> P.S. Is anyone worried that the Netherlands seems on the verge of > banning PGP? Wasn't this country once a hacker's paradise? As for the Netherlands being a hacker's paradise....recall that telephone and other services are under the control of the "PTT" (Postal, Telegraph, and Telephone monopoly) that's so common in European countries. If they say "no modems may be attached," that's the law. (I don't know the current status, but at one time there were severe restrictions, heavy fees, etc.) .nl has that reputation because before last year phone phreaking specifically wasn't a criminal offense - if you could get free service off the telco by blowing whistles down their phones, that was the telco's loss. Last year they introduced new laws which made this illegal. The laws also appear to affect computer hacking, but the situation (last time I looked) was much less clear. Maybe someone has been charged by now so we'll know one way or another if the phone laws were successfully applied to computer hacking. Ask the guys at Hactic, De Zwarte Star, and BILWET (Amsterdam Association for the Dissemination of Illegal Science) about the surveillance done on them by the BVD, the Binnenlandse Veilegheids Dienst, the Dutch Internal Security Service. I'll save you the bother - this is from Hacktic from last year: Path: ibmpcug!ibmpcug!pipex!uunet!elroy.jpl.nasa.gov!lll-winken!telecom-request From: rop@hacktic.nl (Rop Gonggrijp) Newsgroups: comp.dcom.telecom Subject: Tapped Phone Message-ID: <telecom12.497.1@eecs.nwu.edu> Date: 19 Jun 92 07:09:19 GMT Sender: Telecom@eecs.nwu.edu Organization: Hack-Tic Magazine Lines: 187 Approved: Telecom@eecs.nwu.edu X-Submissions-To: telecom@eecs.nwu.edu X-Administrivia-To: telecom-request@eecs.nwu.edu X-Telecom-Digest: Volume 12, Issue 497, Message 1 of 7 I had a STRANGE experience with one of the Hack-Tic phones this week. It all started on Friday, June 12th when the modem hooked up to the Waffle station that is posting this message (and all the other traffic from and to the hacktic.nl domain) did not work anymore. I started up LanAssist to control the Waffle station and initiated a poll to our Internet host 'sun4nl'. The Waffle station is in our 'server closet'. It's an unattended and diskless 286 with no keyboard or monitor hooked up. The modem picked up the line and a high-pitched tone came from the modem speaker. So the modem is broken I thought. I started up Telix and 'talked' to the modem directly. Same high-pitched tone. I reset the modem. Same tone. This modem is fairly new, and although it had functioned properly most of the time, we were not really happy with it because the V42bis mode wasn't totally 'hang-proof'. So we concluded: the modem is broken. The next day Felipe and Paul came over and tried to fix the problem. Felipe and Paul are the Hack-Tic network trouble-shooting team. They brought two other high-speed modems to confirm that the modem was broken. They hooked up number one and tested it. Same high-pitched tone. After a few very puzzled looks we had to make a wild assumption: It wasn't our flaky equipment that was at fault; it could be the well-oiled machinery of The Phone Company that was messed up. Bill, our chief telephone engineer, well known to all of you for his 'sometimes-a-little-too-knowledgeble' posts quickly hooked up a telephone (that had not been attached to that line before) and picked it up. Same high-pitched tone. The dial-tone was audible in the background, but overpowered by the tone. The dialtone had been there all the time but the quality of the average modem speaker leaves something to be desired. When he hooked up our New York Telephone test-set he noticed that the high-pitched tone was even there when the phone was on the hook. Bill used the Demon-Dialer (our homebrew high-precision tone-generator) and found out that the tone was EXACTLY 3000 Hz, so it had to be crystal generated. This ruled out any spurious oscillations. As a last check we went to the point where all the wires come into our flat. We unscrewed the wires leading in and clipped the test-set onto the wires leading out. Same high-pitched tone. That Saturday night the error was reported to the PTT and that was it. So we thought. On Sunday the problem was still there (the PTT only fixes things in the weekend if you are a major customer that is planning on buying one of their PBXs). Bill checked to see that the tone was still there by picking up the test set that was still plugged in. Then I picked up our voice-line to make an outgoing call to Felipe. Bill's face went through several emotions within a few seconds. Finally he said 'Hmmm ... ehrr .... pfah ...'. When I looked at him rather puzzled he added: 'hgggggnaaaah ...'. I told Felipe to hold on. Bill started explaining that he heard my voice on the other line, but that it sounded scrambled. I asked Nils (who was also here, it's usually rather busy here) to talk to Felipe for a while and took the test-set from Bill. Yep, it was there all right. Scrambled voices. ------------------------------------------------------------- Short Intermezzo About Voice Scrambling One of the easiest ways to scramble someone's voice is to invert the speech. It works as follows: you take a tone and subtract the audio from it. In more technical terms: You single-sideband modulate the audio onto the tone. Dutch police uses this technique extensively for their medium security traffic. Every real scanner-freak has a retrofit in his scanner to undo this. It does keep the absolute lamers from listening in I guess. Speech inversion may be a quite simple process that does not involve many parts, but it is by no means something that happens at random. (Or at least not in a voice-frequency environment) ------------------------------------------------------------- Now there is a lot of thing that can go wrong in a phone system that cause a tone. Causing a frequency inversion of the audio on one line to another line is quite something else. Especially if you know that both lines are hooked up to different COs. The data line is hooked up to a fully digital Ericcson AXE switch, the voice line goes to a PRX (Processor Reed Exchange), which compares to a 1A/ESS in US terms. We spent the rest of that sunday looking for alternatives for what seemed to be the only possible conclusion: someone had hooked up something to our line that did not belong there. Even more so: they had messed up badly. I decided that the time had come for some social engineering. I had barely used my engineering skills since I had more or less given up on my active hack/phreak career and started publishing a hacker-magazine. This Monday (June 15th) I called the main access number of the PTT Amsterdam office and asked for the number of the Diemen 'hoofdverdeler', where my lines come in. The 'hoofdverdeler' is where all the lines for an entire area come in. They are split up to the offices serving that area from there. The phone at extension 2018 (+31 20 674 2018 to be precise) was answered by Fred. I explained that I was a service mechanic (I only used my first name, like they all do) at a customer's house and that there seemed to be a strange tone on the line. I was not the first to tell him of the problem. In fact, he had allready received a call from another service mechanic trying to fix the problem. He said that the line was rewired using colorcode-2, a code, he explained, that they don't normally use in that office. The in- and outgoing point for my data-line did connect according to his beep-device, but they were different wires. I asked him to follow the wires, and he did. He came back to the phone to tell me that my line had been hooked up to a small rack that he had never seen before. He looked further and concluded that it was the rack for internal lines to that building. When I asked him to clip my line loose from that rack he said that he could not do that. Because if it was not his color code, his instructions were not to mess with it. He said that this was the first time he saw so many of 'us from outside works' working on something. Knowing I could not convince him, and having all the information I wanted, I said goodbye and hung up. I thought about this for a while and decided to call Fred back and play it open with him. I told him that I was the subscriber, and not a technician. I told him what I thought the device was. He did not dispute my theory, but did not confirm it either. We chatted for quite a while. He wanted to know where my telephone knowledge came from, and I explained about Hack-Tic, phreaking, international signalling systems and so forth. When I asked him if he had seen lines with code-2 before he hasitated for about five seconds and said: 'Well, your line is being fixed. I'd say just wait and see'. I knew I was asking a question that he was not allowed to answer. We hung up. By this time our mailbox had been emptied, and it revealed a card from a service mechanic that had apparently tried to visit us early that moring (all morning is early to hackers). So I called the office and made an appointment for the morning of the next day, knowing that the problem would probably be gone by then. For the next few hours I heard people testing on the modem line (little ticks). But as evening came, the beep was still there. So early this morning, a man from the PTT arrived. He looked at the problem and was quite puzzled by it. He then said that they could not locate the problem, but that he believed that it was located between the office and me. In a sense this was true, because the 'hoofdverdeler' is indeed between the office and me. He decided to work around the problem. He whipped out a cell-phone and called his buddies at the other end. Together they put my line on a completely different wire leading from the CO to here. No more high-pitched tone. As I write this on Thursday afternoon, it all still needs a little time to sink in. It seems that the only conclusion is that somebody wanted to tap my lines, and hooked up the two lines that they wanted tapped to the in- and output of the tapping device instead of using two inputs. So the audio that was supposed to be fed to them (scrambled so that anybody just testing the wire could not hear what was going on) came back on my second line. The 3000 Hz tone was used to indicate that the line was not currently in use. As soon as I picked up, the tone would be replaced by a scrambled signal using the 3000 Hz as it's offset. So if this was a real attempt to tap us, they would have the two lines used to transport our audio hooked up to the in- and output of the second circuit. They would have tapped themselves. If you publish a hacker magazine, the notion that at least some of your phones are tapped some of time is not that far-fetched. Why do it so obvious? This could be an illegal tap. It could be one done by and for the PTT itself (they are the main subject of our publication after all). It could be ... Why guess. I'm not paranoid, and I don't want to be. If they tap my lines that is fine. Everything we say over the phone is considered public anyway. If they pay me, I'll transcribe all the important calls myself. Our network, used to spread information to and from the computer underground was down for two days. Now THAT PISSES ME OFF! Rop Gonggrijp (rop@hacktic.nl) from Amsterdam