Advent of Computing - Episode 81 - A Ballad in 2600 Hertz
Episode Date: May 1, 2022There's power in music, but not all tones are created equal. During the reign of Bell Telephone there was one tone in particular that opened up a world of possibilities: 2600 Hz. The devotees of this... note were called phreakers, and in some cases they knew the telephone system better than Bell employees themselves. This episode were diving in to the early history of phreaking, how a bag of tricks was developed, and why exploring the phone grid was so much fun.  Selected sources:  http://explodingthephone.com/ - Phil Lapsley's book and website of the same name  https://archive.org/details/belltelephonemag09amerrich/page/205/mode/2up - All about the Holmes Burglar Alarm system  http://explodingthephone.com/docs/dbx0947.pdf - FBI's records on Barclay and the Blue Box
Transcript
Discussion (0)
About 1am, October 31st, came Ingressia's Waterloo.
He attempted to place a call for a student to Long Island.
I whistled wrong, though, and got Montreal instead, Ingressia said.
Then I pretended to be an operator and asked for assistance dialing the correct number from the Montreal operator.
The operator was suspicious and monitored the call.
Naturally, the student I placed the call for talked extensively about the whiz kid who had made his free call.
The Montreal operator broke in and demanded to know who was speaking and from where.
University of South Florida, Oracle, 1968.
Can a single tone be transgressive?
Can you commit a crime by using only a single frequency? Well, according to Bell
Telephone, yes. Yes, you can. In 1968, Joe Ingracia was a seemingly ordinary student at the University
of South Florida. But looks, those can be misleading. You see, Joe had a special power. He could break telephone switchboards by whistling.
Through years of study, practice, and exploration, Ingracia had honed this raw power. All he had to
do was pick up a phone and whistle out an almost magical tune. It worked on almost any phone,
and it could connect him to almost anywhere in the world. But of course,
every hero needs a villain. Bell Telephone was afraid of Ingresia's power. They would try to
stop him in 68, but to no avail. The University of South Florida tried to kick Ingresia out over
the debacle, but the charges didn't stick. Joe was fined a mere $25 and went right back to
whistling. Free calls were just a side benefit for him, and Grisio was more interested in exploring
the vast network Bell had constructed. During those explorations, his world expanded, and he
started to meet more people just like himself. It sounds almost like folklore, almost like some electronic myth.
However, this is the best kind of urban legend, because every word of it is true.
Welcome back to Advent of Computing.
I'm your host, Sean Haas, and this is episode 81, A Ballad in 2600 Hertz.
Today, we aren't going to be talking about computers, at least not really.
We'll be in one of those fun computer adjacent zones.
In this episode, we'll be discussing the old telephone network, how it worked, and how it was exploited for fun and profit.
This episode is all about phreaking. That's spelled with a PH.
Now, phreaking is a portmanteau of phone and freak.
Although, for me, it usually gets kind of mixed up in my head as phone and hacking.
In short, phreaking is the practice of hacking and exploiting telephone
systems. Today that might sound a little strange. Modern phone systems are inextricably tied to the
internet and computers in general. You can't really place a phone call without a computer
getting involved, even on a landline. Most calls will end up going through the internet at some point, usually via something like
a VoIP protocol. But think about this in the not-so-old context. In the 21st century, we're
familiar with one worldwide network, the internet. But that network is a newcomer compared to older
systems. Before the internet, even before the ARPANET, there was the worldwide
phone grid. This grid did, in fact, function as a network. If you made a call from California to
a friend in Spain, you didn't have a direct wire running across the world. Your signal was routed
through a series of nodes. Shorter lines were temporarily connected to send a signal thousands
of miles away. It's not digital, but the phone system was itself a network. So now imagine you're
a modern computer nerd shot back into the 1960s. Only a very specially chosen few had access to computers. Home computing was a decade or more away.
Networking was… well, it kinda existed, but once again, it was only for the special
chosen few.
So what can you do to occupy your time?
The Bell Telephone System, sometimes affectionately called Mother Bell or Ma Bell, offered up one option.
It offered a worldwide network of nearly impenetrable complexity. It had its own interface
and messaging protocols, and perhaps most importantly, it had persistent issues with
security. It made a juicy target for tech heads the world over. Freaking, for me, has always occupied an interesting historical space.
Like I mentioned, it's not entirely related to computing.
It's on this periphery.
The phone network has similarities to later systems.
It's every part as complicated and rich as the digital networks that develop in the
70s and beyond.
Many of the freakers of yore would later transmute into more traditional hackers,
and conversely, many hackers took up freaking themselves.
The common, almost folkloric example are the two Steves.
Prior to founding Apple, Steve Wozniak was, in fact, a freaker.
He designed and built devices for breaking into the phone network.
He and Jobs would build and sell devices for breaking into the phone network. He and Jobs
would build and sell these boxes in their college dorms. According to some sources,
the spoils of these phone exploits helped to fund development of the Apple One.
There's also this unique mystique around freaking. You see, freaking wasn't exactly legal.
Exploiting Ma Bell, traversing hidden parts of the network, and making free long-distance calls were all technically crimes.
There are plenty of examples of freakers getting arrested, and some even serving time.
This is all rounded out by the fact that freaking, at least in large part, is no longer possible.
Phone systems have changed so much that the tricks freaks invented are, at least broadly large part, is no longer possible. Phone systems have changed so much that the
tricks freaks invented are, at least broadly speaking, useless. To me, reading about the
exploits of freaks feels like delving into arcane and secret knowledge. The tools and methods used
against Ma Bell aren't dangerous anymore, but it still feels like I'm being let in on something I shouldn't know.
It's like reading pamphlets from some long-defunct cult. With that all said, I should drop in a
disclaimer just for safety. Advent of Computing is purely an educational podcast. This episode,
we're going to be getting into the nitty-gritty of how freaking worked and how their arcane methods were developed.
Most of what we discuss no longer works on telephone systems. But still, don't go trying it.
At some points in this episode, I'm going to be playing notes, tones, and audio patterns that may interfere with the normal operation of an analog phone. Do not hold a phone receiver up to this
podcast. Everything you're about to hear is for fun,
so let's just have some fun. Names may have been changed to protect the guilty and, you know,
all that jazz. There's a traditional layout for hacking. First, you have to pick a target. Once
done, you need to collect information and profile that target. The goal here is to figure out how
the target functions and identify any possible
weak spots. Next, you have to plan and execute your exploit. Take the weak spots you found and
figure out how to use them against your target. Finally, you, well, you gotta do something with
that information. The last step really depends on what your goals are. A malicious hacker
may close by crippling the system and stealing documents, then covering their tracks. A hobbyist
might finish up by going, neato, and then recounting their exploits over a pint of beer.
This is the general approach that we're going to be using as we chronicle the history of freaking.
Target, profile, exploit.
After all, phreaking is another branch of hacking.
So let's start with the target, the Bell Telephone system.
Bell Telephone was founded by Gardner Hubbard in 1877.
The actual inventor of the telephone is contested, so we don't get nice exact calculations. But however
you cut it, Bell Telephone hit the scene very shortly after the telephone. Bell would be on
the forefront of development when it came to, you know, trying to make phones actually useful.
Early phones were primitive, and so too was their corresponding infrastructure.
Initially, a line would simply run between two points. If you wanted a way to contact your local pizza parlor, then you'd need to have a physical wire installed.
That wire would link you and your beloved pizza joint.
Calls could then be placed. Simple, direct, but not all that useful.
The next step was to build a system that could accommodate multiple callers over shared infrastructure.
In this new design, you could call up the same pizza place to order a pie,
and you could call up your friends to invite them over for dinner.
In theory, that sounds like a simple upgrade.
But this is a deceptively complicated problem to solve.
You can't just run a wire between every customer.
That's simply not sustainable.
The first attempt at a solution was a device called the telephone switchboard.
The solution had already been developed by the time Bell was founded,
but it had yet to be brought into widespread practice.
The first switchboard was used by the Holmes Burglar Alarm Company in 1877.
Early 1877.
By that time, the company, which started a few years prior by one E.T. Holmes in Boston,
already had a small network connecting up parts of the city.
The network was, all things considered, pretty simple.
A 1922 article in Bell Technical Journal outlines the system in full.
Businesses would subscribe to Holmes' alarm system.
Each of these subscribers had some simple sensors and bells installed in their businesses.
Sensors here, perhaps, is a bit of an overstatement.
These were basically wires connected to safes or doors,
so that if something was opened, it would break a circuit.
All those wires were fed back to Holmes' central office.
In this setup, each subscriber had a dedicated circuit routed between their business and this one's central location.
The office monitored each of these circuits.
If the circuit was broken, then an alarm at the office and the subscriber's business would go off.
If the circuit was broken, then an alarm at the office and the subscriber's business would go off.
Someone in the central office would be alerted, and the police and the subscriber would be contacted.
Simple, but relatively effective.
The kicker is that the burglar alarm system was only in operation at night.
During the day, it was normal for a business to, you know, need to open their safe every once in a while,
so it only made sense to check for burglary at night. The side effect was that all these alarm lines were left idle during the day. The Bell article explains the next step like this.
Mr. Holmes was keenly interested in the box telephones which were being constructed and
experimented with at the shop of Charles Williams Jr. at 109 Court Street,
and persuaded Gardner G. Hubbard to let him try them out on his own burglar alarm lines.
Within the next few days, five boxes were delivered to Mr. Holmes.
End quote.
This is where we get into this larger narrative of the early telephone.
Hubbard, the founder of Bell Telephone, was the
father-in-law of Alexander Graham Bell. Graham Bell was one of the claimants to the invention
of the telephone. Williams worked with Graham Bell during the development of his telephone.
All of this was happening right in Boston, so Holmes' interest in telephones didn't come from
nowhere. What Holmes would throw together in this tiny central office
would change the future of all of these parties involved.
The setup was really basic.
One phone was left in the office,
the remaining four were installed at some of the businesses
already connected to Holmes' burglar alarm network.
The core of the setup was a new device called a switchboard. This was,
quite simply, a board full of terminals. Each terminal was connected to a subscriber's circuit.
Using patch cables, homes could temporarily wire separate circuits together, connecting one
subscriber to another. Thus, a call could be patched from one subscriber to any of these other three boxes on the system.
Not really the biggest network, but it's something.
In practice, a call was a fully manual operation.
Recall that each subscriber's circuit is actually just two wires that complete a loop.
If you wanted to make a call, you started by flipping a switch back and forth a few times to disconnect the circuit. The central office was already wired up to ring an alarm bell
if the circuit was broken. Rapidly toggling the circuit open and shut would fire off a few short
rings back at that office. Holmes, sitting near the switchboard, would hear the ring and pick up
his own telephone. The board's phone was already patched into the system so he could
communicate freely with any subscriber that called in. The subscriber would then tell Holmes who they
wanted to contact. If I was making my usual call, I would just say, yo Holmes, pass me through to
the pizza place. Holmes would then operate the switchboard by placing a wire between my circuit's
terminal and the terminal for the pizza joint.
A few more flips of a switch on the board would make the receiver's alarm system ring,
and, like that, we have a connection.
Even at this early point, we should be able to spot an interesting issue here.
The central part of the entire operation is, well, the operator.
entire operation is, well, the operator. In this case, the whole network relies on Holmes answering his phone and patching callers through. There is nothing automated about this setup. It's 100%
dependent on human operators. That means that mistakes can be made. Operators can be tricked.
Downtime can occur due to either personnel or personal issues. What happens if I
need to order pizza but Holmes is fast asleep? The other bug, or perhaps feature, is how this
phone system handles data. We have two distinct types of information going down the line, a signal
for ringing bells and the actual analog voice signal. The ring signal is the more simple of the
two. A full disconnect of the circuit is interpreted as a ring. Then, once both telephones are connected
to the line, analog audio flows down the wire. That's the expected behavior. Fancy signaling,
then audio. But there's no reason that things can't get switched up. No hints yet, but just keep that in
the back of your head. The Holmes-Burglar alarm exchange didn't last for very long. According to
Bell, the system was up for a mere two weeks. It was just an experiment, after all. Once Bell
actually started operating, Holmes' system would serve as an early model for operator-based
switching. As the Bell system grew, it became more complex, more like a recognizable network.
The switchboard was scaled up but retained its initial features.
Most boards in this era were composed of a large board covered in plugs.
That was mounted perpendicular to an operator's desk.
Atop the desk sat a telephone, wired and patched cables,
and maybe a dial. Operators would physically patch through calls by pulling up a cable,
then plugging it into a circuit on the board. The big change came in the layout of the bell
system itself. A single operator can only route so many calls, and a single switchboard can only
be so big. So, this is the point where I need to introduce
you to the local loop and the trunk line. We've already seen a very simple local loop. The Holmes
burglar phone system is basically a local loop. The system only connects local subscribers to a
local switchboard. From there, you can call anyone else on that local loop. However, you can't
call anyone outside your locale. For a small town, this might mean that everyone you know is covered.
But for a larger city, you may only be able to reach some of your nearby friends. Half the area
may be on one loop, and the other one might be isolated to another. Each loop is serviced by a single
central office in this case. Trunks bridge the gap between local loops. A trunk line connects
switchboards to other switchboards. Let's go back to my Friday night plans to explain how this works.
My city is big enough that it has two central offices. One is in the north and one is in the south.
I live on the south side, but my beloved pizzeria is firmly connected to the northern local loop.
I'd pick up my old-timey phone and tell the operator I gotta have my pizza fix.
This southern operator would then call up a north loop operator, connect me through the trunk line, and then the
northern operator would connect my call to its final cheesy destination. Now, I will admit,
it took me a little bit too long to get why these were called trunk lines. These larger lines are
called trunks because, on a graph of the network, they look like the trunks of a tree with the local
loops extending out to form branches.
I think it's an apt metaphor when it comes to small examples.
But it breaks down a little bit when you look at a larger network.
Trunk lines are roughly equivalent to something like the fiber backbones that make the internet
today.
Subscribers never directly interact with trunk lines, but they end up carrying all traffic that goes any substantial distance.
Trunks tend to form a web-like network.
It isn't distributed like ARPA-related networks, but instead, maybe it's closer to decentralized.
There are many central offices spread throughout the network,
each is connected up to some other office or offices via a trunk line. Some small local loops will trunk up to larger offices. To get a call
across the country, you end up going through multiple offices and multiple trunks. And,
to begin with, each of these offices and each switchboard was handled by a real live human.
Of course, this isn't a sustainable solution either.
It didn't take long for automatic switching to hit the scene. Numeric dials were added to
subscribers' phones. Each was issued a phone number and special hardware was installed back
in the central office. The idea was that a signal would be sent down the phone line indicating that
a call was about to be placed.
This was followed by a telephone number to reach. The automatic switchboard would then route the call through. Then, audio transmission could take place between subscribers as per usual.
The initial scheme for this signaling was called pulse dialing. This was used by those old rotary
phones, you know, the ones where you have to spin
a dial to enter a number.
This dialing system was actually pretty ingenious.
The wheel on these phones was spring-loaded.
When dialing, you rotate the wheel to the number you want, then release it.
As the wheel spins back, it opens a contact a number of times equal to the number you're
dialing.
So 4 gives you 4 short pulses.
Those pulses are sent down the line and interpreted as a digit of a phone number.
This pulse code system was first introduced at the end of the 1800s,
but adoption took some time.
Local loops had to switch over to automatic boards,
and rotary phones had to get out into the hands of subscribers.
Because of this, operators remained in many central offices. At least some traffic still
used the older manual system. In the 1960s, Bell made the next jump forward to touch-tone dialing.
The more technical name for this technology is dual-tone multi-frequency signaling, or DTMF. Pulse dialing
did work, but it relied on the subscriber's rotary phone, well, working. The actual rotary mechanism
was physical, meaning it could break down. The spring that returned the wheel could wear out,
which would change the timing of pulses. Each digit also took a different amount of time to
dial. A zero would take a full rotation, while a one was a short click away. These were just
awkward phones. DTMF obviated the issue by replacing pulse-coded signals with audio-based
signaling. For subscribers, this meant fancy new phones were easy to dial. These new touch-tone
phones used keypads. Simply hit the number you wanted on the phone, and you were done. No
rotating involved. The phone would play a fun series of sounds as you dialed, and then you
were connected. The sounds were key here. Each number was encoded as a combination of two tones, something like a chord.
A 1, for instance, was now a 1209Hz tone mixed with a 697Hz tone.
Now, these tone combinations weren't picked at random.
They came out of the restrictions of the phone system itself.
By 1960, Bell's system was already pretty old.
The specifics of the network were well set.
For one, the system was tuned for transmitting audio in the rough range of the human voice.
That came out to around 300 to 3400 hertz.
Now, here are two other numbers to think about.
20 hertz and 20 kilohertz.
That's the rough range of human hearing. The range of frequency supported by the telephone system is a subset of our audible range. The implication here is that
any signals carried over Bell's system had to be in the audible range. More specifically,
in that slim subset between 300 and 3400 hertz. One slick trick would be to use
inaudible tones to send data down the line, use frequencies that we just can't hear. But that just
wouldn't work with Bell's existing infrastructure. So DTMF was stuck using audible tones. There were
some benefits to this system. It's actually easy to filter out specific tones
from an audio signal. You can build up a bandpass filter using only resistors, capacitors, and
inductors. Those are all very cheap and very passive components. So that's a big help when
it comes to actually implementing something to listen for these tones. A downside was what Bell called talk-off. In theory, Bell's
system could misinterpret normal audio as DTMF signals. Talk-off is just what they call when
that occurs, when a voice or music or some other audio just happens to line up with a DTMF tone
pair. As a 1960 article written by Bell explains, precautions had to be taken.
When only voice frequencies are employed, protection against talk-off must rely heavily on statistical tools.
This protection is required only during interdigital intervals.
Speech inference with valid signals is conveniently avoided by transmitter disablement. End quote.
The simple part of the solution was disabling the phone's microphone during dialing.
This basically meant that between when you pick up the the phone's microphone during dialing. This basically meant
that between when you pick up the phone and when you complete dialing, the only audio you could
transmit was DTMF. As long as the telephone is well-behaved, talk-off shouldn't be possible.
To better gird the system, the tones used for signaling were carefully selected.
for signaling were carefully selected. Take the frequency for dialing a 1, 1209 and 697.
That doesn't make a very nice chord. These are also very specific and not too usual tones. They don't fall on a scale very well, for instance. So the combination of these tones, at least in theory,
shouldn't often be produced by accident. All DTMF signals
were chosen in this manner. The same 1960 article explains it in terms of statistical analysis.
Basically, Bell was looking for tones that, combined, were not common. Thus, talk-off could
be further limited. One final thing to point out, a closing part of our target to identify,
is the fact that the telephone system is fully legacy compatible. You could call it the original
legacy system if you want. Even when touchtone dialing hit the scene, not all subscribers had
the fancy new devices. Bell's system continued to support pulse code dialing. Add to this the fact that not all routing on the phone network was as simple as plugging in a phone number.
Some calls, or more complex operations, required a little finesse.
So even with fancy automated switchboards, human operators were still very much in play.
The result here is that basically any phone could work with Mob Bell.
You could ring an operator, dial in pulses or even in tones.
That opens up a lot of opportunity for fun.
That's the target out of the way, and a good amount of detail profiling them.
So how did freakers find nice soft spots to exploit?
The fact is, we don't know the first person to break Ma Bell's system for fun and or profit.
There's a good chance that folk had been conducting low-level fraud against Bell for decades.
I found a few mentions in old Bell Labs magazines to some research working on anti-fraud measures
for payphones as early as 1936.
For anti-fraud measures to matter, there must have been some
fraud going on. In this case, toll fraud, aka using the phone, gasp, without paying.
All jokes aside, this introduces our first big roadblock in chronicling freaking.
roadblock in chronicling freaking. Ma Bell never had an incentive to publish information on when, where, and how their system was being messed with. Announcing that someone was doing nasty
things with their network, circumventing toll fees, or tricking operators, well,
that just wouldn't look good. Those kinds of matters had to either be handled quietly or by law enforcement.
So while Bell had excellent records and sources around how their system worked and how it
was developed, we get nothing from them about how their system was broken into.
This is the kind of situation where we get to pick and choose who to follow, or at least
choose which stories we care about.
There are honestly a lot
of options, and I have a personal favorite. To me, the quintessential freaker was Joe Ingrazia,
aka Whistler, aka Joy Bubbles. As far as I'm concerned, you have to be pretty cool to get
multiple aliases, and I think Ingrazia lives up to the hype. The main source I'm using for this section is the book Exploding the Phone by Phil Lapsi.
It's a fantastic text, and Lapsi goes the extra mile by uploading his sources to his own website.
So first of all, kudos for the transparency, and it also gives us a whole lot of information to work off.
We have a nice collection of primary sources
to go along with Lapsy's work. Lapsy also interviewed Ingracia specifically for exploding
the phone. Ingracia didn't have an idyllic childhood. The family moved around a bit,
which made it harder for Joe to make friends. Accounts point out that his parents had a
troubled and tumultuous marriage. Joe and his sister, Toni, both recall their folks often fighting. One exacerbating circumstance was that both
children were born completely blind. That just can't make things any easier.
Joe would find an interesting escape from the troubles of his daily life, the telephone.
From an early age, Ma Bell became Ingrazia's constant companion. It was available
everywhere, it didn't require vision to operate, and was hiding uncountable secrets. In Ingrazia's
words, as recorded in Exploding the Phone, quote, It was like a friend and companion to me. Most people take the little old phone for granted, but to me, it was like magic.
I couldn't even describe how important it was sometimes.
End quote.
I think this is a familiar sentiment for a lot of us, at least to some degree.
For my part, I could probably say the same thing about the old junky computers that I
cut my teeth on.
During my younger years, I'd definitely call
my second-hand PC clone a friend and a companion. This near-obsession is something that a lot of
tech heads experience. This is part of the hacker ethic that I like to champion around here.
But the key difference is that Ingracia wasn't friends with a computer. It was the venerable mob Bell that captured his interest.
The early period of Ingracia's life also gives us a fun detail about how Bell operated in general.
They just didn't have very tight security.
One of the tropes that shows up in many freaking stories is that the telephone company can be a danger for freakers,
but is often more bumbling than
actually effective. The young Ingrazia, probably around 5 or 6, was already building up a reference
library on Bell telephone systems. He makes it sound like it was actually just a matter of asking
phone repair people for books. Why turn down a blind kid asking for reference manuals about
automatic switches? Ingrazia's mother would for reference manuals about automatic switches?
Ingrazia's mother would read these manuals to him, and when he had questions,
Joe would actually sometimes just call up an operator and ask.
He even got a tour of a central office this way.
Bell wasn't really hiding anything, especially from a blind boy who was a fan of the company.
Was this a serious attack vector that more employees should have been looking out for? Well, no, I mean, probably not. I don't think eager children are the backbone of
corporate espionage. If they are, then maybe the world's a little worse than I thought it was.
Plus, the Bell of this era, sometime in the mid-50s, was a de facto monopoly. The feds wouldn't really drop the
hammer on Bell until 1983, so up until then, there was no other show in town. Bell was the
telephone system. No one could compete, so what was the harm if most of its operating details were
a little bit public? Spending this much energy thinking about Ma Bell and really this much time
on the network, it's natural that Ingrazio would start to pick up some tricks. The first big one,
call it Joe's first big break, was hook switch dialing. This is a slick little trick that
exploits certain legacy issues inherent to Bell's system. When Ingrazacio was 7 or 8, he figured out that pulse code dialing was,
well, it wasn't a very fancy system. As we've discussed, numbers were just encoded as on-off
pulses sent down the line. Also recall that there's only one line that handles signaling and audio.
So here's a fun question. How does Ma Bell determine that you've hung up
the phone? Or to put it in proper terms, how does the system detect that the phone is on hook?
Simple. The hook, the part that the handset rests on, has a little button. The weight of the handset
holds down that button as long as it's on hook. That button will break the line's circuit.
It essentially disconnects the phone line. Picking up the handset, pulling it off hook,
releases that button and closes the circuit. Note the similarity here. Pulse dialing is
accomplished by opening and closing the circuit a certain number of times to denote numbers.
That's handled by a fancy rotary dial. However, the hook also operates
by opening and closing the circuit. Ingracia, the phone fiend that he was, figured that it
should be possible to dial in pulse code just by pressing the hook in the right pattern.
So he gave it a try, mimicking the timing of his rotary phone's pulses. And, perhaps to his shock, it worked.
Ingracia no longer needed dials or buttons to place calls, just the single on-hook switch.
This seems like a tiny detail, maybe a fun trick, but here's the thing.
Hook switch dialing helped Freakers do things that Ma Bell's switchboards did not expect. One scheme used in
some payphones was to disable the keypad until, you know, you paid. Hook switch dialing circumvented
that. The phone's hook always had to be operational. But hey, that's a pretty boring edge case.
This weird trick matters more once we introduce our real main character, the 2600Hz tone.
Now, 2600 is a pretty shrill tone.
It's roughly the tone of the 7th octave E, or E7, or E above middle C, if you like.
While not fully outside the human vocal range, it's on the upper end, and it's kind of uncomfortable to the
ear. I'm going to spare you the headache of hearing the pure tone itself, but just to get us in the
ballpark, I can whistle an E6, which sounds like this. 2600 is an octave above that, give or take
a few hertz. But hey, what are a few cycles between friends?
Now, we can make some fun observations about this tone. 2600 is on the upper end of the frequency
band supported by mob bell. It's not strictly outside the range of human speech, but it's on
the extreme upper side of that. In practice, we don't really screech that shrilly at each other. I mean,
we could, but that wouldn't be intelligible. Sometimes a transient 2600Hz may occur in
normal speech, but it's masked by other tones. So in practice, there's very little chance of
talk-off. This also means that the tone sticks out like a sore thumb. It's unlikely to blend in with
background noise, at least if it's being generated as a pure tone. We also know that bell telephone
had a tendency to be a little bumbling, or maybe we should call it lazy. You see,
dual-tone dialing was really a system designed for the filthy masses.
A dumbed-down and safe signaling mechanism built to keep us sedated and weak.
Deep inside the switchboard, Mother Bell was hiding something from us.
They were hoarding power for themselves.
Bell used the more simple, more elegant, single-tone dialing for internal signals only. And the prime tone in
this Pantheon, the one wave to ring them all as it were, was 2600Hz. Now, all jokes aside,
the 2600Hz tone was kind of the secret sauce that Bell used to hold the phone system together.
Internally, a 2600Hz tone was used to mark a trunk line as idle.
When you placed a call, the automatic switchboard would figure out how to route you over unused
lines. To do so, it swept through lines looking for a 2600 tone. Another way to look at it is
that this new tone took the place of the old on-hook switch when it came to trunk lines,
aka the 2600 was the long-distance equivalent of the hook switch. Ingracia is often attested
as the first person to discover the power of 2600, but this gets a little weird. It should
go without saying that the Bell telephone system is a human-made construct.
The nerds inside Bell already knew all about their long-distance switching signals, since,
well, they designed, built, and operated them.
It's also hard for me to believe that the single-frequency signaling method was really a guarded secret.
Bell published a lot of material on how their system worked. Most of these documents were internal, but Ma Bell tended to leak like a sieve in this era. Not to mention the possibility
of ex-employees walking around with all that info tucked away for a rainy day. These signals
seem to have been more obscure than actually secret. All this is to say that Ingracia was one of the early outsiders who figured out the obscure
trick. Anyway, Ingracia came across the 2600 tone in a unique way. As he relates the story himself,
quote, I was seven or eight years old and I was sitting on a long distance line and I heard the
background hum of the tone that controls it. I started whistling
along with it, and all of a sudden, the circuit cut off. I did it again, and it cut off again."
Sound was Joe's entire world, so maybe it's unsurprising that he had a good ear for tones.
Observers always comment on the fact that his hearing, as well as his ability to reproduce specific notes, was almost uncanny.
A later interview with Ingracia on Off the Hook was simply titled,
He Had an Ear for It, just to give you an idea of how central this part of the story is.
Ingracia's difference was very much his strength.
Over the next few years, Ingracia started to realize how important the 2600 tone was.
So, this is probably a good time to explain the exploit in full.
We already know that sending the secret note down the line
tells a trunk that you've disconnected.
However, that's just on the trunk's side of things.
The local loop doesn't respond to a single-tone signal in the same way.
It only counts you as disconnected when the phone is actually on the hook.
So, once you send out a 2600Hz signal, the trunk line disconnects the remote end of the call,
the number you initially dialed.
The local loop sees you as still on the phone, so on that side,
it stays connected to the trunk. This leaves you in an invalid state. You're still on a call,
but it's only connected to a trunk line. In other words, you as the subscriber are now in a
position only intended for an operator. There are some fun uses for this trick.
First, you can get free long-distance calls. This is where I need to remind my listeners and
any feds or telephone security agents that this podcast is purely educational. Using fancy beeps
and boops to get free calls is called toll fraud, and it's a crime. So how do you commit
this crime? Well, it's easy. Ingresia would pick up the phone and dial a 1-800 number or some other
free long-distance number. Those are free to dial, and they route over a trunk line. That's the key.
Then comes the secret cord. A quick whistle at 2600 Hz drops the connection.
The final piece of the exploit is dialing your new number. To do this, Ingrazia employed a
variation of his hook switch dialing trick, but modified for the trunk world. Remember,
the 2600 tone is basically the hook switch of long distance. Ingrazia just had to quickly whistle
out a series of pulses corresponding to the number he wanted to dial. Doot for one, doot doot for two,
and so on. To the trunk, it looked like an operator was dialing a new number. That's normal,
there's nothing suspicious at all going on. Now, keen listeners among you may have noticed
this is kind of a Joe Ingrazia exclusive power. Not to brag, but I also have pretty good tone.
I've played music for a very long time, and I'd say I have something of an ear for it. But for
the life of me, I cannot whistle a 2600 hertz tone. I keep trying, and I'm sure it's starting to drive
my friends a little nuts at this point. The exploit was initially so Ingrazia-specific
that he even picked up a new nickname due to it. Whistler. Maybe not the most creative or
subtle name, but I do enjoy it. The nickname started due to an incident in 1968
while Ingrazia was enrolled at the University of South Florida.
He had bragged to some friends that he could make free long-distance calls
simply by whistling.
They didn't believe him, so he proved them wrong.
The problem, of course, is that loose lips have a habit of sinking ships.
Students started coming to
Ingrazia to get free calls, and eventually an operator overheard one student talking about
the miraculous whistler. That led to Ingrazia's first run with the law, which is where we started
the episode. This all went down in 1968. Ingrazia was almost kicked out of college, but emerged
unscathed after an appeal. However,
this is where some more of those fun caveats come into play. The University Whistler scandal
drummed up a surprising amount of press. The college's own newspaper, of course,
covered the case, so too did larger national outlets. This prompted some interesting people to get in touch with Ingrazia.
You see, Whistler wasn't the only freaker around. He wasn't the first person to exploit the Bell
system, and he wouldn't be the last. He would just be one of the few that could break into Ma Bell
unaided. So let's zoom out a little from Ingrazia. As we've discussed, the draw to exploit the telephone network was powerful.
Free calls were just the tip of the iceberg.
In the 60s and 70s, the network was really massive and complex, just like the modern internet.
The audio system was also, for the most part, poorly documented.
You could pick up a telephone book, sure, but most subscribers didn't have access to a database of some interesting numbers.
The ability to dial anywhere toll-free would open up the gates for more exploration.
One of the interesting phenomena was a type of technological squatting.
For this to make sense, it's important to remember that people have always been the same.
We're lazy and we don't like to clean things up.
Those truths are self-evident today just as much as they were decades or centuries ago.
In the 21st century, many businesses will leave their routers set to use default passwords,
or old routers will be left kicking around for no actual reason.
The same was true in the 20th century when it came
to voicemail. This is a bit of a simple job. Freakers would use free calls to surf the phone
network, just how we surf the internet, but with extra steps. Dial a total free number, beep a
little bit, then dial a number of interest. Most numbers were nothing, but some were useful. The specific
target for this exploit was to find a voicemail box that wasn't well secured. Voicemail systems
back in the day could be accessed remotely from a phone line, so you could listen to and delete
messages. Some freakers would use this as a way to pass around messages, like a proto-bulletin board system. Bridges,
party lines, and loop-arounds all fall into a similar realm as voicemail trickery. These were
lines that could connect multiple subscribers. Sometimes Bell would have these set up for
legitimate uses. Sometimes they were meant as test systems. There were multiple ways for freaks to form ad hoc audio conferences.
But loop lines are probably the best example. These loop arounds were used by telephone
technicians for testing equipment and parts of the overall network. Loops came as a pair of numbers.
A technician would make a call to one number, which, if everything was working, would result
in a test tone. If the second number was called, then the tone would turn off.
The actual line was wired up differently than normal phone numbers.
It didn't go through a switchboard like a normal call.
These loops appear to have been hardwired specifically for field testing.
There was no security here because that'd be overkill.
Imagine having to punch in some special code every time you needed to test a phone line.
That sounds like a real pain.
Besides, there's nothing you could really do with these test lines, right?
Well, no.
The trick here is that the two numbers on a loop around operate outside the normal subscriber
board subscriber scheme.
To make things all the better, loop numbers usually followed a pattern. Paired numbers
would end in 074 and 075. Putting patterns like this in numbers is useful for Ma Bell,
but it also made these numbers easily identifiable by freakers.
The final piece is that multiple people can phone
into these loop lines. You aren't calling a real phone, it's just a connection somewhere in a
central office. Those connections can have multiple subscribers call in. My point is that
freaking wasn't just about making free calls, it was about exploring the telephone system and finding unintended uses for Bell's
infrastructure. Free calls and some sick beeps were all part of the overall package. But that
gets us back to an unresolved question. How did freakers who lacked Ingrazia's special skill set
make their beeps happen? There are a number of answers to this question, all steeped in a
certain folkloric quality. If you only know one fuzzily remembered story about freaking,
then chances are it's the tale of Captain Crunch. It's short and it's sweet. In the 70s, a freaker
by the name of John Draper figured out that a toy whistle packaged in Captain Crunch cereal actually produced a sound close to
2600 hertz.
He was able to use that to get free long-distance calls.
He became so associated with this little whistle that he was forever known as Captain Crunch,
or alternatively, Crunch Man.
But here's the thing.
Draper didn't discover the power of this whistle.
He would just adopt
the name of the serial it came from.
The bell-breaking captain got his tricks from a friend, as Draper put it on his old website,
quote,
So let's go back to the year 1972, when I got a phone call from Denny, a blind kid who
turned me on to a toy whistle he got out of a Captain Crunch cereal box. So, who is this Denny character, and what exactly is the deal with this whistle?
Well, this leads us to a weird chain of provenance.
Dennis Terese was a blind freaker from Los Angeles.
Terese was still just a high school student when he met Draper.
Both of the audio nerds were running pirate radio stations,
another interesting underground scene that I should look into some more sometime.
Terese was the one that introduced Draper to the world of freaking, as it were.
This was a common occurrence, as Lapre examines so well in Exploding the Phone.
Freaking was something like an oral tradition.
It was spread person to person, sometimes over phone lines themselves, but often face to face.
Now, Terese had a number of ways to generate 2600 tones.
The whistle was a handy tool, but he also used an organ.
The first time Draper visited the blind freak,
he describes watching Terese dial an 800 number, strike a high E on a nearby keyboard, and then
dial out using actual musical chords. This was possible because the tolerances on Bell's side
were actually a little too forgiving. You could be a good number of hertz away from the target and switchboards
would still understand the signal, so maybe the overall design didn't limit talk-off as well as
Bell thought it would. But of course, the Captain Crunch whistle was the cooler piece of ingenuity.
Teresi wasn't the first person to figure out this trick. Exploding the phone traces this back to one
Sid Bernay. Now, that's a pseudonym, so we don't actually know who this character is.
Back in the 60s, some boxes of Cap'n Crunch cereal came with a tiny toy boatswain's whistle.
What's neat about these whistles is they can play a little chord. This is accomplished by having two
is they can play a little chord. This is accomplished by having two reeds, for lack of a better term. Each one is a little hole with a slant cut that causes fast-moving air to produce a tone.
It just so happens that one of these holes, probably by chance, produces a note near 2600
hertz. Bernays realized that if you cover the other hole, the one responsible for the less cool note,
you could break into Ma Bell's trunks.
You can still get a hold of these little whistles online, they're collectibles at this point,
or you could take the more practical and piratical route.
There are now 3D models for the Boson's whistle.
I guess I'm the kind of person who would download a car after all.
Anyway, blowing a 2600 hertz tone sounds something like this, and this is just your warning that it's a little shrill.
A little ear-splitting, but theoretically very effective. The crunchman method has the advantage of being portable and innocuous.
No one's going to arrest you for having a tiny cereal box toy in your pocket. However,
there is room for improvement. Any whistle-based method, aided or otherwise, requires skill and
practice. You have to be able to blast your whistle at the proper rate for Bell's switchboards to
understand what you want. Luckily, there was a better solution. The gold standard for freaking
was a little device called the blue box. I guess maybe we should really call it the blue standard
in this case. For this, we have a definitive inventor, Ralph Barclay.
In 1960, Barclay, 18 at the time, was a student at Washington State University.
The traditional narrative is that some of the engineering nerds that lived at the dorms with Barclay had illegally wired a phone into their room.
Some hapless campus employee had left an access panel open at just the wrong time.
A few minutes with some wire cutters, probably some laughing, and a phone line was patched in.
It worked, but Barclay saw it as a lot of work to get free calls.
Then, one day, he came across something truly interesting.
Like many undergrads, Barclay spent a lot of time in the library.
I think it just comes with the territory.
Well, his campus happened to have a few issues of the Bell System Technical Journal.
This was a yearly periodical that Bell published themselves.
It wasn't just about the telephone system.
Work from Bell Labs also made it into this publication.
That said, it also had a whole lot of detail on telephones.
Barclay was flipping through the latest edition and stopped on a neat little article titled Signaling Systems for Control of Telephone Switching. In these pages, Barclay learned
about Bell's fancy multi-frequency signaling, trunks and loops, and a better way to get free calls called the 2600
hertz tone. One of the neat aspects of Bell's system that I've been skirting around is how
simple it really is. DTMF is the most complicated part of the signaling system, and that's just two
tones played at once. That's not too bad. And we gotta keep the
time period in mind here. This is 1960. We don't have integrated circuits quite yet. We don't have
anything close to an embedded computer or microcontroller. Consumer telephones had to
implement DTMF, so it had to be doable with simple and cheap components.
We're talking resistors, capacitors, inductors, and maybe a few transistors.
Barclay was handy with a soldering iron, but he didn't have all the parts handy on campus.
Once winter break came around, he went home and started on a mysterious device.
Barclay created a handheld and battery-operated machine
that could chime a 2600 tone
and then perform pulse-based dialing by pulsing that tone.
The first pass was housed in a tiny metal box,
very concealable and very portable.
This Revision 1 was the most simple possible freaking box.
It only had to produce a single tone,
so no need for complex circuitry.
However, there's a catch.
By 1960, some trunk lines had started to drop pulse dialing.
Lapsley makes a big point of this in his text,
but I'm not entirely sure how relevant the switch to DTMF was.
Ingrazia was pulsing tones down trunks into the mid-60s. Well, really into
the late 60s. So maybe it was just a West Coast thing. Maybe the switch was very regional. Either
way, a single tone can only get you so far. So Barclay set about building a version 2. This time,
he just happened to have a little blue box lying around.
The Seattle FBI field office described Barclay's wonderful blue box like this.
Quote,
Tone dialing by pushbutton is accomplished with seven transistor oscillators and duplicates the tone used by toll operators between toll centers using multi-frequency coding.
The dial shown on the device is used for single-frequency coding. The dial shown on the
device is used for single-frequency dialing. End quote. You just gotta love the Freedom of
Information Act. So, was the first blue box just so impressive that the FBI had to check it out?
Were they just excited? Well, maybe that's the wrong way to put it. Barclay would make it less than a year before he got arrested.
As the FBI finally explains, it went something like this.
Barclay got back to campus with his magical free call box.
The great advantage was that anyone with the box could instantly become a certified freak.
Just tap the buttons and you're in.
become a certified freak. Just tap the buttons and you're in. Some of Barclay's friends ended up borrowing the box to place free calls and to surf Bell's system. Most of the calls they made
were exploratory, just trying to suss out what was connected to certain trunks. That's all well
and good, except for the records left behind. The kicker here was that Barclay and his crew
were using the same toll-free number to hop onto the network.
They would call a nearby information line in Yakima, Washington.
That line would normally connect to an operator,
and it was administered by the phone company.
Internal records begin showing strange calls to information
that lasted much longer than a call to an operator should.
The phone company called in the law, and so the FBI got involved.
It wasn't long before Barclay was brought in for questioning.
However, there was a bit of a hang-up.
You see, the FBI was convinced that Barclay was involved in some kind of larger criminal enterprise,
not just a college freshman with a little too much free time.
The interrogation eventually broke down.
Now, I'm going to pull directly from Lapsley for this,
since it's probably my favorite part of the story.
So here's from Exploding the Phone with liberal quotes from Barclay.
We're not going to get any further on this,
Barclay recalls the FBI agent saying.
They turned to the Bell Labs engineer.
Find out where he got the information to make this stuff.
Barclay told them about the Bell System Technical Journal.
I remember one of them looked at the guy from Bell Labs and said,
Could this be possible?
The Bell Labs guy said, yeah, there was an article.
End quote. As always, Bell proves more bumbling than dangerous. The FBI was under the impression
that racketeering was going on. In other words, all these weird calls were being used to facilitate
gambling or some other illegal enterprise. Why? Well,
one of Barclay's friends owned a photography studio that apparently specialized in horses.
Some of the actual real calls his friend made were to discuss, well, horses. This is a simple
wiretap away from a three-letter organization believing that horse
betting was involved in this enterprise. Now, I will admit this sounds a little silly at first,
but there is some context that explains this. Some crime organizations engaged in similar
activity in order to hide the true origin of their calls. This didn't use a blue box, but instead a physical device that freakers called a gold box.
There's this robust tradition of phone freaks calling circuits
by the name of colors and boxes,
and you just gotta roll with it.
A gold box was basically an automatic call forwarder.
You install one of these boxes on a phone line.
Then you could call into that boxes on a phone line. Then you could call into
that number from a second line. Instead of a ring, you were greeted with another dial tone. From there,
you could dial out to your actual destination. To the recipient and to the phone company's records,
this would look like a call from the gold box's number, and thus your true location would remain obscured. Supposedly, this was used by
some organized crime groups. The blue box's first outing looked similar to this pattern.
You first had to dial into a trunk and then break out to another number, so it piqued the FBI's
interest. As we know, Barclay didn't really have mafia ties. He just had a friend who happened to like horses.
The final result of this bust was a $100 fine for toll fraud.
Maybe not the department's finest work.
But this leaves us with another fun bit of Bell's bumblings.
In the same FBI filing, we get this short passage. Quote,
The company locally is countering the device by placing decoders designed and built since the recovery of this device on suspect lines,
since there is information that similar devices are being used by several of Barclay's engineering student associates.
End quote.
So, that's the end of it, right? Barclay creates the first blue box,
uses it to have some fun, then gets arrested. The FBI recovers this strange device and passes
it off to Bell's local office. Someone over at Bell Labs rips the thing apart, sees how it works,
and then designs countermeasures. Thus, the era of freaking ends in, let me check my notes, 1961. Eh, not really.
Countermeasures, if they ever existed, either didn't do much of anything or were extremely
localized. Let's just think about this for a second. How would Bell stop a blue box from
working? The only viable option would be to
install some kinds of circuits on local loops that would filter out the 2600Hz tone. The usual
voice band is defined as topping out at 3400Hz. Note that that is above 2600. Chopping out the 2600Hz would impact subscribers. But it gets worse. Bell's signaling
system had those error bars I keep talking about. So anything close enough to 2600Hz would be
accepted as a signal. To effectively stop freaks, you would have to filter out a band around 2600, so something like 2550 to 2650 let's just say.
Even at 100Hz, that would be a good sized chunk of the audio spectrum. Subscribers probably
couldn't point out exactly what was missing, but I'm sure there would have been complaints
that telephone quality was degraded. The FBI memo is also the first time I've ever seen
mention of this kind of freak-beating
countermeasure. It makes me think that the Bell nerds were just saying that to keep the FBI off
their back. Yeah, sure, thanks for the neat box. We'll definitely take countermeasures. In fact,
you know, we've already set them in place around where Barclay lives. We can just close the matter,
right? No need to be public about this.
The final reason that I doubt Bell ever placed these filters is that the blue box, once it
escapes from Washington State University, becomes legendary. It's a technology that basically
outmods all earlier methods of breaking the bell. Why did Terese get in touch with Draper? Simple.
Terese didn't know enough about electronics to make a blue box, but the future Crunch Man did.
During their first meeting, Terese explained the new wonder device to Draper, after which
Draper would build his own model. The blue box doesn't become an underground hit if Belle is actually able to protect against
it. Conversely, the blue box becomes legendary because Belle just can't stop it.
Alright, that brings us to the end of our telephonic adventure. I hope this serves as
a good primer to get you more interested in the
history of Freaking. There's just a lot more stories in the canon that I can't ever hope to
cover. I'd highly recommend checking out Exploding the Phone by Lapsy for yourself. It's a fantastic
read. Between the book and his website, Lapsy covers about everything you could want to know
about Freaking. To close things out, I want to circle back to the top. Freaking takes up this unique space in the larger history of computing. Despite
its uniqueness, I think its stories are really relatable. Hackers have always existed. Nerds
have always wanted to get into places they aren't technically allowed to enter. That mindset isn't
unique to keyboard jockeys, we just
happen to be one of the most recent expressions of this collective spirit. The mythology around
freaking makes it sound like some bygone era with larger-than-life figures, but best of all,
the reality isn't that far removed from the myth. The basic outline of freaking follows the same pattern that more recent hackers
use, because fundamentally, it's the same thing. Target, profile, exploit. Bell was everywhere.
Those in the know were able to gather information on the system, and there were plenty of design
flaws with the overall network. Just slot in some digital system for Bell and the story could just
as easily be about the internet. I think that's why I find stories about freaking so fun and
comforting. It's easy to see a bit of ourselves reflected in this bygone era. Thanks for listening
to Advent of Computing. I'll be back in two weeks time with another piece of computing's past. And
hey, if you like the show, there are now a few ways you can help it grow. If you know someone else who'd be interested in the history of
computing, then why not take a minute to share the show with them? You can also rate and review on
Apple Podcasts. And if you want to be a super fan, you can support the show directly through
adding of computing merch or signing up as a patron on Patreon. Patrons get early access to
episodes, polls for the direction of the show,
and bonus content. You can find links to everything on my website, adventofcomputing.com.
If you have any comments or suggestions for a future episode, then go ahead and shoot me a
tweet. I always love to hear from listeners. I'm at adventofcomp on Twitter. And as always,
have a great rest of your day, and remember...