Hacker/Phreaker BBS Stings

This article was originally published in Blacklisted! 411 magazine in 2004. If you’re interested in a bit of background about the writing process and the battle to get paid, please see “Collecting your freelance money.” The majority of what’s described in here is of purely historical interest, as it predates wide-scale use of the Internet and takes place mostly on bulletin board systems (BBSs). The stings do still happen, though…

---

Law enforcement has a mixed response to hacking. Most agencies don’t understand what it is, and don’t know the difference between an old-school hacker, a white-hat hacker, a cracker, a phreaker, or a virus author. The laws are often ambiguous, and prosecution is dependent on who, exactly, is hurt—or thinks they are.

Internet-based stings are getting fairly common. There are regular courses taught in the development of “honey pots” on corporate networks, and whole books about catching invaders in computer systems.

There are a lot of ways to set up a sting. Read Cliff Stoll’s book, The Cuckoo’s Egg. The whole book describes one large hunt for a digital invader (Hans Huebner, a.k.a. Pengo), including an elaborate sting where he created a fictitious government project as bait.

When Janaka Jayawardene was trying to track down the cracker that had invaded his systems at Portland State University (a minor, using the name Phantom Dialer), he used a classic cracker technique – the Trojan horse. He modified the telnet program to keep a keystroke log so that he’d be able to see everything that Phantom Dialer did when using telnet from the Portland State University computers. The tale of Phantom Dialer is told in the book, @ Large: The Strange Case of the World’s Biggest Internet Invasion.

These operations, fascinating for the way they pitted hacker against cracker, don’t fit the classic law enforcement definition of a sting, though, because they had a very specific target right from the beginning. A more classic sting was the Phreaker’s Phortress.

The Revenger and the Phreaker’s Phortress

In 1985, most police officers had never used a computer, and had no idea what a modem was. Sgt. Dan Pasquale of the Fremont Police was an exception.

Fremont, California is big enough to be called a city, but small enough to feel like a town. There are no high-rise office buildings, subways, and other trappings of big-city life. The police headquarters building overlooks a big lake in Central Park, and has a view of the mountains at the edge of town. With 100 square miles of land, Fremont has plenty of space to spread out, and it does.

Fremont, however, is no stranger to technology. It is at the edge of Silicon Valley, a few miles from San Jose. It was inevitable that technophiles would find their way onto the Fremont Police Department, and Pasquale was one of the first.

He had a Commodore 64 at home, just for fun, and the thought of combining his job in law enforcement with his computer hobby didn’t occur to him until he arrested a juvenile for shoplifting. The kid was carrying a stack of credit card receipts he had pulled from a dumpster, and Pasquale asked him what he intended to do with them. As they say in the gangster movies, the kid sang like a canary: He was part of a group that traded and/or sold credit card numbers.

Pasquale was fascinated by the whole computer underground and the BBSs that were popping up all over the country. He asked his superiors at Fremont PD for approval to set up one of the country’s first sting BBSs, and was told that the department would authorize a couple of hours a week of his time, but wouldn’t cover all the expenses of setting up and operating the BBS.

There was no problem finding Silicon Valley companies that were concerned with computer fraud and cracking at the time, and Pasquale went hunting for support. Apple Computer donated an Apple IIe computer with an external 40 megabyte disk drive (that was a lot of disk space in 1985) and a 1200 baud modem. Since his primary targets were people stealing credit card numbers and long-distance calling cards, he also got support from the credit card companies and phone companies.

Visa, MasterCard, and Wells Fargo Bank all created credit cards just for Pasquale’s sting. The cards had $500 limits, and the verification systems were set up to track them. AT&T, Sprint, and MCI donated calling card numbers with similar tracking.

The local phone company, Pacific Bell, agreed to install a telephone line into police headquarters that was shown on all the records as being in a nearby apartment complex. Pasquale said that the only way of actually tracing it to the police would have been to crack the 911 system – that was one thing Pacific Bell would not agree to mess with. All other verifications, including cracking the switches and social-engineering operators, would have led to the false front in the apartment.

With the infrastructure coming together, the next thing Pasquale needed to do was go undercover himself. He adopted the handle “Speedy Da Mouse” (for his favorite cartoon character, Speedy Gonzales), and started joining all the underground BBSs he could find.

Sysops of cracking/phreaking boards were justifiably paranoid, and most required verification of a new user’s true identity. Often, this involved a telephone conversation. Pasquale said, “Even then, I didn’t sound like a 17-year-old, so I needed another way to buy into their confidence.” That way was card numbers.

On virtually every board he contacted, giving them a valid credit card number or long-distance calling card number was all the ID he needed. Speedy began developing an identity.

Even as Speedy Da Mouse infiltrated BBSs across the country, Pasquale was putting the finishing touches on his sting BBS. The Apple IIe went into a broom closet at police headquarters, and Pasquale created a main board with five sub-boards. Most of the maintenance could be done from his Commodore 64 at home, so he didn’t actually have to climb in the crowded closet with the Apple very often.

The BBS took shape. He built sub-boards specifically for stolen credit cards, phreaking, and cracking. In September of 1985, Phreaker’s Phortress went online.

The sysop of Phreaker’s Phortress was another Pasquale identity: The Revenger. Speedy Da Mouse posted messages on every BBS he knew of, announcing this cool new board in California, and vouching for The Revenger.

I asked Pasquale what made the Phreaker’s Phortress look real. “It was real,” he replied. Sure, there were users who suspected this unknown Revenger guy of being a cop, but their suspicions went away when he handed out bait.

Throughout the remainder of 1985 and into early 1986, Pasquale gathered evidence and continued to learn about his BBS and the computer underground. He found, for example, that as he was monitoring the BBS one day, someone pressed the Z key 36 times, and was immediately given full access to the board. He contacted the company that had written the BBS software, and they sheepishly admitted that they had written this back door into the program to allow them to check on installations and see if they were legitimate, and to help sysops that locked themselves out of their own BBSs.

In late March, Pasquale went full-time. For two weeks, he got his warrants, and built up to the arrests in April. Seven of the targets were locals, two were out-of-towners who lived elsewhere in California, and another half-dozen were from other states. He rounded up the seven locals and turned the others over to appropriate agencies. To the best of his knowledge, the Feds never even followed up on the ones from out of state.

The seven locals all turned out to be juveniles. He had them red-handed, not just for computer intrusions and theft of long-distance service, which the courts didn’t understand, but also for having and using stolen credit cards. All seven plead guilty to possession of stolen property. They had their equipment seized, and they cost their parents a bundle in legal fees and fines.

Since they were minors, their court records were sealed when they turned 18. Their names were never disclosed to the press. I asked Pasquale if he had kept in touch with any of them. He told me that one had become a nuclear engineer and joined the military. As of a couple of years ago, he was serving on a nuclear submarine.

When Pasquale took down Phreaker’s Phortress, the credit card companies and long-distance companies shut off their bait cards. “Were they out a lot of money?”, I asked Pasquale. Actually, he told me, they went after the parents of the kids for reimbursement of everything they charged on the cards. In some cases, however, it was merchants that got stuck.

Visa and MasterCard have very strict rules about verifying purchases. These days, your card is run through a reader that dials up a verification service. In 1985, merchants were supposed to call themselves to check out purchases over a certain limit. In one case, one of the credit card thieves had purchased $3,000 worth of computer equipment, and the store never bothered to check the card, which only had a $500 limit. Because they broke the rules by not verifying the card, the store was stuck for the money. Their only choices were to write it off or sue the parents of the kid that bought the equipment.

As you can see, even though the criminal investigation may only net probation and confiscation of computer equipment, the civil lawsuits can drag on for years and cost thousands of dollars in legal fees and eventual settlements.

Could a sting like Phreaker’s Phortress happen again today? You bet it could. Pasquale doubts that a BBS sting would be worth it anymore, because everyone has moved on to the Web. There are still BBSs, although most of them are accessible through the Internet rather than dial-up, but nothing like the hundreds of underground boards that existed in the 80’s.

Today, Pasquale said, a sting like that would be done with a Web site. I asked Alameda County (California) Assistant District Attorney Don Ingraham if a similar Web sting had ever been done. Yes, he said, it has.

The Legality of a Sting

There’s nothing new about stings. Law enforcement has used them for decades. Ingraham explained that the only things police need to watch out for is entrapment. Pasquale set up a BBS and allowed people to talk about what they were doing. They freely shared stolen card numbers and bragged about their cracking and phreaking exploits. They did it on a system that he had the right to monitor.

“You can’t seduce innocent people,” Ingraham said. If you talk someone into committing a crime that they wouldn’t have otherwise committed, that’s entrapment. If you give them an environment where they can discuss the crimes without actually encouraging them to commit crimes, you have a legal sting.

It’s hard to argue that stealing credit cards is moral or ethical. It’s theft. Often, however, crackers present arguments that breaking into systems is a benefit to society. Ingraham appeared on TV’s Geraldo show with Craig Neidorf—the famed Night Lightning. Neidorf made precisely that argument, explaining that by finding security holes and pointing them out, he was improving security and making the systems better. Geraldo asked Ingraham whether he considered Neidorf’s cracking (Geraldo, of course, called it “hacking”) a public service.

“Right,” responded Ingraham, “and just like the people who rape a co-ed on campus are exposing the flaws in our nation’s higher education security. It’s absolute nonsense. They are doing nothing more than showing off to each other, and satisfying their own appetite to know something that is not theirs to know.”

Neidorf and Ingraham represent two ends of the spectrum, and most of us are in the middle somewhere. If you break into your brother’s computer as a gag, most people would not consider that to be a crime. If you break into Bank of America’s central computer and transfer a few million dollars to your own account, it’s pretty obvious that’s a Federal crime.

I asked Ingraham whether he still agrees with what he said on Geraldo over ten years ago. “Absolutely,” he responded. He explained that he wasn’t actually equating the severity of breaking into a computer with committing a rape, but that he felt the comparison of logic was perfectly valid.

We also discussed Ingraham’s opinion of Neidorf’s case. As you may recall, Neidorf was the co-editor of Phrack who was arrested for publishing a document stolen from BellSouth. The document was lifted by a member of the Legion of Doom, who went by the handle of Prophet. He copied the document from BellSouth’s computer as a trophy, to show that he had actually been there. It passed through several hands, and finally made its way to Neidorf, who edited it down and printed it in Phrack.

The document, which became known as the “E911 document,” was a description of the BellSouth Extended 911 service. Not the equipment–the service. There was virtually no useful information about the computers at all. BellSouth claimed the document to have a value of $70,000, which made the theft and possession major felony offenses. It was only after the E911 document was found in a directory of products offered by BellSouth, and court shown that anyone who wanted it could get it for $13, that the trial began to fall apart.

Ingraham, who was responsible for overhauling some of California’s search and seizure laws, felt that Craig Neidorf was a nice guy that was taken down by a very bad warrant. Unlike many prosecutors, Ingraham is no stranger to the world of hacking, cracking, and phreaking. He subscribes to 2600, and regularly reads Phrack and Blacklisted! 411. He believes that publications like this are covered by the First Amendment, and that they contain useful information as well.

It’s unfortunate for Neidorf that he was in Chicago rather than Alameda County, California. It sounds like he would have fared much better.

What Should You Do About Stings?

If you’re not doing anything illegal, a sting board (or Web site) shouldn’t be anything for you to worry about. Unfortunately, that’s not always the way it works.

The laws in this country are based upon the assumption that individuals are innocent unless they are proven guilty. It is likely, however, that if you get involved in a board where criminal activities are being discussed, you will end up being investigated. Even if you are never charged with a crime, it could cost you money for legal fees and a great deal of potential hassle if your equipment is impounded.

Your best bet is to stay clear, or just lurk. You just never know who’s on the other end of the network.