The Phrack E911 Affair
I had not planned to post this as a special issue, and had put itdirect in the TELECOM Archives. However, the demand for copies (basedon the mail I received Saturday alone) indicates it would be betterhandled in a couple of newsgroups.I had not anticipated the large demand for copies. Here it is: Date: Tue, 15 May 90 02:40:28 pdt From: Emmanuel Goldstein Subject: 2600 Articles: The Phrack E911 Affair
THE FOLLOWING TWO ARTICLES ARE FROM THE JUST-RELEASED SPRING EDITION OF2600 MAGAZINE, THE HACKER QUARTERLY. WE FEEL THAT THE CURRENT HAPPENINGS IN THE COMPUTER WORLD ARE EXTREMELY SIGNIFICANT FOR ANYONE WHO HAS ANY INTEREST IN COMMUNICATIONS AND/OR TECHNOLOGY. WE’D BE MOST INTERESTED INANY FEEDBACK ON THIS TOPIC.
*****ARTICLE ONE: AN OVERVIEW***
A year ago, we told the stories of Kevin Mitnick and Herbert Zinn,two hackers who had been sent to prison. It was then, and still is today,a very disturbing chain of events: mischief makers and explorers imprisonedfor playing with the wrong toys and for asking too many questions. We saidat the time that it was important for all hackers to stand up to such grossinjustices. After all, they couldn’t lock us all up.It now appears that such an endeavor may indeed be on the agendas of some verypowerful U.S. governmental agencies. And even more frightening is therealization that these agencies don’t particularly care who or what gets sweptup along with the hackers, as long as all of the hackers get swept up.Apparently, we’re considered even more of a threat than we had previouslysupposed.In retrospect, this doesn’t come as a great deal of a surprise. In fact, it nowseems to make all too much sense. You no longer have to be paranoid or of abeen witnesses to. Censorship, clampdowns, “voluntary” urine tests, liedetectors, handwriting analysis, surveillance cameras, exaggerated crises thatinvariably lead to curtailed freedoms…. All of this together with theoverall view that if you’re innocent, you’ve got nothing to hide. And all madeso much more effective through the magic of high tech. Who would you target asthe biggest potential roadblock if not the people who understand thetechnology at work? It appears the biggest threats to the system are thosecapable of manipulating it.What we’re about to tell you is frightening, plain and simple. You don’t haveto be a hacker to understand this. The words and ideas are easily translatableto any time and any culture.Crackdown”We can now expect a crackdown…I just hope that I can pull through this oneand that my friends can also. This is the time to watch yourself. No matterwhat you are into…. Apparently the government has seen the last straw intheir point of view…. I think they are going after all the ‘teachers’…andso that is where their energies will be put: to stop all hackers, and stoppeople before they can become threats.”
This was one of the reactions on a computer bulletin board to a series of raidson hackers, raids that had started in 1989 and spread rapidly into early 1990.Atlanta, St. Louis, and New York were major targets in what was then anundetermined investigation.This in itself wouldn’t have been especially alarming, since raids on hackerscan almost be defined as commonplace. But this one was different. For the veryfirst time, a hacker newsletter had also been shut down.Phrack was an electronic newsletter published out of St. Louis and distributedworldwide. It dealt with hacker and phone phreak matters and could be found onnearly all hacker bulletin boards. While dealing with sensitive material, theeditors were very careful not to publish anything illegal (credit cardnumbers, passwords, Sprint codes, etc.). We described “Phrack World News” (aregular column of Phrack) in our Summer 1989 edition as “a must-read for manyhackers”. In many ways Phrack resembled 2600, with the exception of being sentvia electronic mail instead of U.S. Mail. That distinction would prove to bePhrack’s undoing.It now turns out that all incoming and outgoing electronic mail used by Phrackwas being monitored by the authorities. Every piece of mail going in and everypiece of mail coming out.
These were not pirated mailboxes that were beingused by a couple of hackers. These had been obtained legally through theschool the two Phrack editors were attending. Privacy on such mailboxes,though not guaranteed, could always be assumed. Never again.It’s fairly obvious that none of this would have happened, none of this couldhave happened had Phrack been a non-electronic magazine. A printed magazinewould not be intimidated into giving up its mailing list as Phrack was. Had aprinted magazine been shut down in this fashion after having all of their mailopened and read, even the most thick-headed sensationalist media types wouldhave caught on: hey, isn’t that a violation of the First Amendment?Those media people who understood what was happening and saw the implicationswere very quickly drowned out in the hysteria that followed. Indictments werebeing handed out. Publisher/editor Craig Neidorf, known in the hacker world asKnight Lightning, was hit with a seven count indictment accusing him ofparticipating in a scheme to steal information about the enhanced 911 systemrun by Bell South. Quickly, headlines screamed that hackers had broken intothe 911 system and were interfering with emergency telephone calls to thepolice. One newspaper report said there were no indications that anyone haddied or been injured as a result of the intrusions. What a relief. Too bad itwasn’t true.In actuality there have been very grievous injuries suffered as a result ofthese intrusions. The intrusions we’re referring to are those of thegovernment and the media. The injuries have been suffered by the defendantswho will have great difficulty resuming normal lives even if all of this isforgotten tomorrow.
And if it’s not forgotten, Craig Neidorf could go to jail for more than 30years and be fined $122,000. And for what? Let’s look at the indictment:”It was… part of the scheme that defendant Neidorf, utilizing a computer atthe University of Missouri in Columbia, Missouri would and did receive a copyof the stolen E911 text file from defendant Robert J.| Riggs located inAtlanta and known in the hacker world as Prophet| through the LockportIllinois| computer bulletin board system through the use of an interstatecomputer data network.”It was further part of the scheme that defendant Neidorf would and did editand retype the E911 Practice text file at the request of the defendant Riggsin order to conceal the source of the E911 Practice text file and to prepareit for publication in a computer hacker newsletter.”It was further part of the scheme that defendant Neidorf would and didtransfer the stolen E911 Practice text file through the use of an interstatecomputer bulletin board system used by defendant Riggs in Lockport, Illinois.”It was further part of the scheme that the defendants Riggs and Neidorf wouldpublish information to other computer hackers which could be used to gainunauthorized access to emergency 911 computer systems in the United States andthereby disrupt or halt 911 service in portions of the United States.”Basically, Neidorf is being charged with receiving a stolen document. There isnothing anywhere in the indictment that even suggests he entered any computerillegally. So his crimes are receiving, editing, and transmitting.Now what is contained in this document? Information about how to gainunauthorized access to, disrupt, or halt 911 service? Hardly. The document(erroneously referred to as “911 software” by the media which caused all kindsof misunderstandings) is quoted in Phrack Volume 2, Number 24 and makes forone of the dullest articles ever to appear in the newsletter. According to theindictment, the value of this 20k document is $79,449. See story that follows this one|Shortly after the indictments were handed down, a member of the Legion of Doomknown as Erik Bloodaxe issued a public statement. “A group of three hackers|ended up pulling files off a Southern Bell system| for them to look at. Thisis usually standard procedure: you get on a system, look around forinteresting text, buffer it, and maybe print it out for posterity. No memberof LOD has ever (to my knowledge) broken into another system and used anyinformation gained from it for personal gain of any kind…with the exceptionof maybe a big boost in his reputation around the underground. A hacker| tookthe documentation to the system and wrote a file about it. There are actuallytwo files, one is an overview, the other is a glossary. The information ishardly something anyone could possibly gain anything from except knowledgeabout how a certain aspect of the telephone company works.”He went on to say that Neidorf would have had no way of knowing whether or notthe file contained proprietary information.Prosecutors refused to say how hackers could benefit from the information, norwould they cite a motive or reveal any actual damage. In addition, it’s widelyspeculated that much of this information is readily available as referencematerial.In all of the indictments, the Legion of Doom is defined as “a closely knitgroup of computer hackers involved in:
a) disrupting telecommunications byentering computerized telephone switches and changing the routing on thecircuits of the computerized switches;
b) stealing proprietary computer sourcecode and information from companies and individuals that owned the code andinformation;
c) stealing and modifying credit information on individualsmaintained in credit bureau computers; d) fraudulently obtaining money andproperty from companies by altering the computerized information used by thecompanies;
e) disseminating information with respect to their methods ofattacking computers to other computer hackers in an effort to avoid the focusof law enforcement agencies and telecommunication security experts.”
Ironically, since the Legion of Doom isn’t a closely knit group, it’s unlikelythat anyone will be able to defend the group’s name against these charges –any defendants will naturally be preoccupied with their own defenses.(Incidentally, Neidorf was not a part of the Legion of Doom, nor was Phracka publication of LOD, as has been reported.)The Hunt IntensifiesAfter learning of the Phrack electronic mail surveillance, one of the systemoperators of The Phoenix Project, a computer bulletin board in Austin, Texas,decided to take action to protect the privacy of his users. “I will be addinga secure encryption routine into the e-mail in the next 2 weeks – I haven’tdecided exactly how to implement it, but it’ll let two people exchange mailencrypted by a password only known to the two of them…. Anyway, I do notthink I am due to be busted…I don’t do anything but run a board. Still,there is that possibility. I assume that my lines are all tapped until provenotherwise. There is some question to the wisdom of leaving the board up atall, but I have personally phoned several government investigators and invitedthem to join us here on the board. If I begin to feel that the board isputting me in any kind of danger, I’ll pull it down with no notice – I hopeeveryone understands. It looks like it’s sweeps-time again for the feds. Let’shope all of us are still around in 6 months to talk about it.”The new security was never implemented. The Phoenix Project was seized withindays.And the clampdown intensified still further. On March 1, the offices of SteveJackson Games, a publishing company in Austin, were raided by the SecretService. According to the Associated Press, the home of the managing editorwas also searched. The police and Secret Service seized books, manuals,computers, technical equipment, and other documents. Agents also seized thefinal draft of a science fiction game written by the company. According to theAustin American-Statesman, the authorities were trying to determine whetherthe game was being used as a handbook for computer crime.Callers to the Illuminati bulletin board (run by Steve Jackson Games), receivedthe following message:”Before the start of work on March 1, Steve Jackson Games was visited by agentsof the United States Secret Service. They searched the building thoroughly,tore open several boxes in the warehouse, broke a few locks, and damaged acouple of filing cabinets (which we would gladly have let them examine, hadthey let us into the building), answered the phone discourteously at best, andconfiscated some computer equipment, including the computer that the BBS wasrunning on at the time.”So far we have not received a clear explanation of what the Secret Service waslooking for, what they expected to find, or much of anything else. We arefairly certain that Steve Jackson Games is not the target of whateverinvestigation is being conducted; in any case, we have done nothing illegaland have nothing whatsoever to hide. However, the equipment that was seized isapparently considered to be evidence in whatever they’re investigating, so wearen’t likely to get it back any time soon. It could be a month, it could benever.”To minimize the possibility that this system will be confiscated as well, wehave set it up to display this bulletin, and that’s all. There is no messagebase at present. We apologize for the inconvenience, and we wish we dared domore than this.”Apparently, one of the system operators of The Phoenix Project was alsoaffiliated with Steve Jackson Games. And that was all the authorities needed.
Raids continued throughout the country with reports of more than a dozenbulletin boards being shut down. In Atlanta, the papers reported that threelocal LOD hackers faced 40 years in prison and a $2 million fine.Another statement from a Legion of Doom member (The Mentor, also a systemoperator of The Phoenix Project) attempted to explain the situation:”LOD was formed to bring together the best minds from the computer underground- not to do any damage or for personal profit, but to share experiences anddiscuss computing. The group has always maintained the highest ethicalstandards…. On many occasions, we have acted to prevent abuse of systems….I have known the people involved in this 911 case for many years, and therewas absolutely no intent to interfere with or molest the 911 system in anymanner. While we have occasionally entered a computer that we weren’t supposedto be in, it is grounds for expulsion from the group and social ostracism todo any damage to a system or to attempt to commit fraud for personal profit.”The biggest crime that has been committed is that of curiosity…. We havebeen instrumental in closing many security holes in the past, and had hoped tocontinue to do so in the future. The list of computer security people whocount us as allies is long, but must remain anonymous. If any of them chooseto identify themselves, we would appreciate the support.”And The Plot ThickensMeanwhile, in Lockport, Illinois, a strange tale was unfolding. The public UNIXsystem known as Jolnet that had been used to transmit the 911 files had alsobeen seized. What’s particularly odd here is that, according to the electronicnewsletter Telecom Digest, the system operator, Rich Andrews, had beencooperating with federal authorities for over a year.
Andrews found the fileson his system nearly two years ago, forwarded them to AT&T, and wassubsequently contacted by the authorities. He cooperated fully. Why, then, washis system seized as well? Andrews claimed it was all part of theinvestigation, but added, “One way to get hackers| is by shutting down thesites they use to distribute stuff.”The Jolnet raid caused outrage in the bulletin board world, particularly amongadministrators and users of public UNIX systems.Cliff Figallo, system administrator for The Well, a public UNIX system inCalifornia, voiced his concern. “The assumption that federal agents can seizea system owner’s equipment as evidence in spite of the owner’s lack of proveninvolvement in the alleged illegal activities (and regardless of thepossibility that the system is part of the owner’s livelihood) is scary to meand should be to anyone responsible for running a system such as this.”Here is a sampling of some of the comments seen around the country after theJolnet seizure:”As administrator for Zygot, should I start reading my users’ mail to makesure they aren’t saying anything naughty? Should I snoop through all the filesto make sure everyone is being good? This whole affair is rather chilling.””From what I have noted with respect to Jolnet, there was a serious crimecommitted there — by the federal authorities|.
If they busted a system withemail on it, the Electronic Communication Privacy Act comes into play.Everyone who had email dated less than 180 days old on the system is entitledto sue each of the people involved in the seizure for at least $1,000 pluslegal fees and court costs. Unless, of course, the authorities| did it by thebook, and got warrants to interfere with the email of all who had accounts onthe systems. If they did, there are strict limits on how long they have toinform the users.””Intimidation, threats, disruption of work and school, ‘hit lists’, andserious legal charges are all part of the tactics being used in this’witch-hunt’. That ought to indicate that perhaps the use of pseudonyms wasn’tsuch a bad idea after all.””There are civil rights and civil liberties issues here that have yet to beaddressed. And they probably won’t even be raised so long as everyone acts onthe assumption that all hackers are criminals and vandals and need to besquashed, at whatever cost….””I am disturbed, on principle, at the conduct of at least some of the federalinvestigations now going on.
I know several people who’ve taken their systemsout of public access just because they can’t risk the seizure of theirequipment (as evidence or for any other reason). If you’re a Usenet site, youmay receive megabytes of new data every day, but you have no common carrierprotection in the event that someone puts illegal information onto the Net andthence into your system.”Increased RestrictionsBut despite the outpourings of concern for what had happened, many systemadministrators and bulletin board operators felt compelled to tighten thecontrol of their systems and to make free speech a little more difficult, fortheir own protection.Bill Kuykendall, system administrator for The Point, a public UNIX system inChicago, made the following announcement to the users of his system:”Today, there is no law or precedent which affords me… the same legal rightsthat other common carriers have against prosecution should some other party(you) use my property (The Point) for illegal activities. That worries me….
“I fully intend to explore the legal questions raised here. In my opinion, therights to free assembly and free speech would be threatened if the owners ofpublic meeting places were charged with the responsibility of policing allconversations held in the hallways and lavatories of their facilities forreferences to illegal activities.”Under such laws, all privately owned meeting places would be forced out ofexistence, and the right to meet and speak freely would vanish with them. Thecommon sense of this reasoning has not yet been applied to electronic meetingplaces by the legislature. This issue must be forced, or electronic bulletinboards will cease to exist.”In the meantime, I intend to continue to operate The Point with as little riskto myself as possible. Therefore, I am implementing a few new policies:”No user will be allowed to post any message, public or private, until his nameand address has been adequately verified. Most users in the metropolitanChicago area have already been validated through the telephone numberdirectory service provided by Illinois Bell. Those of you who receivedvalidation notices stating that your information had not been checked due to alack of time on my part will now have to wait until I get time before beingallowed to post.”Out of state addresses cannot be validated in the manner above…. The shortterm solution for users outside the Chicago area is to find a system closer tohome than The Point.”Some of the planned enhancements to The Point are simply not going to happenuntil the legal issues are resolved. There will be no shell access and no fileupload/download facility for now.”My apologies to all who feel inconvenienced by these policies, but under thecircumstances, I think your complaints would be most effective if made to yourstate and federal legislators. Please do so!”These restrictions were echoed on other large systems, while a number ofsmaller hacker bulletin boards disappeared altogether.
We’ve been told by somein the hacker world that this is only a phase, that the hacker boards will bewords and identities “registered”. But there’s also a nagging suspicion, thefeeling that something is very different now. A publication has been shutdown. Hundreds, if not thousands, of names have been seized from mailing listsand will, no doubt, be investigated. The facts in the 911 story have beentwisted and misrepresented beyond recognition, thanks to ignorance andsensationalism. People and organizations that have had contact with any of thesuspects are open to investigation themselves. And, around the country,computer operators and users are becoming more paranoid and less willing toallow free speech. In the face of all of this, the belief that democracy willtriumph in the end seems hopelessly naive. Yet, it’s something we dare notstop believing in. Mere faith in the system, however, is not enough.We hope that someday we’ll be able to laugh at the absurdities of today. But,for now, let’s concentrate on the facts and make sure they stay in theforefront.==> Were there break-ins involving the E911 system? If so, the entire storymust be revealed. How did the hackers get in? What did they have access to?What could they have done? What did they actually do? Any security holes thatwere revealed should already have been closed. If there are more, why do theystill exist? Could the original holes have been closed earlier and, if so, whyweren’t they? Any hacker who caused damage to the system should be heldaccountable. Period. Almost every hacker around seems to agree with this. Sowhat is the problem? The glaring fact that there doesn’t appear to have beenany actual damage. Just the usual assortment of gaping security holes thatnever seem to get fixed. Shoddiness in design is something that shouldn’t beoverlooked in a system as important as E911. Yet that aspect of the case isbeing side-stepped. Putting the blame on the hackers for finding the flaws isanother way of saying the flaws should remain undetected.==> Under no circumstance should the Phrack newsletter or any of its editors beheld as criminals for printing material leaked to them. Every publication ofany value has had documents given to them that were not originally intendedfor public consumption.
That’s how news stories are made. Shutting down Phracksends a very ominous message to publishers and editors across the nation.==> Finally, the privacy of computer users must be respected by the government.It’s ironic that hackers are portrayed as the ones who break into systems,read private mail, and screw up innocent people. Yet it’s the federalauthorities who seem to have carte blanche in that department. Just what didthe Secret Service do on these computer systems? What did they gain access to?Whose mail did they read? And what allowed them to do this?Take ExceptionIt’s very easy to throw up your hands and say it’s all too much. But the factsindicate to us that we’ve come face to face with a very critical moment inhistory. What comes out of this could be a trend-setting precedent, not onlyfor computer users, but for the free press and every citizen of the UnitedStates. Complacency at this stage will be most detrimental.We also realize that one of the quickest ways of losing credibility is to beshrill and conspiracy-minded. We hope we’re not coming across in this waybecause we truly believe there is a significant threat here. If Phrack issuccessfully shut down and its editors sent to prison for writing an article,2600 could easily be next. And so could scores of other publications whoseexistence ruffles some feathers. We cannot allow this to happen.In the past, we’ve called for people to spread the word on various issues. Moretimes than not, the results have been felt. Never has it been more importantthan now. To be silent at this stage is to accept a very grim and dark future.
ARTICLE TWO: A REVIEW OF THE E911 DOCUMENT ITSELF
Documentation on the E911 SystemMarch 1988 $79,449, 6 pagesBell South Standard Practice660-225-104SVReview by Emmanuel GoldsteinIt otherwise would have been a quickly forgotten text published in a hackernewsletter. But due to all of the commotion, the Bell South E911 document isnow very much in the public eye. Copies are extremely easy to come by, despiteBell South’s assertion that the whole thing is worth $79,449.While we can’t publish the actual document, we can report on its contents sinceit’s become a news story in itself. But don’t get excited. There really isn’tall that much here.Certain acronyms are introduced, among them Public Safety Answering Point(PSAP), also known as Emergency Service Bureau (ESB).
This is what you get (intelco lingo) when you dial 911. The importance of close coordination betweenthese agencies is stressed. Selective routing allows the 911 call to be routedto the proper PSAP. The 1A ESS is used as the tandem office for this routing.Certain services made available with E911 include Forced Disconnect,Alternative Routing, Selective Routing, Selective Transfer, Default Routing,Night Service, Automatic Number Identification, and Automatic LocationIdentification.We learn of the existence of the E911 Implementation Team, the brave men andwomen from Network Marketing who help with configuration in the difficultcutover period. This team is in charge of forming an ongoing maintenanceWe learn that the Switching Control Center (SCC) “is responsible for E911/1AESStranslations in tandem central offices”. We’re not exactly shocked by thisrevelation.We also find out what is considered a “priority one” trouble report. Any linkdown to the PSAP fits this definition. We also learn that when ANI fails, thescreens will display all zeroes.We could go on but we really don’t want to bore you.
None of this informationwould allow a hacker to gain access to such a system. All it affords is achance to understand the administrative functions a little better. We’d like toassume that any outside interference to a 911 system is impossible. Does BellSouth know otherwise? In light of their touchiness on the matter, we have towonder.We’d be most interested in hearing from people with more technical knowledge onthe subject. What does this whole escapade tell us? Please write or call so thefacts can be brought forward.
2600 MAGAZINE WANTS TO HEAR YOUR THOUGHTS AS WELL AS ANY ADDITIONAL FACTS YOUMAY BE ABLE TO SHARE WITH US. POST PUBLIC COMMENTS HERE. YOU CAN SEND PRIVATEMAIL TO 2600-well.sf.ca.us OR 2600 EDITORIAL DEPARTMENT, P.O. BOX 99, MIDDLEISLAND, NY 11953. IF YOU WANT TO CALL US, OUR PHONE NUMBERS ARE:(516) 751-2600 (VOICE/MACHINE) OR (516) 751-2608 (FAX).
9: Text Philez P-Z