Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
Authors: Kevin Mitnick, Steve Wozniak, William L. Simon
Tags: #BIO015000
That was the first step. In order to hear audio on the line—voices, noise, static, or whatever—the tech would then have to establish an audio connection to the SAS unit in the CO. These units were designed with a clever security provision: they had a list of phone numbers preprogrammed into their memories. The technician would have to send a command to the SAS unit to dial back to one of the preprogrammed numbers—the phone number at the location where he was working.
How could we possibly bypass such a clever, apparently infallible security measure?
Well, it turned out not to be all that hard. You’d have to be a phone company technician or a phone phreaker to understand why this worked, but here’s what I did. I dialed from my telephone into the phone line I knew SAS would use to make its outgoing call, then immediately triggered SAS to call back an authorized number programmed into its memory.
When SAS picked up the line to make an outgoing call, it actually answered the incoming call from my phone. But it was waiting for a dial tone and couldn’t get one because I had the line tied up.
I went mmmmmmmmmmmmmm.
I couldn’t have hummed exactly the right sound, because a dial tone in the United States is actually made up of two frequencies. But it didn’t matter because the equipment wasn’t designed to measure the exact frequencies; it needed only to hear some kind of a hum. My Campbell’s Soup mmmmmmm was good enough.
At this point, SAS attempted to dial the outgoing call… which didn’t go through because I was already connected on the line it was trying to use.
Final step: from my computer, I typed in cryptic commands that instructed SAS to drop in on the phone number of the subscriber line I wanted to monitor.
On our first attempt, I was so excited I could barely breathe.
It worked!
Lewis said afterward, “Kevin, you were beside yourself, dancing around in circles. It was like we had found the Holy Grail.”
We could remotely wiretap any phone number within all of Pacific Bell!
Meanwhile, though, I was really growing antsy to find out the truth about Eric. Too many things about him seemed suspicious.
He didn’t appear to have a job. So how could he afford to hang out at the clubs he talked about? Hot places like Whiskey à Go-Go, where acts like Alice Cooper and the Doors, as well as rock gods from back in the day like Jimi Hendrix had sometimes dropped in to jam.
And that business about not giving me a phone number? Eric wouldn’t even give me his pager number. Very suspicious.
Lewis and I talked about the situation and decided we needed to find out what was going on. First step: penetrate the screen of “I won’t give you my phone number.” Then, once we had his phone number, use it to find his address.
Caller ID wasn’t being offered then to customers in California because the state’s Public Utilities Commission was fretting over privacy issues and hadn’t yet authorized its use. But like most phone companies, Pacific Bell used central office switches developed by Bell Labs and manufactured by AT&T, and it was common knowledge in the phreaker community that these switches already had the caller ID feature built into their software.
In the building where my friend Dave Harrison had his offices, a terminal on the first floor had hundreds of phone lines running to it. I went down to the terminal in stealth mode because there was a security guard stationed very nearby, though thankfully not in direct sight. Using a lineman’s handset that Dave had sitting around in his office, I connected to several cable pairs, looking for one that had a dial tone. When I found one, I dialed the special code to obtain the phone number. That was the bait number I would set Eric up to call.
Next Dave “punched the pair down” in the terminal, connecting that line to an unused phone line running up to his office. Back upstairs, we hooked a phone to the hijacked line and connected a caller ID display box.
From my old VT100 terminal, I dialed in to the Webster Street central office switch and added the caller ID feature to the bait phone line.
Later that night I returned to my dad’s apartment in Calabasas, set my alarm clock to go off at 3:30 a.m., and turned in. When the alarm went off, with my cell phone as usual cloned to someone else’s number, I paged Eric, who by then had loosened up enough to give me his pager number. I left the bait phone number for him to return the call. When Eric dialed the number, the caller ID data would be sent between the first and second rings, capturing the number of his phone. Gotcha!
Hermit-like, Dave secretly lived and slept in his office. As soon as I thought Eric would have returned the page, I phoned Dave. It was 3:40 in the morning. I had to keep calling until he finally answered, really angry.
“What is it?!” he shouted into the receiver.
“Did you get the caller ID?”
“Yes!”
“Dave, it’s really important. What is it?”
“Call me in the morning!” he yelled before slamming the phone down.
I went back to sleep and didn’t reach him again until the next afternoon, when he obligingly read me the phone number off the caller ID: 310 837-5412.
Okay, so I had Eric’s phone number. Next to get his address.
Posing as a technician in the field, I called Pacific Bell’s Mechanized Loop Assignment Center, or MLAC, also known simply as the Line Assignment Office. A lady answered and I said, “Hi. This is Terry out in the field. I need the F1 and the F2 on 310 837-5412.” The F1 was the underground cable from the central office, and the F2 was the secondary feeder cable that connects a home or an office building to the serving area interface, which eventually connects to the F1, all the way back to the central office.
“Terry, what’s your tech code?” she asked.
I knew she wasn’t going to look it up—they never did. Any three-digit number would satisfy, so long as I sounded confident and didn’t hesitate.
“Six three seven,” I said, picking a number at random.
“F1 is cable 23 by 416, binding post 416,” she told me. “F2 is cable 10204 by 36, binding post 36.”
“Where’s the terminal?”
“The oh-dot-one is at 3636 South Sepulveda.” That was the location of the terminal box, where the field technician bridged the connection to the customer’s home or office.
I didn’t care about anything I had asked so far. It was just to make me sound legitimate. It was the next piece of information that I really wanted.
“What’s the sub’s address?” I asked. (“Sub” being phone company lingo for the subscriber, or customer.)
“Also 3636 South Sepulveda,” she told me. “Unit 107B.”
I asked, “Do you have any other workers at 107B?”—“workers” being lingo for “working telephone numbers.”
She said, “Yes, we have one other,” and gave me the second number, along with its F1 and F2. As easy as that. It had taken me not much more than a few minutes to discover Eric’s address and both of his phone numbers.
When you use social engineering, or “pretexting,” you become an actor playing a role. I had heard other people try to pretext and knew it could be painfully funny. Not everybody could go on stage and convince an audience; not everybody could pretext and get away with it.
For anyone who had mastered pretexting the way I had, though, it became as smooth as a champion bowler’s sending a ball down the lane. Like the bowler, I didn’t expect to score a strike every time. Unlike the bowler, if I missed, I usually got another try at it with no loss of score.
When you know the lingo and terminology, it establishes credibility—you’re legit, a coworker slogging in the trenches just like your targets, and they almost never question your authority. At least, they didn’t back then.
Why was the lady in Line Assignment so willing to answer all my questions? Simply because I gave her one right answer and asked the right questions, using the right lingo. So don’t go thinking that the Pacific Bell clerk who gave me Eric’s address was foolish or slow-witted. People in offices ordinarily give others the benefit of the doubt when the request appears to be authentic.
People, as I had learned at a very young age, are just too trusting.
Maybe my venture back into hacking was excusable, or at least understandable, justified by my need to solve the riddle of my half-brother’s death. Yet I suddenly realized I had been beyond stupid: I had been using one of the three phone lines in my dad’s apartment to make all kinds of social-engineering calls to Pacific Bell, to follow leads in my Adam investigation, and to talk with Lewis.
These were all clear violations of my conditions of my supervised release. What if the Feds were monitoring my dad’s phone lines and had heard those conversations?
I needed to find out what they knew.
Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo?
Even paranoids sometimes have real enemies. One day I had a gut feeling that someone was watching me—or rather, listening to my phone conversations.
The idea had me really fretting. I was panicked about getting a call from my Probation Officer, telling me to come in for one of those visits that would mean I was about to be taken into custody again and shipped back to Federal detention, maybe even put back in solitary confinement. Scary as hell.
Our home phone service was served out of a PacBell central office in Calabasas, which covered a small territory, so if there were any intercepts, I figured I’d likely be the target. I called the CO and got a tech on the line. “Hi,” I said. “This is Terry Atchley, in Security. I think we have some of our equipment over there. We’re short on monitoring equipment, and we need some of our boxes back for another case. Could you walk around the frame and see if you have any of them?” The frame tech asked me what they looked like. Hmm—I didn’t know. I stumbled a bit and said, “It depends on the model that’s being used over there. It’s probably a small box with a miniature printer attached that’s recording the digits dialed.”
He went to look. I was nervous as hell, pacing as I waited for him to come back to the phone. I was praying he wouldn’t find anything.
Finally he came back on the line. “Yeah,” he said. My heart started beating faster, adrenaline pumping through my veins.
“I found three of your boxes. They’re small gray boxes, but as far as I could see, they don’t have printers,” the tech said.
Three boxes—probably one for each of the phone lines at the apartment I was sharing with my dad. Fuck! This was not good.
“Okay,” I told him. “If we don’t still need them there, somebody’ll come by and pick them up tomorrow. I need you to trace out the connections.”
“On which one?”
“Let’s try the first one.”
The tech asked me which side to trace. Another uh-oh—again I didn’t know how to answer. He told me the box had two connections. “Let’s trace out both and see where they go,” I said.
After several anxious minutes of waiting, I heard him come back on the line. “I had to trace this thing across the frame,” he said. I recognized that for what it was: an annoyed complaint that I had made him chase wires a considerable distance through a complicated maze running along the main distribution frame. He also told me, “On one side, I just hear a thousand-cycle tone.” That was weird. “On the other, I get a dial tone.”
But I wouldn’t be able to understand how these boxes worked until I knew what they were connected to. I asked him to disconnect the cables from the frame and do an LV—a line verification—to find out what phone numbers were connected to each side of the box. “Okay, give me a few minutes,” he said.
Doing line verifications was a routine task. The tech would simply lift each cable pair one at a time, clip his lineman’s handset to the pair, and dial the code to determine each phone number.
The thousand-cycle tone didn’t make sense. Intriguing. I had no idea what it meant but didn’t have time to dwell on the question. My heart was racing, I was sweating with fear, knowing he was going to read me one of my dad’s phone numbers.
He finally came back on the line and gave me the two phone numbers connected to one of the boxes. Neither of them belonging to Dad.
I let out a silent sigh. I could finally breathe again. It was as if a ton of bricks had been lifted off my chest.
But what about the other two boxes? The tech sounded just a bit annoyed when I told him I needed the other two traced, as well. Still, he wasn’t going to make trouble for himself by complaining out loud.
Though the wait this time was much longer, he finally came back and gave me the numbers that were connected to the other two boxes. Again, none were for any of my dad’s lines.
No one was checking up on me.
I could hardly wait for the next step: calling both numbers assigned to each box.
First I tried one of the thousand-cycle numbers. It rang three times and then answered with a beep-beep-beep. I tried again. And again. No matter what time I called, always the same thing. What could this be? Maybe it was waiting for some type of code. Whatever the explanation, it was obvious to me that it wasn’t the line being wiretapped.