as "VFY 
BY", or verify busy for the 213 NPA. 002 is listed for the 805 
NPA. Ma Bell likes to have standardized routing codes, such 
logical, then, that 001 would be a sort of "standard" verify 
code, and other prefixes would be tacked on at 002, 003, etc. 
However, I have heard from a retired operator that verification 
codes are different from area to area, and are not always nice 
numbers like 001, 002. Ah, well, a guy can hope, can't he? 



     Some suggestions for future attacks on this dilemma: 
Everyone call your operators and subtly ask questions. I have found 
they tend to give information out easier if you ask for something 
that you would ordinarily have to be a company employee to know 
about, such as rate steps, operator routings, etc. 

     Casually let slip that you used to be (or still are) an 
operator, or that you work for company security. Also, you might 
want to blue box some codes like 001 followed by your NPA and the 
last 7D of a busy number. If you get a sort of "whispery noise", 
try blasting the line with a ringing signal (you might piggyback 
another line onto yours and call the piggyback to generate the 90 
volts) and see if that does anything.
