1994-03-25 - Re: Netherlands and Other European Countries

Header Data

From: Graham Toal <gtoal@an-teallach.com>
To: cypherpunks@toad.com
Message Hash: 50f53914a4bf2677e00096f21a8f3559a9def5432e3d33b37035c44d5c6f798a
Message ID: <199403251937.TAA01790@an-teallach.com>
Reply To: N/A
UTC Datetime: 1994-03-25 23:41:45 UTC
Raw Date: Fri, 25 Mar 94 15:41:45 PST

Raw message

From: Graham Toal <gtoal@an-teallach.com>
Date: Fri, 25 Mar 94 15:41:45 PST
To: cypherpunks@toad.com
Subject: Re: Netherlands and Other European Countries
Message-ID: <199403251937.TAA01790@an-teallach.com>
MIME-Version: 1.0
Content-Type: text/plain


	> P.S. Is anyone worried that the Netherlands seems on the verge of
	> banning PGP?  Wasn't this country once a hacker's paradise?

	As for the Netherlands being a hacker's paradise....recall that
	telephone and other services are under the control of the "PTT"
	(Postal, Telegraph, and Telephone monopoly) that's
	so common in European countries. If they say "no modems may be
	attached," that's the law. (I don't know the current status, but at
	one time there were severe restrictions, heavy fees, etc.)

.nl has that reputation because before last year phone phreaking specifically
wasn't a criminal offense - if you could get free service off the telco by
blowing whistles down their phones, that was the telco's loss.  Last year
they introduced new laws which made this illegal.  The laws also appear
to affect computer hacking, but the situation (last time I looked) was
much less clear.  Maybe someone has been charged by now so we'll know
one way or another if the phone laws were successfully applied to computer
hacking.

	Ask the guys at Hactic, De Zwarte Star, and BILWET (Amsterdam Association for
	the Dissemination of Illegal Science) about the surveillance done on
	them by the BVD, the Binnenlandse Veilegheids Dienst, the Dutch
	Internal Security Service. 

I'll save you the bother - this is from Hacktic from last year:

Path: ibmpcug!ibmpcug!pipex!uunet!elroy.jpl.nasa.gov!lll-winken!telecom-request
From: rop@hacktic.nl (Rop Gonggrijp)
Newsgroups: comp.dcom.telecom
Subject: Tapped Phone
Message-ID: <telecom12.497.1@eecs.nwu.edu>
Date: 19 Jun 92 07:09:19 GMT
Sender: Telecom@eecs.nwu.edu
Organization: Hack-Tic Magazine
Lines: 187
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 12, Issue 497, Message 1 of 7

I had a STRANGE experience with one of the Hack-Tic phones this week.

It all started on Friday, June 12th when the modem hooked up to the
Waffle station that is posting this message (and all the other traffic
from and to the hacktic.nl domain) did not work anymore. I started up
LanAssist to control the Waffle station and initiated a poll to our
Internet host 'sun4nl'. The Waffle station is in our 'server closet'.
It's an unattended and diskless 286 with no keyboard or monitor hooked
up.

The modem picked up the line and a high-pitched tone came from the
modem speaker.

So the modem is broken I thought. I started up Telix and 'talked' to
the modem directly. Same high-pitched tone. I reset the modem. Same
tone.  This modem is fairly new, and although it had functioned
properly most of the time, we were not really happy with it because
the V42bis mode wasn't totally 'hang-proof'. So we concluded: the
modem is broken.

The next day Felipe and Paul came over and tried to fix the problem.
Felipe and Paul are the Hack-Tic network trouble-shooting team. They
brought two other high-speed modems to confirm that the modem was
broken. They hooked up number one and tested it. Same high-pitched
tone.

After a few very puzzled looks we had to make a wild assumption: It
wasn't our flaky equipment that was at fault; it could be the
well-oiled machinery of The Phone Company that was messed up.

Bill, our chief telephone engineer, well known to all of you for his
'sometimes-a-little-too-knowledgeble' posts quickly hooked up a
telephone (that had not been attached to that line before) and picked
it up. Same high-pitched tone. The dial-tone was audible in the
background, but overpowered by the tone. The dialtone had been there
all the time but the quality of the average modem speaker leaves
something to be desired.

When he hooked up our New York Telephone test-set he noticed that the
high-pitched tone was even there when the phone was on the hook. Bill
used the Demon-Dialer (our homebrew high-precision tone-generator) and
found out that the tone was EXACTLY 3000 Hz, so it had to be crystal
generated. This ruled out any spurious oscillations.

As a last check we went to the point where all the wires come into our
flat. We unscrewed the wires leading in and clipped the test-set onto
the wires leading out. Same high-pitched tone. That Saturday night the
error was reported to the PTT and that was it. So we thought.

On Sunday the problem was still there (the PTT only fixes things in
the weekend if you are a major customer that is planning on buying one
of their PBXs). Bill checked to see that the tone was still there by
picking up the test set that was still plugged in. Then I picked up
our voice-line to make an outgoing call to Felipe.

Bill's face went through several emotions within a few seconds.
Finally he said 'Hmmm ... ehrr .... pfah ...'. When I looked at him
rather puzzled he added: 'hgggggnaaaah ...'.

I told Felipe to hold on. Bill started explaining that he heard my
voice on the other line, but that it sounded scrambled. I asked Nils
(who was also here, it's usually rather busy here) to talk to Felipe
for a while and took the test-set from Bill.

Yep, it was there all right. Scrambled voices.

   -------------------------------------------------------------
   Short Intermezzo About Voice Scrambling

   One of the easiest ways to scramble someone's voice is to
   invert the speech. It works as follows: you take a tone and
   subtract the audio from it. In more technical terms: You
   single-sideband modulate the audio onto the tone.

   Dutch police uses this technique extensively for their medium
   security traffic. Every real scanner-freak has a retrofit in
   his scanner to undo this. It does keep the absolute lamers
   from listening in I guess.

   Speech inversion may be a quite simple process that does not
   involve many parts, but it is by no means something that
   happens at random. (Or at least not in a voice-frequency
   environment)
   -------------------------------------------------------------

Now there is a lot of thing that can go wrong in a phone system that
cause a tone. Causing a frequency inversion of the audio on one line
to another line is quite something else. Especially if you know that
both lines are hooked up to different COs. The data line is hooked up
to a fully digital Ericcson AXE switch, the voice line goes to a PRX
(Processor Reed Exchange), which compares to a 1A/ESS in US terms.

We spent the rest of that sunday looking for alternatives for what
seemed to be the only possible conclusion: someone had hooked up
something to our line that did not belong there. Even more so: they
had messed up badly.

I decided that the time had come for some social engineering. I had
barely used my engineering skills since I had more or less given up on
my active hack/phreak career and started publishing a hacker-magazine.

This Monday (June 15th) I called the main access number of the PTT
Amsterdam office and asked for the number of the Diemen
'hoofdverdeler', where my lines come in. The 'hoofdverdeler' is where
all the lines for an entire area come in. They are split up to the
offices serving that area from there.

The phone at extension 2018 (+31 20 674 2018 to be precise) was
answered by Fred. I explained that I was a service mechanic (I only
used my first name, like they all do) at a customer's house and that
there seemed to be a strange tone on the line. I was not the first to
tell him of the problem. In fact, he had allready received a call from
another service mechanic trying to fix the problem. He said that the
line was rewired using colorcode-2, a code, he explained, that they
don't normally use in that office. The in- and outgoing point for my
data-line did connect according to his beep-device, but they were
different wires.

I asked him to follow the wires, and he did. He came back to the phone
to tell me that my line had been hooked up to a small rack that he had
never seen before. He looked further and concluded that it was the
rack for internal lines to that building. When I asked him to clip my
line loose from that rack he said that he could not do that. Because
if it was not his color code, his instructions were not to mess with
it. He said that this was the first time he saw so many of 'us from
outside works' working on something. Knowing I could not convince him,
and having all the information I wanted, I said goodbye and hung up.

I thought about this for a while and decided to call Fred back and
play it open with him. I told him that I was the subscriber, and not a
technician. I told him what I thought the device was. He did not
dispute my theory, but did not confirm it either. We chatted for quite
a while.  He wanted to know where my telephone knowledge came from,
and I explained about Hack-Tic, phreaking, international signalling
systems and so forth. When I asked him if he had seen lines with
code-2 before he hasitated for about five seconds and said: 'Well,
your line is being fixed. I'd say just wait and see'. I knew I was
asking a question that he was not allowed to answer. We hung up.

By this time our mailbox had been emptied, and it revealed a card from
a service mechanic that had apparently tried to visit us early that
moring (all morning is early to hackers). So I called the office and
made an appointment for the morning of the next day, knowing that the
problem would probably be gone by then.

For the next few hours I heard people testing on the modem line
(little ticks). But as evening came, the beep was still there.

So early this morning, a man from the PTT arrived. He looked at the
problem and was quite puzzled by it. He then said that they could not
locate the problem, but that he believed that it was located between
the office and me. In a sense this was true, because the 'hoofdverdeler' 
is indeed between the office and me. He decided to work around the
problem.  He whipped out a cell-phone and called his buddies at the
other end.  Together they put my line on a completely different wire
leading from the CO to here. No more high-pitched tone.

As I write this on Thursday afternoon, it all still needs a little
time to sink in. It seems that the only conclusion is that somebody
wanted to tap my lines, and hooked up the two lines that they wanted
tapped to the in- and output of the tapping device instead of using
two inputs. So the audio that was supposed to be fed to them
(scrambled so that anybody just testing the wire could not hear what
was going on) came back on my second line. The 3000 Hz tone was used
to indicate that the line was not currently in use. As soon as I
picked up, the tone would be replaced by a scrambled signal using the
3000 Hz as it's offset.

So if this was a real attempt to tap us, they would have the two lines
used to transport our audio hooked up to the in- and output of the
second circuit. They would have tapped themselves.

If you publish a hacker magazine, the notion that at least some of
your phones are tapped some of time is not that far-fetched. Why do it
so obvious? This could be an illegal tap. It could be one done by and
for the PTT itself (they are the main subject of our publication after
all).  It could be ...

Why guess. I'm not paranoid, and I don't want to be. If they tap my
lines that is fine. Everything we say over the phone is considered
public anyway. If they pay me, I'll transcribe all the important calls
myself. Our network, used to spread information to and from the
computer underground was down for two days. Now THAT PISSES ME OFF!


Rop Gonggrijp (rop@hacktic.nl) from Amsterdam





Thread