What Was Really Going On? (August, 1985) ---------------------------------------- by Paul G. Estev [When the details of the Middlesex County Prosecutor's Office press conference hit the newspapers the next day, the ridiculous charges made many people knowledgeable about technology and computers very disgusted. Many simple and innocent bits of information had been twisted into "evidence" of illegal activities. With the aid of The Shadow, we have put together a guide to these misinterpretations in the hopes that everyone can see how this investigation has gotten completely out of control.] One of the more sensationalist of the crimes of the hackers was, as Middlesex County Prosecutor Alan Rockoff said, "changing the positions of satellites up in the blue heavens" and causing communications satellites to "change positions" in order to make free phone calls "possibly disrupting intercontinental communications and making legitimate phone calls impossible." This story was twisted by the media to the extent of dire predictions of hackers causing satellites to crash into the Soviet Union, provoking a nuclear war, as heard on one Wednesday morning radio news program, and the "disruption of telex and telephone transmission between two continents." Very soon afterwards AT&T and Comsat denied that any attempts to re-route satellites had been made. In fact, an AT&T executive on the MacNeil-Lehrer Report stated that the computers that controlled the satellites weren't even connected with the phone lines and that the satellites were constantly monitored for movement, and none had ever been detected. So how did this fallacy arise? Not having been on the other boards we can only assume that they may have contained information on making illegal international calls, giving the police the idea that there was international phreaking. Many long-distance companies use satellites to transmit their calls. The Private Sector BBS had much information on satellites, fitting in with its purpose as a telecommunications information source. One recurring topic was TASI (Time Assignment Speech Interpolation), a method of transmitting satellite conversations. TASI is only the packet switching of telephone conversations, where the conversation is converted into small packets and sent over satellite and many long-distance circuits effectively simultaneously along with many other conversations. TASI permits several conversations to be sent over one satellite circuit, thus permitting more conversations without sending up more satellites. It is comparable to talking about modem transmission methods. As far as we know there is no way to use TASI and similar information fraudulently, and certainly one cannot move satellites using this. Evidently Middlesex County law enforcement saw posted messages on the routing of calls through a satellite and jumped, due to paranoia, to the conclusion it was for the moving of the satellites. Another of the more sensationalist charges that the youths had Department of Defense "secret telephone codes" that could enable them to penetrate the Pentagon. Due to the subject matter of the Private Sector BBS (telecommunications), AUTOVON, the DoD's private telephone network, was often brought up because it offers an extremely interesting network architecture quite different than civilian phone systems. Some AUTOVON phone numbers were on the board as examples of the format of the unique numbering plan. These numbers are easy to obtain and have appeared on other boards. These AUTOVON phone numbers can be obtained from a declassified DoD phone book available from the Government Printing Office for a small fee. One of the more muddled of the charges was reported by media sources variously as hackers "ordering tank parts using stolen credit cards by computer from TRW," breaking into TRW computers for top secret information on tank parts, and other variations. It turns out that TRW does do some defense contracting, but it has nothing at all to do with tank parts, instead making automobile parts for various non-tank military vehicles. TRW does have a credit rating service accessible by computer, but this is in a completely separate division. Somehow the authorities and the press had mangled the different alleged crimes of credit card fraud and the breaking into of a defense contractor's computer system, which happened to have defense department information in it. Since TRW is in both credit ratings and defense contracting, it would be an obvious jump in illogic to have the hackers break into TRW computers and order tank parts by credit card. And just why was the Private Sector discussing TRW in the first place? TRW's credit rating computers were discussed on the Private Sector much as TRW was discussed in 2600 (July 1984). Since people's private credit information is stored under shoddy security, it naturally came up in the discussion of computer security as a particularly bad instance. Such discussions weren't for the purpose of breaking into computer systems, but were conducted by various hackers (not computer criminals) and data processing managers who were interested in security methods and computer abuses. Another possible source of confusion is the fact that many of the messages on the BBS's that were confiscated were written by people 13 years old or younger. People this age may brag and tell stories as young people sometimes do. We're sure that you can knocked a satellite out of orbit, much the same way he might brag about the speed of his father's new sports car. It would be quite irresponsible of authorities to issue the kid's father a ticket based on this just as it was irresponsible of them to announce to the press the list of computer crimes without verifying that actual crimes did occur. The authorities are still unsure what crimes, if any, actually took place. When all these exotic charges are revealed to be mere flights of fancy, a great lack of knowledge about computers and telephony is uncovered on the part of law enforcement. We feel that law enforcement officials along with telecommunications hobbyists, should start to research the field by looking in their public library, or even better a local college library (under 621 Dewey Decimal). Several magazines also provide good information, such as Telecom Digest, Communications Age, as well as 2600 and other telecom industry publications. With regards to the credit card part of this whole thing, here is a brief guide to how credit card numbers are used fraudulently. First one obtains a complete credit card number including expiration date. If a driver's license number, social security number, or other information is also obtained, then it is easier to use the credit card number to charge goods and services. Credit and other information are usually found in the form of carbons (actual carbon paper that fits between the credit slip and the receipt) that are often discarded after their use. Carbons contain all of the information from a previous legitimate purchase. If someone is required to include their address or social security number with their credit card number then this will also appear on the carbon, which is found in the daily trash of many retail stores. One can then call up a company that takes charge requests over the phone and order goods using the credit card information that was found with the trash. But the real hurdle to committing credit card fraud is to have the package delivered and for this one needs a mailing address. This can be obtained a few ways. One is to get a post office box under an assumed name, and another is to have it delivered to a place where it can be picked up before the package is noticed. By using stolen or false identification or by being convincing to a postal clerk, one can obtain a post office box. One can also ask for general post office delivery, where the post office will put your package on the racks behind the counter waiting for you to pick up. By finding a vacant or temporarily empty home one can also have the objects delivered there. And this is how it is done from start to finish. There may be more effective ways to complete the various stages, but all in all it is that simple. This is mainly because companies make it easy to make a purchase while only supplying a small amount of personal information. Often if a company has been guaranteed that it will be covered for the value of fraudulently charged goods, then the company will make it easier for a person to charge them. The problem of credit card fraud has a few simple cures: Make it harder to order objects by phone (companies can issue a code that must be verbally communicated order to complete the purchase - one that doesn't appear on the carbon) or discontinue the use of carbons in credit card receipts. There are many other safeguards that can be used to decrease this type of fraud. This section was not intended to be a guide in how to commit a crime, but an edification of how this crime is not committed. Credit card fraud is not high tech crime. No computer is involved or has to be involved; no illegal phone calls are involved; and it is not necessary to break into TRW or other credit bureaus to commit this crime. Computers may be used as notepads or message boards where individuals might write down the information that they found in the trash. With regards to credit card fraud, computers are only used as a medium for communication. Credit card carbons are so easily found and the process of performing the actual illegal charge has been made so easy that it is not even necessary to discuss the topic with others to be able to commit the crime. Because of the use of U.S. mail or post office boxes, the post office is involved in investigating this type of crime. The Secret Service was authorized last October to investigate credit card fraud. The FBI has a variety of reasons to investigate. There are already laws everywhere against credit card fraud, and there are already associated penalties. It is nothing new to law enforcement. In addition, much of all credit card fraud is committed by those who steal, manufacture, or find whole credit cards. We hope that this thorough explanation will help to get rid of those inaccurate stories we've seen abounding. Again we'd like to clarify that law enforcement people should learn a bit about computers and telecommunications and above all try to control their enthusiasm. We are, of course, only qualified to comment on the specific case of the Private Sector. We feel that Rockoff and his cohorts will have to search a long time for the "special codes that provided illegal access to the information at issue" on the Private Sector, as they just aren't there.