Writing

Feed Software, technology, sysadmin war stories, and more.

Sunday, March 10, 2013

Warez couriers and long-distance extenders

Last month, I wrote a post about C-64 intros and jokingly suggested someone should do a Linux distribution that way. In it, I also mentioned "long distance extenders", and I now realize this is probably not a common term. It's something I picked up by orbiting that "warez" community back then, and it deserves some elaboration.

As it was explained to me, an "extender" is really just another name for a calling card. Of course, here in 2013, that probably doesn't help, since who actually uses or has heard of a calling card?

Here's the general idea: you'd talk to your phone company (which probably was the one and only Ma Bell back then), and they'd hook you up with a 'calling card'. This had a number on it which probably resembled your home phone number but might have had a difference or two. Then it typically had another three or four digits at the end for "authentication".

It turned something like "408 555 1212" into "428 555 1212 9324". You'd use this to make calls from wherever you were (say, a pay phone) to anywhere you wanted, and it would be billed to your home phone. That way, you didn't have to try to pump quarters into a cranky pay phone or stick your host with an outrageous phone bill. Keep in mind that long distance charges were non-trivial at the time, and people tended to keep stopwatches by the phone so they wouldn't ramble on.

It should become obvious why these were prized by the people who did all of the long distance dialing to move around new releases of pirated software. All of those calls to Europe weren't exactly cheap, so why not stick someone else with the charge? The problem was one of finding the actual number to use.

You could do it by hand, in theory. First, you'd pick a long distance carrier to target. If you were going to scan for cards issued by MCI (remember them?), the access number was 950-1022 -- that's a Feature Group B number. You'd ring that up and it would answer with some kind of tone, and then you'd key in the number you wanted to call, with a 0 first instead of a 1, like this: 0 415 555 1212. It would make some other tone, and then you'd key in the "428 555 1212 9324" calling card number and wait a moment or two.

If it worked, it would give another noise (I think they were two short blasts of a dial tone), give you a ka-chunk or click, and then the call would go through. You'd get the usual ringing, or busy, or whatever, just like if you had dialed it direct as 1 415 ... and so on.

How do I know this, you ask? Easy. No, I didn't go scanning for these things. That would have been illegal. I had legitimate access to one at the time, and I used it enough to where the whole sequence is burned into my head.

There's an obvious problem with scanning manually, and that's taking forever to try all of those combinations. Even if you could twig on to a phone number which probably has a calling card account, then figure out how it got mangled (408 to 428, or whatever), you'd still have to brute-force the 10,000 combinations the four-digit access code gives you.

This is a job for a computer. There's just one question: how do you have a modem figure out when the call went through? These things were relatively stupid and couldn't identify much in the way of error noises on the phone line. If you were lucky, your modem might detect "RINGING", but that wasn't well-supported.

One thing you'd usually be able to count on was detection of a busy signal. Even modems which didn't have the high end features of being able to detect "VOICE" or "RINGING" would usually have a "BUSY" result. That reduced the problem nicely. You'd only get a busy signal if the call went through, and that means the code worked! Any other result meant you got some error message and it didn't work.

That leaves only one question: how do you make sure you're always going to get a busy signal, so that your scanner can detect a valid code? There were test numbers which were always busy, and some people knew about those, but there was another trick, too: just call your own number. Since you're obviously already on it, it's always going to be busy.

With all of those things figured out, it was just a matter of starting it up and letting it run. Any busy signals would be logged and could be checked out manually to ensure they worked properly. Then these stolen numbers would be traded around in order to procure favors or access to "elite" boards where the actual "couriers" hung out.

Thinking about it now, I'm surprised this went on as long as it did. Anyone who reviewed the audit logs for a given access node at the long distance company would have found hundreds or thousands of call attempts to the same number... all local, and always busy. What kind of nutcase uses a calling card to call a number in the same city? Then they'd look more closely and notice they were being charged to entirely different account numbers. They'd also find even more failed attempts to dial the same number which didn't pass the authentication stage. If they happened to trace it back, it would all be coming from one line, but odds are, they already knew the number, because they were dialing themselves.

Talk about a giant neon sign that says "come here and get me".

All you had to do was start up the program on your computer and wait.