FOURTEEN

You Tap Me, I Tap You

c2VuaWxzJ2RhZHltbm9zcGF0ZXJpd2VodHRjZW5ub2Nlcm
RuYXNlbGVnbmFzb2xvdHlsZm90ZGFob2h3dG5lZ2F5d
GlydWNlc2xsZWJjYXBlaHQ=

A couple of days after meeting my father’s friend Mark Kasden, from the PI firm, I set out on the long drive back to Vegas to pick up my clothes and personal belongings. The Probation Department had approved my request that I be allowed to move in long-term with my dad.

I left my dad’s at an early hour that didn’t much suit my nocturnal lifestyle but would let me escape LA before the morning rush hour. During the drive, I planned to do a little social engineering to investigate the monitoring boxes I had discovered, the ones I had at first feared were on my dad’s phone lines.

I turned onto the 101 Freeway eastbound toward the I-10, which would take me east through the desert. My cell phone was at hand, as usual cloned to someone else’s phone number.

A funny thing about the freeway. A few weeks earlier, I had been cut off by a guy driving a BMW. Busy talking on his cell phone, he had suddenly switched lanes, swerving within inches of my car, scaring the crap out of me, and only barely missing wiping out both of us.

I’d grabbed my cell phone and made one of my pretexting calls to the DMV, running the BMW’s license plate and getting the owner’s name and address. Then I called an internal department at PacTel Cellular (only two cell phone companies serviced Southern California at the time, so I had a fifty-fifty chance of getting it right the first time), gave the guy’s name and address, and found that yes, PacTel Cellular had his account. The lady gave me his cell phone number, and hardly more than five minutes after the jerk had cut me off, I called and got him on the phone. I was still shaking with anger. I shouted, “Hey, you fucking dick, I’m the guy you fucking cut off five minutes ago and almost killed us both. I’m from the DMV, and if you pull one more stunt like that, we’re going to cancel your driver’s license!”

He must wonder to this day how some other driver on the freeway was able to get his cell phone number. I’d like to think that call scared the shit out of him.

Truth be told, though, that lesson in the dangers of using a cell phone while driving didn’t have much lasting impact on me, either. Once I had left behind the traffic noises and honking horns of the rush-hour freeways and settled in for my drive to Vegas, I was on the phone. My first call was to a number etched in my memory: the one for the Pacific Bell switching center that supported all the switches in the west San Fernando Valley area.

“Canoga Park SCC, this is Bruce,” a tech answered.

“Hi, Bruce,” I said. “This is Tom Bodett, with Engineering in Pasadena.”

The name I’d given was too familiar at the time: Bodett was an author and actor who’d been doing a series of radio ads for Motel 6, signing off with, “This is Tom Bodett, and we’ll leave the light on for ya.” I had just tossed off the first name that came into my head. But Bruce didn’t seem to have noticed, so I kept right on. “How’s it going?” I asked.

“Fine, Tom, what do you need?”

“I’m working on an unusual case of trouble out of Calabasas. We’re getting a high-pitched tone—sounds like a thousand cycles. We’re trying to find where the call was originating from. Could you take a look?”

“Sure. What’s your callback number?”

Though Bruce hadn’t recognized my voice, I sure did know who he was. He’d been the target of social-engineering scams by me and other phone phreaks for years, and had been stung enough times that he had grown suspicious and protective. So anytime he got a call from somebody he didn’t know who claimed to be a company employee, he’d ask for a callback number—and it had better be a number he recognized as being internal to Pacific Bell. He’d ring off and dial you back.

Most phone phreaks either don’t bother to set up a callback number or don’t know how. They try to get away with some lamebrained excuse like “I’m just going into a meeting.” But Bruce was hip to all of that, and he wasn’t going to get conned again. So before my call, I had convinced a Pacific Bell employee that I was a company engineer who’d been sent to LA to tackle a technical problem and needed a temporary local phone number. Once that was set up, I put it on call forwarding to my cloned cell phone number of the day. When Bruce called back to the legitimate internal phone number I had given him, it rang through to my cell phone.

“Engineering, this is Tom,” I answered.

“Tom, this is Bruce calling you back.”

“Hey, thanks, Bruce. Could you take a look at this number—880-0653—in the Calabasas switch? And let me have the origination information.” In layman’s terms, I was asking him to trace the call.

“Yeah, one sec,” he said.

I was nervous as hell. If Bruce heard a car horn honking or some other nonoffice-like background noise, I’d be caught out. This was way too important—way too interesting—to screw up. I could hear Bruce typing, and I knew exactly what he was doing: querying the switch to trace the call.

“Tom, okay, the call is coming from the LA70 tandem”—meaning it was a long-distance call, coming from outside the LA area.

Bruce then gave me the detailed trunking information I needed to continue the trace. I also asked him for the number of the switching center that managed the LA70 tandem. My uncanny ability to remember telephone numbers came in handy once again: I didn’t have to scribble the number down with one hand while steering with the other. (In fact, most of the phone numbers and people’s names in this book are the real thing, still imprinted in my memory from as much as twenty years ago.)

At the end of the call, I told him, “Don’t forget me, Bruce. I’ll likely need your help again.” I was hoping he’d remember me the next time and not feel he needed to do that whole callback routine again.

When I called the switching center, the phone was answered, “LA70, this is Mary.”

I said, “Hey, Mary, this is Carl Randolph from Engineering in San Ramon. I have a circuit I’m tracing, and it appears to originate from your office.” Apparently I was on solid ground all around, since Mary didn’t hesitate, asking me for the trunking information. I gave it to her, and she put me on hold while she checked. Since phone phreaks rarely targeted toll switches, she didn’t even bother to verify my identity.

Mary came back on the line. “Carl, I’ve traced the trunk information you gave me. The call originated from the San Francisco 4E.” She gave me the trunking and network information she had found from her trace. I also asked her for the number for that 4E office, which she was kind enough to look up for me.

I was now approaching Interstate 15. My route would take me through the Cajon Pass, running between the San Bernardino Mountains and the San Gabriel Mountains, making it likely that any call would be dropped. I would wait until I reached Victorville, on the far side of the pass.

In the meantime, I switched on the car radio and was treated to some favorite oldies from the fifties. “K-Earth-101,” the disk jockey said. “We’re giving away a thousand dollars an hour to lucky caller number seven after you hear the K-Earth jingle—‘the best oldies on the radio.’ ”

Wow! Wouldn’t it be cool to win a grand! But why even bother trying? I had never won any contest I had ever entered. Still, the idea planted itself in my mind and would eventually turn from a fantasy into a temptation.

As I approached Victorville, I dialed the number Mary had given me, reaching a guy who said his name was Omar. “Hey, Omar, this is Tony Howard with ESAC in Southern California,” I said. “We have a weird situation here. We were tracing a circuit, and it has a thousand-cycle tone on it.” I gave him the trunking information from the LA tandem, and he went off to check.

Leaving Victorville, I was now heading back into an empty stretch of desert and again concerned that the cell call might drop. I slowed down from my open-road speed of eighty miles an hour so I wouldn’t leave Victorville behind quite so quickly.

It was some time before Omar came back on the line. “I heard that high-pitched tone,” he said, and went “eeeeeeeeeeeeeeeeeeeeeeeeee” in imitation of the sound, which made me chuckle to myself—I had heard the tone and didn’t really need to hear his attempt to duplicate it.

He told me the call was originating from Oakland. “Cool,” I said. “Thank you, that’s a help. Give me the trunking information from your switch so we can trace it.”

He queried the switch and gave me the info.

My next call was to the Oakland Switching Control Center. “We’re trying to trace a call from the San Francisco 4E,” I said, and provided the trunking and network information. The tech put me on hold, then came back and gave me a 510 208-3XXX number.

I had now traced the call all the way to its origin. This was the phone number dialing out to one of the boxes in the Calabasas CO that was wiretapping Teltec.

I still wanted to know if that thousand-cycle tone would ever change. If it did, what would happen? Would I hear a data signal? Would I hear a phone conversation?

I called Omar back. “Hey, has anything changed with that tone?”

He answered that he had listened to it for about fifteen minutes and never heard any change.

I asked, “Is it possible to put the handset near the speaker so I can hear the tone? I want to run some tests.” He said he’d put the phone down next to the speaker and I could just hang up when I was done.

This was awesome—with that tone coming through to my cell phone, it was almost like the time I’d eavesdropped on the eavesdroppers at the NSA. I was wiretapping the wiretap—how ironic was that?

By now I was feeling nervous and excited at the same time. But holding the phone to my ear throughout this hours-long social-engineering session had given me an earache, and my arm was getting pretty sore as well.

As I was entering the stretch of desert leading into Barstow, the halfway point to Las Vegas, where the cell coverage was crappy, the call dropped. Damn!

I called Omar back, and he set up the connection again so I could keep listening to that thousand-cycle tone over his loudspeakers. I was hoping the tone would end at some point and I would hear something that would give me some clue to what was going on, what the tone signified.

Coming into view was a complex that served all the good-buddy truckers who drove eighteen-wheelers all day and all night. I pulled in to fill the gas tank of the car and then decided to check up on my dad, who was still suffering over Adam’s death.

With my cell phone tied up with the intercept, I found a pay phone to make the call to my dad. I dialed his number and held on while the phone rang. The high-pitched tone from the cell phone suddenly stopped.

What the hell?!

I grab the cell phone and hold it to my other ear.

My dad’s voice comes over the pay phone receiver as he answers:

“Hello.”

I hear him over the pay phone and at the same time over the cell phone!

Fuck!

I can’t believe this.

This intercept isn’t on Teltec anymore… it’s on my dad’s phone. The tap has been moved.

They’re intercepting us!

Oh, shit.

I try to sound calm but assertive, insistent. “Dad, I need you to go over to the pay phone at the Village Market across the street. I have some important news about Adam,” I tell him.

My wording has to be innocuous, something that won’t tip off the intercept listener.

“Kevin, what’s going on?” Dad says, angry at me. “I’m tired of these stupid James Bond games.”

I insist and finally manage to convince him.

I’m sweating. How long have they been intercepting my calls without my knowing? A thousand questions are running through my mind. Was Teltec really a target or was it an elaborate scheme concocted by Pacific Bell Security to trick me—a way of social-engineering the hacker? My heart is racing as I try to recall everything I said and did on the phone from my dad’s house. What did they hear? How much do they know?

After five minutes, I call the pay phone at the market. “Dad,” I tell him, “get the fucking computer out of the house. You need to do it now! Don’t wait! Those wiretaps, they’re not on Teltec anymore, those guys are listening to us! You gotta get the computer out right away—please!”

He agrees but sounds really pissed.

My next call is to Lewis, with the same message: “We gotta go into cleanup mode.” We agree we’ll each stash our notes and floppy disks in places where no one will be able to find them.

Let the government try to prosecute: no evidence, no case.

I arrived at my mom’s place in Las Vegas with my nerves shot. I kept obsessively playing over and over in my mind all the conversations they might have intercepted.

What if they’d heard me discussing SAS with Lewis? What if they had heard me social-engineering internal Pacific Bell departments? Just imagining either of those possibilities was giving me heartburn. I was half expecting the U.S. Marshals and my Probation Officer to show up at my door and arrest me.

I needed to know when that intercept had been installed on my dad’s line.

Maybe if I knew who had ordered the taps, I could find a way to discover whether they had picked up anything I should worry about.

The phone companies had been getting so many phone phreaks and PIs calling in lately that they had started requiring verification. So I called Dispatch, the office at Pacific Bell that handed out assignments to the techs in the field, and said, “I’ve got an arson situation here, I need to page some other techs. Who’s on call tonight?”

The operator gave me four names and pager numbers. I paged each of them to call the internal Pacific Bell number I had set up, then once again reprogrammed the call forwarding to go to the number that my cell phone was currently cloned to. When each tech responded to my page, I launched into my “setting up a database” routine.

Why? Because I was asking them for very sensitive information, and they weren’t going to give that out to just anybody. So my pretext was, “I’m setting up a database of people on call to handle mission-critical problems.” One by one, I’d first ask a series of innocuous questions—“May I get your name, please?” “You work out of which Dispatch Center?” “Who’s your manager?” Once they’d established a pattern of answering my questions, I’d ask for what I really wanted: “What’s your UUID? And your tech code?”

I got what I needed every time, as each tech rattled off his two pieces of verification (UUID, or “universally unique identifier,” and tech code), his manager’s name, and his callback number. A walk in the park.

With these credentials, I could now get back into the Line Assignment Office, the department I next needed information from.

Once my credentials had been verified, my request went like this: “I have an internal number here out of Calabasas—it’s one of ours. Can you find out the CBR number of the person who placed the order?”

“CBR” is telco-speak for “can be reached.” In effect, I was asking for the phone number where I could reach the person who’d issued the order to set up the line—in this case, the line for the thousand-cycle tone on the box tapping one of my dad’s phones.

The lady went off to do her research, then came back and told me, “The order was placed by Pacific Bell Security; the contact name is Lilly Creeks.” She gave me a phone number that began with the San Francisco area code.

I was going to enjoy this part: social-engineering the phone company’s Security Department.

Turning on the TV, I found a show with background conversation that I set at low volume, to sound like the occasional voices of typical office background noise. I needed to influence my target’s perception that I was in a building with other people.

Then I dialed the number.

“Lilly Creeks,” she answered.

“Hi, Lilly,” I said. “This is Tom from the Calabasas frame. We have a few of your boxes over here, and we need to disconnect them. We’re moving in some heavy equipment, and they’re in the way.”

“You can’t disconnect our boxes,” she answered in a voice verging on a screech.

“Listen, there’s no way around it, but I can hook them back up tomorrow afternoon.”

“No,” she insisted. “We really need to keep those boxes connected.”

I gave an audible sigh that I hoped sounded exasperated and annoyed. “We have a lot of equipment being swapped out today. I hope this is really important,” I said. “But let me see what I can do.”

I muted my cell phone and waited. After listening to her breathe into the handset for something like five minutes, I got back on the phone with her. “How about this? You stay on the line, I’ll disconnect your boxes, we’ll move the equipment into place, and then I’ll reconnect them for you. It’s the best I can do—okay?”

She reluctantly agreed. I told her it would take a few minutes.

I muted the call again. Using another cell phone, I called the Calabasas frame, explained to the guy who answered that I was with Pacific Bell Security, and gave all three numbers and their associated office equipment. He still had to look up the number in COSMOS to find out the frame location, based on the “OE.” Once he found each number on the frame, he was able to lift the jumper off for each line, which dropped the connection.

Ms. Creeks, sitting at her desk, would be able to tell when each connection was dropped.

While waiting for the frame tech to come back on the line and confirm that the jumpers had been pulled, I went to my fridge and got a Snapple to enjoy while picturing Lilly anxiously sitting in her office with her telephone to her ear.

Then came the part that the whole operation up to now had been just a lead-in for. Back on the line with Lilly, I said, “I’m done here. Do you want your boxes reconnected?”

She sounded annoyed. “Of course.”

“I’ll need the connection information for each line going into the three boxes.” She probably thought I must be a little slow-witted if I didn’t even know where the jumpers belonged that I had pulled just a few minutes earlier, but the request seemed credible because she had seen the connections drop: clearly she really was talking to the frame tech at the CO.

She gave me the information. I said, “Okay, I’ll be right back.”

I put the phone on mute again, then called back the tech in the Calabasas CO and asked him to reconnect the cables to “our security boxes.”

When he was finished, I thanked him and got back on the other phone. “Hey, Lilly,” I said, “I’ve hooked everything back up. Are they all three working?”

She sounded relieved. “Everything is coming back up now. It all seems to be working.”

“Fine. Just to double-check, what phone numbers should be connected to these boxes? I’ll do a line verification to make sure everything is connected properly.”

She gave me the numbers.

Shit! They weren’t wiretapping just one of my dad’s lines, they were wiretapping all three! I wouldn’t be having any more conversations over my dad’s phones, that was for sure.

I still needed to know when the taps had been installed, so I could gauge which of my conversations had been intercepted.

Later, Lewis and I, for kicks, wanted to listen in on some of the other phones that Pacific Bell was tapping.

There was a hitch: for added security, the boxes wouldn’t start monitoring a line until a valid PIN, or “personal identification number,” was entered. I had an idea: it was a long shot, with almost no chance of working, but I tried it anyway.

First I had to be able to call in to the monitor box at the CO. So I’d call the CO and tell the frame tech who answered the phone, “I need you to drop that line because we’re testing.” He’d do it, and Pacific Bell Security’s connection would then be dropped from the intercept.

I dialed in to the box and began guessing the passwords that might have been set up by the manufacturer: “1 2 3 4”… nothing. “1 2 3 4 5”… nothing. All the way up to the last one I figured was worth trying: “1 2 3 4 5 6 7 8.”

Bingo! Incredibly, the people at Pacific Bell Security had never changed the manufacturer’s default PIN on these boxes.

With that password, I now had a complete technique that would let me listen in on any of Pacific Bell’s intercepts anywhere in California. If I found out the Security Department had one of its boxes at the Kester CO, say, or the Webster CO, I’d get a frame tech to drop the line Pacific Bell was using to call the monitor box, and then I’d call in to the box myself and enter the default PIN, which was the same on every box. Then Lewis and I would listen in and try to figure out who was being intercepted.

We’d do this just for fun, just because we could, sometimes twice or three times in a week. After we identified the target’s phone number, we’d call Pacific Bell’s Customer Name and Location (CNL) Bureau, give the phone number, and get the name of the person being monitored. Once we were told the phone was listed to the Honorable Somebody-or-Other. A little research gave me the rest of it: the intercept was on the phone of a Federal judge.

For Lewis and me, listening to wiretaps was a game, a lark. For Pacific Bell Security investigators, it was part of the job. But one of the investigators, Darrell Santos, was in for a surprise. He came in to work one morning, went to have a listen to what had transpired on the intercepts he had placed on my dad’s lines, and discovered that all of Pacific Bell’s electronic surveillance had stopped in its tracks. There were no audio intercepts; everything was dead. Santos called the Calabasas frame and asked, “Are our boxes still working there?”

“Oh, no,” he was told. “Security from Los Angeles called and told us to disconnect them.”

Santos told the technician, “We don’t do any electronic surveillance out of Southern California: we do it all out of Northern California. So there’s no such thing as Los Angeles Security.”

That night Santos flew from his home base in San Francisco to Los Angeles and reattached all the surveillance boxes himself. To make sure nobody could be conned into disconnecting them again, he hid the boxes in the rafters above the racks of switching equipment.

Much later, in an interview for this book, Santos would recall, “This was a real big deal for us because now it hit home, it was personal. Kevin was listening to our calls, when we were in the business of trying to listen to his calls. Then he has our intercepts taken down. So it made us really change how we spoke on the phone and the messages we left. And we had to create some new ways to cover our tracks because we also had to protect the integrity of what law enforcement was doing with us, all of their court-ordered stuff.”

Maybe it was just as well that I didn’t know at the time what headaches I was causing them—otherwise I might not have been able to squeeze my big head through a doorway.

And maybe I would have been flattered to know, back then, that whenever anything like this happened at Pacific Bell, I immediately became the prime suspect. According to Santos, Kevin Poulsen had been number one on their internal most wanted list. Once Poulsen was behind bars, the revised list had a new name at the top: mine. The file they had on me going all the way back to my juvenile days was as thick as a big-city phone directory.

Santos said, “There were other hackers out there doing a lot of other things, but my opinion was that Kevin was the one who everyone was trying to emulate. I thought Kevin was the mouse and I was the cat, but sometimes it was the other way around.”

He added, “There were many leads we’d get from corporate security guys in other companies saying, ‘Hey, we’ve got this case, this guy’s getting us, do you think it could be Kevin?’ Every time something would pop up, it was always Kevin they’d suspect.”

As I say, I might’ve been proud to hear some of that back in the day, but just then I was feeling pretty frustrated. So far my talents hadn’t helped me uncover any of Eric Heinz’s backstory. Lewis and I had been going around and around with each other over our doubts concerning him. Sure, he knew lots of stuff about phone company systems and procedures, even some stuff Lewis and I hadn’t been aware of. But A, he wasn’t willing to share much of anything. And B, he was forever asking those kinds of questions, the kinds hackers just don’t ask one another: “Who are you working with?” and “What projects have you been doing lately?” and so on.

It was time for us to meet the guy face-to-face and see if getting to know him a little better would put our suspicions to rest. And if he was for real, maybe he could even help me learn when those taps had been placed on my dad’s lines.