We're gonna talk today a little bit about what hacking was like, and phreaking was like, and what the what the whole scene was kind of like back in the 80s and 90s. You know, how did this start? What was it like back then? And how does that lead us to where we're at today? And what does that mean for us kind of going forward? All these views and opinions are obviously my own. You know, everybody's experience might be a little bit different. So if anybody during the talk wants to, you know, bring something up or interject something, by all means. You know, this is a very a very social talk, right? So feel free to interject things and to jump in if you like. So the talk is hacking the day, a play on words for back in the day, right? So who am I? My name is Brad Swanson. You can find me on Twitter as Digital Templar or you can just shoot me an email at gmail. I am the incident response lead currently for a SaaS provider based out in California. Formerly I've been with Amazon with Thermo Fisher Scientific in a variety of security or audit related roles. A lot of PCI, a lot of SOX, a lot of goodness. I've been doing security stuff for about 25 years now. Most of it as a good guy. The early years were a little sketchy, obviously, as many of us had. I got started in the 80s. My folks bought me an Osborne back in the day and I got the Osborne in January. I had Colossal Cave Adventure. Was sick of the pirate killing me in the twisty passages. So by February I was learning how to take it apart and fix the software so the pirate wouldn't kill me all the time. Couriered back in the day for Frozen Crew at a really, really slow baud rate which led to a recreational interest in how phone systems worked to help cut down on my electric or my phone bill. Some of the things I like... social engineering. I love social engineering stuff. I just find it fascinating how you can hack people's brains. Red teaming. I want to be a red teamer when I grow up. 
And I also like romantic walks on the beach while sniffing Wi-Fi. So the standard disclaimer. These are my experiences. These are my views, my opinions. They do not reflect any stance of my employer, any stance of the team that I work with, etc. etc. My views only. My employer wouldn't even know that I'm here except my boss is in the audience right now. So everybody clap when we're done here. Not now. Not now. Just when we're done. Yeah. Also some other just extra information. If anybody has peanut allergies, look out for me. I'm like peanut dust. It's not good. So we're gonna cover basically three different kind of areas at a very, very high level here. We're gonna look at the social aspects. You know, what was it like back then and how is it now? Obviously, hacking has become a very social thing. We're all here. You know, we're all at CypherCon. We're all interacting with each other. It's not just, you know, I'm in my own little area with my head down, hacking away on a keyboard. We're talking with each other. We're learning from each other. We are, you know, interacting and interfacing as humans rather than just, you know, a name on a screen in green font. We're also gonna look at hacking. What are some differences between hacking back then and hacking now? And we'll touch a little bit on phreaking as well and what the good old days were like versus what it's like today. So the social aspect. Back in the day, hacking was not as, I guess, anonymous, if you will, as it is now. It was started by friends. It was groups of friends that had something that brought them together other than hacking. So we have like the 414s, for example, right here in Milwaukee. The 414s were actually a group of friends. They were Explorer Scouts. You know, they knew each other and they had an interest in computers. Sure. So they would kind of go with the, you know, go out and explore things and then they found out that they could explore with their computers. 
And so that led to a little bit of trouble. They hacked a bunch of systems. They got into Sloan-Kettering, and went to touch the log files to make sure that they didn't get caught and did a little bit of damage financially. About $1,500, I believe. And that's what got them popped. They ended up on the cover of Newsweek. People had not really been exposed mainstream to hackers before, right? So it was a big deal. People didn't know how to deal with them. A couple of them were charged with like a toll fraud type of charge. But there were no computer crime laws really back then. So yeah. So then again, a group of friends that started out. You know, there was The PHIRM. They were initially called KILOBAUD. They did a lot of sysopping of bulletin board systems. If it was a hacker board, a lot of times it'd be somebody from The PHIRM that would help out with the sysopping of that. There was the L0pht. L0pht Heavy Industries out in Boston. That started as roommates. It was a couple of guys that were roommates. Their girlfriends, they had a loft area in Boston. And their girlfriends had a hat company. They sold hats out of this loft. They, you know, made hats and sold them. They used the other half of the loft to store equipment that they got from the flea market at MIT. So they would get all this equipment. They'd bring it in. They'd hack around on it. They'd fix stuff up. They'd do cool things. And then they'd flip it. And it turned into basically what was the equivalent of the first hacker space. Where, you know, their friends would come over and hack around on hardware. We had Cult of the Dead Cow down in Lubbock, Texas. There were a bunch of friends that worked together at a meatpacking plant. Hence the name Cult of the Dead Cow. They dealt with dead cows all day. And so again, you know, groups of friends that were friends before they were a hacking group, right? Then it expanded a little bit, right? 
So you've got these friends that you're hanging out with and doing computer coolness with. What if we could meet more people? Well, how do we do that? How do we spread the word? How do we get the word out there? BBSes. Let's advertise on BBSes. Let's spin up a hacker BBS. Let's have some some text files that we can, you know, have people come and read and learn a little bit. You know, we had things like the Legion of Doom, which was run by Phiber Optik. There was Masters of Deception with Erik Bloodaxe, who used to be part of Legion of Doom; they had a falling out and they split off. You know, there are courier groups like Fairlight, Frozen Crew, you know, and they were, you know, they started as friends and then they expanded out. They brought in people that they didn't know that weren't part of that core group of friends. Now it's a it's a hacker friend. It's my online friends, my BBS friend. And then, you know, how do we how do we advance that? How do we grow that? How do we take that another step further? Let's meet people face to face. You know, kind of scary, but let's let's give it a shot and see what happens. So there were things like the Chaos Communications Congress. This took place in Germany. It was run by the the CCC, the Chaos Computer Club, and it basically brought European hackers together to kind of learn from each other and share things. We had the Hackers Conference. There was a book that was written, I don't recall the name of the book specifically right now, my apologies, but there was a book that was written that talked about a bunch of hackers and somebody said, hey, let's let's have a conference in California and let's invite these hackers that this book talked about and get them all in the same room. Let's see, once we put all these people together, what they can come up with. That might be kind of cool. We had DEF CON. DEF CON was 1994 and it was meant to be a one-shot deal. 
It was supposed to be like a big farewell blow out party to say goodbye to BBSs because BBSs started to die out in the mid 90s with the advent of the Internet, right? So, you know, Jeff said, hey, let's let's have a big party, say goodbye to the BBSs and we're done. We move on. Well now DEF CON continues and continues and continues and it's it's grown into something very large and cool. So and then we have Hackers of Planet Earth. It's a New York conference that gets that's been around since I want to say 95. Another, you know, another conference where let's just get people in the room and talk to each other about what we're doing. What are we, what are we hacking on today? So that's changed. Now what we have is a much more direct experience kind of, right? A lot less, a lot less of the anonymous communication, a lot more face-to-face. So there's a lot of regular meetups. We have things like MilSec, we have BurbSec for, you know, these are some of the local, local get-togethers where people get together and they talk about things. Hey, I figured out how to do A, B, and C. Or, hey, I'm trying to figure out how to stop this person from, you know, coming in and doing horrible things through my OWA portal. You know, it's a it's a way that we can bounce ideas off each other and and learn from each other. There's local 2600 groups that get together. You know, there's, there's local DEFCON groups. There's the DC414 group, which is phenomenal. There are, you know, DEFCON groups pretty much all over the country, all over the world. Twitter. Twitter has become a huge thing. There is some, there's a lot of noise on Twitter. There's a lot of shit posting. But there's also a lot of really good information. You know, looking out just in this room, I see a couple of people in this room that I follow. A couple of people that have really good info. And it's, it's nice to be able to hop on and check a spot and see what's going on in the world. 
Sometimes it's bad if it's a Friday afternoon and Tavis Ormandy posts something and you're like, oh, I'm not going home tonight. But, you know, it's, it's a good way for various people to be able to stay in touch. So, you know, hackers will use Twitter. Companies will, will post things. You know, maybe a company is coming out with a new product. Zero-day announcements, you know, that Tavis seems fond of on Fridays. And so, you know, it's, it's a good, it's kind of a good way to kind of keep your pulse on things almost, almost real-time. And then we have conferences, right? Conferences have become kind of a big thing now. There are a lot of conferences, a lot of people go to. There's obviously CypherCon, right? There's Black Hat. There's DEFCON. DEFCON actually made it 25 years before being canceled this year. I'm not sure if anybody heard that that was canceled. But there's, you know, there's THOTCON in Chicago. So there's a lot of kind of face-to-face, meet the people you're talking to that are on the other side of the keyboard. In the old BBS days, you could talk to somebody for years and not know what they look like. Not know who they were. With the conferences and stuff, it kind of puts a face to the name, which is nice. ANSI art, right? Some people have to remember ANSI art. ANSI art was awesome. It was like a, like a bulletin board for your BBS. The cooler your ANSI art, the cooler your bulletin board. Well, at least that's what people thought back then anyway. So ANSI art was a big deal. And people would get on BBSs sometimes just to grab ANSI packs and move them around and, you know, find something cool on this BBS. Oh, I want that on my BBS. I'll download it and install it. BBSs were really kind of the lifeblood in the growth of hacking. You know, it was, it was a way that you could get outside of, you know, your, your, your basement or your bedroom or wherever your computer was and, and talk to people. 
You know, you could, you could trade warez on a BBS. You could download e-zines. There were a lot of communications that people started putting together. There was Phrack. There was cDc communications. There were, you know, several different groups that would write up these e-zines about these hacks that they were doing or these projects they're working on. And then those would be distributed throughout the BBSs, you know, via couriers and people, you know, grabbing it from one uploading it to another. BBSs really started to die around 94 when the internet took off. There's still a push. There's still some old people like me that are diehards, right? You can still download BBS software and run it on your servers. You know, instead of dialing in, people will telnet in. And, and, you know, it still has the same functionality. You can run door games and, you know, download files and everything. The thing with BBSs is you had to bring skills to the table back in the day, right? You had to be leet, right? Otherwise, you weren't welcome. You know, it was kind of looked at as we have this hacking group, we have our BBS set up. What can you give us? What can we take from you? What skills are you bringing to make us stronger as a hacking group? You know, we're, we're LOD and we have, we have this big beef right now with MOD. And so we want better things and they've got what have you, what do you have that you're gonna contribute to us? If you had nothing to contribute, that was it. Forget it. Don't worry about it. You know, go somewhere, go, go hop on, you know, Prodigy or something. If you had skills, if you were good, you could get vouched for. You know, and a lot of times it required somebody that was already a member to say, oh yeah, I know Ed, I know Sarah, they're good people. Let them in. They know what they're doing. They're, they're really super elite hackers. And it was, in my opinion, it was kind of crappy because it kind of stagnated that talent pool. 
You might have somebody very intelligent that doesn't have that skill set yet that wants to learn it. They weren't able to, you know, unless they did a lot, a lot of work on their own to try and figure it out. So part of the reason was they wanted those bragging rights that our, our BBS is awesome. Our hacking club is awesome. But they also were very worried. There are a lot of busts that were going on for hacking and for, you know, piracy, things like that. There were a lot of people that when they would get arrested back then, the first thing they would do is, hey, do you have a notepad and a piece of paper? I will give you the name of everybody on that board and all the stuff that they're doing. So a lot of people kept it a very small, close-knit community just for a safety factor. Just to keep from, from getting arrested themselves. So now, I mean, it's really grown how we, how we do our communications. You know, we use websites and Twitter and Tor and YouTube. You know, we have, you know, different file sharing networks that, that we use. And it's really kind of expanded the reach, right? So BBSs used to be mostly your local area code, right? You'd have, you know, like, people will dial into this 414, but they're not gonna dial into a, you know, a 702 Las Vegas BBS because, well, that's long distance. That's gonna rack up a huge phone bill, unless you do weird trickery, which we'll get to in a bit. You know, so it was, it was local. Whereas now with the Internet, it's worldwide. You know, you, you know, one, one minute I'm talking to somebody on Twitter that's sitting two desks away from me that I work with, and two minutes later I'm talking to somebody in Turkmenistan who I've never met before, but has some good information. We're having a good conversation about stuff. So it's really kind of expanded that world to us. It's really opened things up. And you can do it from anywhere. It used to be, oh, what are you doing tonight? 
I'm gonna go home, boot up my computer, get on the BBS. Now, I'm gonna whip my phone out of my pocket and check Twitter quick. You know, it's, it's become with, you know, with smartphones, it's become much easier for us to stay in touch and to communicate with each other. Now, instead of having to be elite and having skills that you bring to the table, you need to bring that desire and that drive. And that's, that's all that you really need for somebody to reach out and say, hey, you know, I like the fact that you want to learn. I'm more than happy to teach you. I will teach you whatever you want to know. And we see that a lot. We see a lot of security groups within companies bringing on people that maybe don't have security experience, but they want to learn about it, right? We want those people. Those people have that drive. They have that, that ability to learn. We can teach security. We can't teach drive, right? You know, and it's, it's a lot easier for these people to learn stuff too. They don't have to get access to a board to get all this information. It's all out there. It's all over the internet. You know, you go out to YouTube, you watch a video, you can learn how things work. You know, you can go and, you know, buy something at DEF CON and then get on YouTube, learn all about it. And, you know, now you're able to go in and pop boxes. Which, good and bad, depending on what side of the fence that you're on. You know, it used to be that this knowledge would die out with people, right? But now that we're able to teach the new generation and the younger people that are coming up through the ranks that maybe don't have that skill set, it keeps it alive. And that's kind of the point of this talk. Is we want to keep this, this past and this history. We want to keep this alive and remember, you know, where we came from. Because that helped us get to where we are today. And where we are today is gonna determine where we're going tomorrow. 
And so, it's very important to not only talk about the past, but to talk about what we're doing today and in the future. You know, 30, 30 years ago we were on BBSs doing this stuff. Where are we gonna be 30 years from now? Probably talking about how I remember back when we used to use Twitter and, you know, communicated with each other. So, yeah. So, it's opened us up to a very nurturing type of environment. Which, which is good. You know, the more people will learn about this, the better off we're gonna be. So, hacking back then. Hacking back then was super easy, in my opinion, compared to now. You could do simple things. There, there are a lot of issues with things like file permissions, processes having way too many rights. One of my favorite things back then was you could link the password file to the dead letter file and then just send an email from nobody to nobody that contained a password file entry. In less than a minute, you've got a root account on the box and you can pretty much do what you like on it at that point. You know, password management. People didn't really give a lot of thought about that back then. You know, in the 80s, as long as you had a password, that thing was super secure. Never mind the fact that the password is 1, 2, 3. You know, once you got a password, nobody will get into that. Security, then more so even than now, I think, was an afterthought. I mean, it's still, in some companies, kind of an afterthought. You know, oh, we rolled out this new product. Did you secure it? Well, what can we do to secure it now that it's rolled out? That was a lot more prevalent back then. And as I mentioned, a lot of programs that ran as root had a lot of issues. You know, you could get a program running as root and then just crash it and take over that process space. You could overwrite files. Sendmail. Sendmail was the bane of security people's existence for years and years and years and years. 
So back then, if a system had a password, it was probably super easy to guess. It was probably 1, 2, 3, 4, 5, 6 or it was password or, you know, the the person's birthday or their wife's name or their husband's name or the dog's name. Complexity wasn't forced back then, like it is now. Exploits were a lot simpler. Somebody's got bad permissions, let's just exploit that. Bam, we're in. You know, or processes had way too much privilege available to them. There's no reason that a process that maybe writes a, writes a file, that it needs root access to everything. Servers sat alone and in the dark. They were neglected. They were like mushrooms. If it was a night or a weekend, odds are that server is locked away and nobody's looking at it. You know, the sysadmins went home. You know, we didn't have things like a SOC that were watching over all these servers. They were lonesome and sad. And modems were plugged into everything. You know, war dialing was a big thing. War dialing is where you set your modem to just dial every number in a list until it finds a carrier and then it logs that number. Hey, I found something living here. And then you go back, you look at your list and you call them up. You see what lives there. A lot of servers had modems plugged in for maintenance modes. If you had like a like a big HP 9000, odds are there's a modem plugged in the back so that when you have problems, HP can dial in and fix it for you. Exploring humans can also dial into that and try and unfix it for you as well. We also didn't have things like bug bounty programs. So if there's an exploit, it didn't get reported right away to the company all the time, right? That exploit might live on for months or a year or years. You know, it was the type of thing where finally a good person would see that and would notify the company, hey, there's a problem with this. Or they would write, you know, write their own updated drivers or updated code that fixed it. 
But there weren't official ways really back then to report these bugs that were found. Nowadays, the difference is being that a lot of the vulnerabilities can be very technical. You know, Spectre and Meltdown are good recent examples of vulnerabilities that are tougher to exploit. It's not as easy as something having bad permissions or being able to overwrite a config file. You know, you have to jump through a lot of hoops if you want to exploit Meltdown and Spectre compared to, you know, the old days. Nowadays, it really, really helps if you can program. You don't have to be like an uber developer, but if you know some Python and know PowerShell, if you've used Metasploit a bunch and know some of the better modules, it really makes life easier from a security perspective. And sometimes now, instead of being a one-shot deal where, okay, I'm going to link this file and send an email. We're done. We're in. Now there might be several steps required. Okay, I'm gonna create this config and now I've got to link these files. And now I've got to move this file over here. A lot more, a lot more of a process now to get this kind of all pushed through. Blue teams. Blue teams have really thrown a monkey wrench into hackers trying to get into systems. We have SOCs. We have blue teams. Blue teams are very skilled. Blue teams have all kinds of training. There's a lot of knowledge that's shared so that they're able to detect things quickly. Systems are monitored 24-7. Even if you don't have a human sitting there looking at it, we have things like Nagios and various monitoring tools that will let us know the minute something goes a little screwy with that box. And as soon as it does, somebody's getting a page, getting woken up, and they're hopping on to see what's going on. So nights and weekends are no longer the sweet spot. We also have new technologies available to us. We have, you know, we have SIEMs. We have IDS/IPS. 
You know, we mentioned like infrastructure and system monitoring. And they're gonna tell on you. They're gonna call somebody. They're gonna wake somebody up in the middle of the night. That person's gonna be mad about being woken up in the middle of the night. And they're gonna come and look for you. You know, again, back in the old days, wasn't quite like that. They might find out that you were in there on Monday when they come in. So the one thing that stays the same is that humans are involved. Humans are always involved. There's always a human somewhere in the chain, right? And humans are unpredictable, unpatchable, and under deadlines. Now you'll notice that unpatchable has an asterisk after it. And this is really small print. I apologize for that. But the the disclaimer is, humans can be patched through continuous security education. Unfortunately, a lot of companies don't do this. But it's a very good point that that was was brought up. I believe Jason, you had mentioned that recently. That humans are patchable. Saying a human is unpatchable is not exactly accurate. The thing that we need to do as companies is make sure that we do patch our humans. So we continue a continuous security education kind of regimen. People are helpful. It's just in our nature. We, you know, it's the golden rule, do unto others. If I need something, I want somebody to help me. Likewise, if somebody else needs something, I'm going to help them. But it's this helpfulness that can be exploited. Humans can bypass two-factor every time. So I worked for a company previously that we had our red team came in to do a pen test. They couldn't get in through the conventional means. They were just popping through our firewall. They called one of our users up. Hey, we need your password. User gives it out. Yeah, we're cool. We got two-factor, right? Saves everybody. They hit the two-factor. They called the user back. Hey, you know, we tried logging in as you to fix this problem, you know. 
They posed as IT. You know, you logged in to fix this problem. We're getting this two-factor thing. Could you do me a favor and read me the code off your phone? And they did. Five times in one day. Yeah, it wasn't, it wasn't a good day for us when we had to report to the C-levels about that. The good thing is, is that person still works for the company. The company did not come down on that person and say, oh, you're a horrible person. You gave out your two-factor code. You're fired. The company used it as a training opportunity. They said, hey, here's an, here's a, an opportunity for us to provide more education to this individual. Let's explain to this person why what they did was wrong and how to not fall for this in the future. Which I think really needs to be the path that's taken. So often companies like, oh, you know, Ed screwed up. Let's can him. That's, that's not the solution because you're just gonna get another Ed in. Who's gonna fall for it? Improve your, your, your training posture. And that's, that's how you fix that. Humans can forget the details of your social engineering attack. You know, that's the, that's the old thing of be likable and forgettable. You want that person to like you, but you want them to forget about you as soon as you're out of their sight. Humans can make you appear legitimate to others. They provide that legitimacy. So if I want to get in, I want to get information off the, the CISO at a company, I'm not gonna go straight to the CISO and, and try, you know, just saying, hi, my name is Bill and, you know, I'm with your, your cloud service provider, but I'm gonna go to some of that CISO's underlings. I'm gonna get in good with them. That might be an easier avenue. Once they are vouching for me, that gives me credibility with that CISO. And humans are everywhere. You know, like I said, if, if it's a company, there's probably a human at it somewhere in that food chain, right? 
Eventually, you'll find that human and you can try and exploit that. Systems rely on logic, right? Very logical, you know, one zero. Humans rely on emotion. If you can play to somebody's emotions, it's done. You're in. And that's, this has stayed the same. In the, in the 80s, people were pretty much a guaranteed way in. In the 90s, it was that way. Now, it's still that way. You know, how do we fix it? Again, education. Let's, let's train folks and let's show them the right way to do things rather than scold and fire and be growly and mean. So, I'm sure some of you have seen the movie Hackers. Norm was my absolute favorite. Norm was the security guard. So, so basically what happens is, Dave calls him up, says, you know, hey, the file I was working on is lost. My, my, my BLT drive went AWOL. He looks around his room and he sees an empty food container and he thinks, a BLT drive. Norm doesn't have the education he should, as far as security stuff. So, he doesn't know that this is a line of crap that he's being fed. He doesn't, yeah, he doesn't understand that, you know, it's, it's not a real thing, a BLT drive. And back then, people were not comfortable around computers. In the 80s and 90s, computers were still, you know, in the mid 80s, not every house had a computer. I mean, computers were expensive. I had to beg my parents for years to get one and it took my friend getting a Kaypro before I got an Osborne. I was like, ah. People were very scared of breaking things and very scared of being in trouble. You call somebody at work and you're like, you screwed up your computer. Yeah, this, this is Frank from IT and you just broke your junk. They're gonna panic, right? They're gonna freak out. I'm gonna get fired. It's that, that same fear thing. They're, they're a little more comfortable with computers now. Everybody pretty much has a computer at home, or I should say a lot of people. They're more comfortable with doing things on it. 
But back then, it was real easy to have people fearful of their terminal. So, you could get them to do bad things and they wouldn't be suspicious. Yeah, hi, I'm from IT and you did something wrong. They'll do whatever you want then at that point. I'll just fix it, make it go away. So, that brings us to phreaking. So, phreaking, back in the, back in the old days, back in the 80s, the phone systems used something called SS5. SS5 was a, like a signaling system that the phones used. And it used what was referred to as in-band signaling. So, the phones had to be able to, to talk back to the central office and, and kind of say, hey, this is what's going on. This person's trying to make a phone call and they've put two quarters into me. Is that enough money? Well, they would do this with, with very faint tones that if you listen close, you could hear it. And that was in-band signaling because it was in the same band as your, as your voice traffic, right? So, you could actually record those tones, play them back to the phone, or make a device that would play those tones to the phone. And the phone would be like, oh, they just put a quarter in because I heard the, I heard the sounds, even though you put nothing in it. So, there are things like blue boxes, red boxes. These enabled free calls. They made it harder to trace calls. You could, you know, you could stack trunks across the country. Some very famous people in the computer industry, financed their way through college by selling blue boxes. It kind of really took off in the late 60s, early 70s, and had a really good run through the, the mid 90s when they switched to a new system called SS7. With the advent of SS7, they moved to out-of-band signaling. So, these, these codes and these tones didn't go through the phone line anyway. They went through the phone line, but not through the voice channel. So, you couldn't just do craziness. Just a little bit of, I don't know, trivia, if you will. 
There are red boxes and blue boxes in these badges. That's just one of the, one of the things you can figure out on them. Kind of, kind of neat stuff to be able to hear that. It won't work on a real phone, but, you know, kind of, kind of neat for history's sake. The phone system, it was a new frontier, right? So, hackers are inquisitive, right? We want to know how things work. You know, I'm sure a lot of us, when we were young, took stuff apart. My mom hated it. I would take things apart and never put it back together again, right? I would have crap strewn from one end of the table to the other. And my mom would be like, what are you doing? I'm done with that. I already took it apart. I know how it works. I'm done. Bored. The phone system was like that, right? It was, it was this new world that, you know, what does this do? How does it work? What does, where does this go? And we, you know, we had that inquisitive mindset that made it such a wonderful thing. Telephone companies would often leave trucks unlocked. Trucks contained service manuals. They would also throw old manuals into dumpsters. So, you know, late at night, you're bored, you're out cruising around. Hey, there's the telco. I wonder what's in the dumpster. Oh, it comes with a set of Bell manuals. Now, you know how a lot of that stuff works. So, there were, there were a lot of late-night dumpster runs back, back in the day. So, back to the boxes here. So, red boxes generated a coin tone, right? And like a quarter tone, as an example, was kind of what? It was like five high-pitched beeps. You could use them on Fortress phones or COCOT. COCOT is a customer-owned, coin-operated telephone. Basically, a person could buy a payphone, install it at their business, and then they got all the money out of it. You can play nickels, dimes, quarters. I don't know why you'd ever play a nickel or a dime, unless you're just trying to make it look legitimate. We always just did quarters. And you can make it super easy. 
If you went to Radio Shack, Radio Shack had a pocket dialer. We could program phone numbers in, and then you push a memory button, and it would play it back, so you didn't have to be troubled with pushing the buttons on the phone. Because that was a lot of work back then, right? So, if you replace the crystal inside that pocket dialer, and then programmed, like, I think it was five asterisks into a memory location, that's a quarter. And so then you go and you call somebody in, I don't know, Algeria, and you just start hitting the button, and it starts racking up quarters, and now you've got a free phone call. Blue boxes basically allowed you to be an operator console. You could stack trunks, you could, with the right combination of things, you could, you know, there are ways you become like a directory assistance operator. You know, there are a lot of different things you could do with a blue box. Black boxes would set it so that if somebody called you, so maybe, maybe you got a BBS, right? But you're in the middle of nowhere, but you want people to call your BBS without racking up long-distance charges. The black box would turn off the ringing. You could set your BBS to then pick up, but it wouldn't trip. There are two relays, one controlled ringing, one controlled billing. It shuts off the ringing relay, never trips the billing relay, so the person's never, never billed. The phone company in the phone system, the CO, thinks that you never picked the phone up, even though you did. So a lot of these boxes were pretty heavily used up until about the mid-90s, when, again, they rolled out SS7, where the in-band signaling made life a lot easier for the phone companies at that point. And they had things in place that they could detect things before SS7, but it was not as sketchy, or I'm sorry, not as reliable. It was a little more, a little more sketchy. 
There are times that, you know, you crank out three or four dollars in quarters, and all of a sudden you have an operator on the line. Sir, how many coins did you put in the phone? Yeah, 400. Bye. Then you'd move on to the next phone before anybody in a Bell truck shows up. So with the, with phreaking, there are a lot of interesting, cool phone numbers that were out there. And these phone numbers would be traded on BBS. If somebody finds a cool number, you hop on your local phreaking BBS. Hey, I found this, you know. Feel free to use it. Or I found this. I don't know what the hell this is. Can somebody figure it out? There are loop numbers. What a loop number was, there, there's a high side and a low side. You could dial into one side, somebody dials into the other, and you could talk to each other. Conference bridges. That was a big thing, like the late 80s, early 90s. Everybody was dialing into conference bridges. And what that was is, a business would have a conference bridge for doing conference calls. It was just a phone number to call into, and you enter a password, and now everybody can dial in, you can all talk to each other. Well, the passwords were, you know, four or five digits long. Doesn't take much to brute-force that. So the hackers would find them. They're not being used on nights and weekends, because it's owned by a business, right? That business turned off the lights in the server room, and they all went home. So the hackers would brute-force these conference bridges. They'd log in, have their, their conversations. They'd talk about hacker stuff, and phreaker stuff, and just kind of hang out, and do nefarious things. ANI numbers. ANI numbers were very handy. If I want to hack into my local Pizza Hut, and play around with their supply ordering system, but I don't know the number, I go outside to the demarc, the little phone box on the wall out back. I open it up, I plug in a butt set, and I call what's called ANI, automatic number identification. 
It's kind of what drives caller ID, and I could find out what their phone number is. It'd read back the number I'm calling from. Now I know what the phone numbers are for this Pizza Hut on this line that I dialed out, and I'm gonna go home, start calling around that area with my modem, until I find a carrier. Now I know I'm into their, their supply system, and next week they're getting 30,000 pounds of mozzarella, which usually leads to a sale on, like, pizzas, which is nice. And then there are interesting numbers too. You might find a number that's really bizarre and weird, and these still exist out there. You know, government installations, there might be a voicemail box that's weird. You know, there was a voicemail box for a long time that was just a duck quacking, like you'd call this number, and a duck would quack and beep, and you can leave a message. Nobody really knew what it was, it was just a duck. Government installation, there are numbers you'd call, and they would rattle off weird numbers, you know, Bravo, 6, Alpha, 9, 12. Okay, what is that? You know, so then you'd share that number with your friends. They'd be calling, you'd all try and figure out what it was, and it was neat. It was, again, it was that exploring kind of mindset. And then there were sweep tones. So sweep tones were a number that you would call, and it was just a sweeping tone. It's like, right, all the way up, like super high-pitched. Sweep tones were the thing of urban legend. They existed. It was just a test, a test tone, a test number. The rumor was that it could detect a bug on your line. Not true. Not true. So if you think your line is tapped, don't call a sweep tone because it won't really tell you anything. So basically, in closing, you know, there have been a lot of changes over the last 30 years. A lot of things that have advanced, but a lot of things that kind of stayed the same, too, right? You know, we all kind of started out with that inquisitive mindset. 
You know, some of us were black hats, some of us were white hats, some of us were gray hats. You know, it all brought us here today. You know, no matter, I'm sure we have a wide variety in the audience, you know, everybody's experiences have kind of made the whole community what it is. So that's a good thing. Who knows what we've got for the next 30 years. It's exciting to think about with how fast things are going. It's important to remember where we came from and to pass that on to the next generation as they come up. We need to remember our history and to keep that going forward so that we don't forget who we are.