Hacker Perspective: Bill from RNOC
I was 14 years old the first time I convinced a supervisor at New York Telephone to happily give me their login and password to a sensitive computer system. It wasn't until the next day that I was able to gain access and explore, on account of not having a modem of my own. You see, in the 1980s I was a teenaged computer hacker, phone phreak, and a pretty good social engineer.
Hacking into computers and manipulating communication networks was fun and exciting. Later on, for about a year or so, I was the head of the Legion of Doom (LOD), whatever that means.
The way I see it in retrospect, loosely knit hacker groups like LOD or MOD were something of a farce - groups based upon who was the most elite hacker and who were his friends. Kind of like an elaborate kid's game played with very adult, real world pieces. The board of this game was the world's technological communications infrastructure.
If there's anything that can make anyone feel old, it's talking about the technology of their youth. My dad used to talk about taking the subway to and from the movies, seeing a double feature, and getting a popcorn or lunch for a nickel. (Or was it a dime?) I never wanted to sound old like my dad. When I was a kid...
When I was a kid, computers had memory measured in K. (My orthodontist excitedly told me that the makers of the VIC-20 were planning to produce a home computer that had a whopping 64 of these mammoth Ks, as he tightened the wires in my mouth.) Most computer monitors were monochrome green or amber on black. Calculators had segmented red LED displays. People used to specify that TVs were color (we had a big one with a whopping 22-inch curved glass tube). Data was no longer stored on cards, but tapes reel to reel, or, if you happened to have access to Wang, you used conveniently sized 8-inch floppies. Oh yeah, most phones had rotary dials, and the Bells charged extra to let you use your push-button Touch-Tone phone, the one that you leased from them at a premium - but you read about that in your back issues of 2600.
At 11 or 12, I got my first computer.
It was the TI-99/4A. It hooked up nicely to our color TV with an RF modulator. urn the TV to channel 3 or 4, plug in a cartridge, and "boop," it was on and ready to go.
Most of the cartridges were games, which was fine by me. Some were generic rip-offs like Munch Man or TI Invaders. Then we had a few licensed games like Q*bert and Popeye. One game called Hunt the Wumpus let you save your sessions on a cassette recorder, so we could continue our adventures after the Star Trek reruns during sleepless sleepovers. Then there were the hard core computing cartridges like Statistics and Extended BASIC. And I will never forget my favorite peripheral that snapped snugly into the side of the machine: the Speech Synthesizer. This was just made for late night prank phone calls. I would just hold the phone up to the TV and hit <ENTER>.
A couple of years later, I got my first real computer with a dedicated green monitor, dual floppy disk drives, and a tractor feed dot-matrix printer. It was an Apple IIe. We bought it used, without a modem, for about $1200. Modems were expensive and they led to big phone bills. Local calls were 10.2 cents per minute. We used a hole punch to double-side our disks. They were expensive too, and you never seemed to have enough for the project at hand.
When I was a freshman in high school, I used to trade disks of games and printouts of bulletin board messages with other like minded students. I loved text files by hackers and phone phreaks, like my favorites: The BIOC Files. (Even now they're still available at cache.cow.net/works/biocagent.)
These fueled my interest in the phone company and telephone networks by providing me with all sorts of secret telephone company numbers and tricks, like 99XX being a common ending for internal numbers.
Some of this information was spot on, while some was wild guesswork and fantasy. I read about hackers and they all had handles. I read about LOD and I knew I needed to someday join. I needed a handle and at first couldn't decide between "Paperclip" and "Basketball Jones." Not quite sure what the latter meant (I wasn't much of a sports fan), I just kind of liked the way it sounded.
One afternoon I was sitting in my dad's study, talking on the phone, surrounded by his vast collection of psychology tomes, thumbing through my favorite page-turner paperback, The Anarchist Cookbook, when my new handle hit me like a ton of books: Sigmund Fraud.
Since I didn't have a modem, I could only sign on to BBSes from my friend Peter's house. Peter had a modem - a 300 baud Apple-CAT modem, crème de la crème.
I went to Peter's house almost every day. I signed on to a lot of (then) subversive BBSes at first. Later, when I had things to hack into, I did it from there. The problem was that Peter also liked the name Sigmund Fraud - a little too much - and he started logging onto other boards and using my name. I think I found out about it from a friend at school. He was all "You sounded like a real pompous asshole on the XYZ board" and I was all like "I never heard of that board." We would have said "D'oh!" in unison, but there was no Simpsons yet.
So it was back to my father's den of higher learning for more inspiration where I had another vision. This time, I came up with the handle Alter Ego. That one lasted a couple of months.
It took me a while to get a handle that stuck.
But I soon learned that there were more places to derive inspiration from than just files. I had a relative who worked at Bell Labs. They saw that I was interested in telephones and computers and gave me a present that changed my life on my 14th birthday. The Bell System Technical Journal about the Automated Repair Service Bureau (July-August 1982 Vol. 61, No. 6, Part 2) hereby referred to as the ARSB BSTJ.
This was amazing and mind opening in many ways. First being that the Bell System published technical works that were available to the public and not rife with inaccuracies and guesswork that BBS posts and textfiles were oft built upon. These people knew how things really worked because they were the people inventing this hardware and programming these systems and they were as close as your nearest public library microfilm reading room, a fun alternative to school. The downside was that the articles were often a little dry - just a tad - and lacked the wonderment that a phreak or hacker would embody when they magically stumbled upon something.
Like the time I was quickly dialing 950-1033, the Feature Group B access code for Allnet. I accidentally dialed 958-1022, and a disjointed mechanized recording interrupted and spoke in my ear: 7-7-7-9-8-0-7.
I got chills; I remember it like it was yesterday.
With a little trial and error I was able to figure out that 958 was the magic number and that 777-9807 was constantly busy because it was the number of the unmarked payphone I was on. It seems that this 958 was the code for the Automatic Number Announcement Circuit (ANAC) in New York City. We all called these numbers Automatic Number Identification (ANI) because that's what it said in a text file somewhere; we knew what they were for, just not what they were called. (Just now, Google found a nice list of these for me here at: www.topbits.com/anac-number.html)
The other way this journal really changed me is that it made me realize, crystal clear, just how complex, intricate, and excitingly beautiful a network, something as seemingly simple as telephone repair, could be. The preface started: "A family of computer-based support systems, the Automated Repair Service Bureau (ARSB), has been introduced at Bell Operating Companies" and within a page or two I knew that I had to become intimately acquainted with these computers, and their abilities to monitor circuits. But where was I to begin? (No, I didn't memorize the passage, but 26 years later I still keep the journal on the bookshelf in my office.)
I started at the beast's public face.
In New York, where NYNEX remained king of the telephones, the public's window into the ARSB was hidden behind another 3-digit code, just like my beloved ANAC. This code was 611. Three digit codes were coveted internal portals to the world of the recently divested, still hopelessly intertwined, Bell System.
Many of these are still in service today. Back then, we also had 211 for the credit operator, 411 for information, 660 in NYNEX-land as a test portal (that could make any phone ring after you hung up), and of course 911 for 911.
I remember reading some internal NYNEX marketing paper explaining where their awkward name came from. It was indeed an acronym of sorts, meaning New York, New England, and the Unknown (X). Probably thought up by the genius parents of the marketers that brought us its second generation successor Verizon (which I always thought should mean the Vertical Horizon - more conjecture on my part).
As a phone phreak/computer hacker without a modem, I used the biggest tools at my disposal; my voice and the telephone. I took to social engineering my way from the mailroom on up, impersonating anyone or anything I met along the way.
For some of my earliest social engineering expeditions, before my voice had fully changed I went by the name of "Mrs. Grisby," a bumbling but kindly old woman from AT&T. Working as old Mrs. G, I convinced someone in a Remote Work Center (RWC) somewhere in Colorado to help install some 800 numbers. These permitted free calls to my friends' houses. These numbers generated no billing data and stayed in service for the next eight years, long after they were needed. But I'm getting ahead of myself.
To really find my way deep into the repair world, I needed to establish a map, of sorts, of the ARSB to see how things were structured in New York. Where did the computers live? Where did the operators sit? Where were the repairmen dispatched from? Where did they park their trucks? Well, lucky for me, it's mighty hard to hide a parking lot or a central office building. I could see a large lot from the subway by Sheepshead Bay with about 100 or more vans that all looked strikingly to the 2600 van that later toured the nation in Freedom Downtime.
For starters, I said I was a repairman named "John from Repair." (There had to be at least one of us, right?) I was dispatched out of Sheepshead Bay on a repair for a random number that I made up. That was the start of the confusion. I was told there was no trouble-ticket registered for that number. I said I would check with my foreman and get back to them. I had an idea.
I would call and make a report of telephone trouble for a number that I knew, and then I would call as the technician again. I picked the number for a local Blimpie restaurant (this was a gross fast food joint that was fun to prank call because of the way this one guy would always answer the phone in a heavily accented "Hello Blimpie" and every time we "said" a random word with my TI speech synthesizer, he would repeat "Hello Blimpie" ad infinitum until we would hang up because our sides hurt from suppressed laughter).
"John from Repair" (a very brief handle I used) and his "coworkers" were able to discover a web of information by using this and other very simple ruses. The first nugget of info I gleaned was an internal direct-dial number for 611, a repair office based in the borough of Queens, a number ending in 9941 where the operators sat. This was my first successful social engineering mission.
Next, I slowly got numbers for the rest of the departments, then branched out to the supervisors' office numbers, system names, and locations. With each subsequent call, I gained another nugget of information. Later, I graduated to computer dial-up numbers for PDP-11 front-end systems in the computer operation centers, and corresponding accounts and passwords. And eventually, given some time, back-end access to mammoth mainframes. I was aided along by having much of my information of the blanks and gaps filled in with terminology from the ARSB BSTJ, or from previous phone calls.
I ended up getting an Apple-CAT 300 baud modem around the time I found the handle that stuck: Bill From RNOC, borne from the same roots as John From Repair.
This time, Bill was a guy I talked to who worked at one of AT&T's Regional Network Operations Centers. Eventually, I stopped breaking the law when I was dragged down by its long arm, but I never stopped thinking like a hacker.
As much as things change, they stay the same.
There are still dry technical documents to inform and whet the appetites of curious minds. There are still plenty of stories and articles, posts, blogs, and zines being written by intrepid explorers. No matter how old or young you are, you can look back at the role and place that technology and technological change had in your life and feel old too; whether it was owning a cell phone that lacked the ability to send SMS or text, downloading a song over your dial-up connection using the original Napster or Kazaa, or even turning in your first program to your college professor on 563 sequentially numbered Hollerith punch cards.
When I was in my mid 20s, long after I got in trouble, I got back to my roots by forming a computer security consulting firm with some old hacker buddies. And it was here that I did the ultimate feat of social engineering, when I helped convince a large wireless telephone company to hire us to pull a no-holds-barred external hacking audit/penetration test - a full scale attack on their facilities from the outside.
The included, but was not limited to, social engineering, trashing, war dialing, spoofing, and good old-fashioned hacking. And it was a f*cking blast, as fun, if not more fun, than when I was younger, because I was getting paid to be sneaky and clever. I'd love to tell you how things turned out, but I'm still under nondisclosure. When it expires, I promise to tell all.
A lot has changed in the world of repair service in this quarter of a century.
For one thing, 611 no longer gets you to an operator, but a recording that tells you to dial 890-6611, which, when called, kindly interrupts to say that you now need to dial 1+ your area code first.
Finally, if you dial 1-718-890-6611, you get a recording telling you that in the future all of your needs can be met by dialing 1-800-VERIZON, before putting you into a voice prompted system that proceeds to take you for a long ride.
This is long before trying to diagnose your trouble by continuing to use their patented prompt/menu service to raise your blood pressure all the while. Luckily, my 9941 number to the repair service operator still works to this day, without the need to dial through endless messages, or hear a recording stating that your call is being monitored for "quality purposes."
From the hacker's perspective I feel that I've lived in interesting times, as the curse goes, and I'm grateful for all the past phone numbers and passwords that still float around in my memory long after my call has been terminated - and that the urge to figure things out remains strong.
Bill from RNOC is one of the many names of this New York City based multi-hatted hacker cum artist/filmmaker. He first wrote for 2600 in November of 1986 under yet another nom de plume. Look it up.