SEVENTEEN Pulling Back the Curtain

Pulling Back the Curtain
Epib qa bpm vium wn bpm ixizbumvb kwuxtmf
epmzm Q bziksml lwev Mzqk Pmqvh?
N
ow that we had access to SAS, Lewis and I wanted to get the dial-up
numbers for all the central offices, so we would have the ability to monitor
any phone in Pacific Bell’s coverage area. Rather than having to social-
engineer a Pacific Bell employee to give us the dial-up number every time
we wanted access, we would have them all.
I had learned from the employee in Pasadena, the guy who read the
copyright line for me, how they used SAS. The tester had to manually enter
the dial-up number for the RATP for the central office of the line to be
tested. The testers had a list of dial-up numbers for the RATPs in all the
central offices they managed.
Small problem: How could I get a copy of the SAS dial-up numbers for
all the central offices when I didn’t know what the damned list was called?
Then I realized there might be a way. Maybe the information was already
available in a database. I called the group in Pasadena that used SAS to run
tests on a line when a subscriber was having phone problems. I called that
group, identified myself as being “from Engineering,” and asked if I could
look up the SAS dial-up numbers in a database. “No,” was the answer,
“there’s no database. It’s only in hard copy.”
Bummer. I asked, “Who do you call when you’re having a technical
problem with an SAS unit?”
Another example of how willing people are to help out somebody they
have reason to believe is a fellow employee: the guy gave me the phone
number of a Pacific Bell office in the San Fernando Valley. Most people are
sooo willing to be helpful.

I called there, got a manager on the line, and told him, “I’m from
Engineering in San Ramon,” the location of the major Pacific Bell
engineering facility in Northern California. “We’re putting the SAS dial-up
numbers into a database, so we need to borrow a complete listing of all the
numbers. Who has a copy of that?”
“I do,” he said, swallowing my story without hesitation, because he was
a guy buried deep within the Pacific Bell internal organization who
wouldn’t think an outsider would have any way of finding him.
“Is it too long to fax?”
“About a hundred pages.”
“Well, I’d like to pick up a copy for a few days. I’ll either come by for it
myself or have somebody pick it up for me. That okay?”
He told me where to find his office.
Again Alex was excited about being a front for me. Dressed in a
business suit, he drove over to the Pacific Bell facility in the San Fernando
Valley. But the man didn’t just hand him the package, as we expected.
Instead he pressed Alex about why he needed the information.
It was an awkward moment. This was in the spring, in Southern
California. It was warm outside. And Alex was wearing 
gloves
.
When the guy saw Alex’s gloved hands, he looked at him and said, “Can
I see your ID?”
Another uncomfortable moment.
Few things in life are more valuable than being able to think on your
feet in a situation that would be flop-sweat time for most people.
Alex nonchalantly said, “I’m not with Pacific Bell. I’m a sales associate
on the way to a Pacific Bell meeting downtown. They asked me, as a favor,
if I would swing by and pick this up.”
The man looked at him for a moment.
Alex said, “It’s okay—if it’s a problem, it’s no big deal,” and he turned
as if he were going to start walking away.
The guy said, “Oh, no, no—here,” and held the package out to Alex.
Alex was wearing an “I did it!” grin when he presented me with the
binder containing all the dial-up numbers for the SAS units at every central
office in Southern California.
After we had copied the pages, Alex went to a public Pacific Bell
customer billing office and convinced a secretary to put the package into
intracompany mail to be returned to the man who’d let him borrow it—

covering our tracks by avoiding having any questions raised about a
missing binder that could lead to a discovery SAS had been compromised,
while at the same time leaving Alex untraceable.
One day, I had a gut feeling that Lewis could also be the target of an
investigation. Checking just as a precaution, I discovered intercepts on all
the phone lines at the company where Lewis worked, Impac Corporation.
Why? Could Eric have anything to do with this? Lewis and I decided to
phone Eric and see if we could trap him into revealing anything about it.
Lewis handled the call, with me listening and prompting.
Eric mostly responded with a noncommittal 
Hmm
sound. Finally he
said, “Sounds like you guys got some problems.” Well, thanks. That wasn’t
any help.
Eric asked, “What’s one of the monitor numbers? I’d like to call in and
see what I get.” Lewis gave him the monitor number that was in use for
intercepting one of the Impac lines: 310 608-1064.
Lewis told him, “Another strange thing—I now have an intercept on the
phone in my apartment as well.”
“Pretty weird,” Eric replied.
Lewis said, “What do you think is going on, Eric? Kevin keeps asking
me these questions. He would like you to speculate. Could there be law
enforcement involvement?”
“I don’t know.”
Lewis pushed: “Just say yes, so he’ll quit asking.”
Eric said, “I would think no. I think it’s just the phone company.”
“Well, if they’re going to monitor all the lines at the place I work,
they’re going to have to listen to thousands of calls a month,” Lewis
answered.
The next day, with me listening over speakerphone, Eric called Lewis, who
started by asking, “Are you calling from a secure line?”
Eric answered, “Yes, I’m calling from a pay phone,” and then launched
into another of his “You’ve got to respect my privacy” complaints.
Then, seemingly out of the blue, he asked Lewis, “Have you installed
any of the CLASS features at work?”

He was referring to “custom local area signaling services” such as caller
ID, selective call forwarding, return call, and other features that weren’t
available to the general public. If Lewis said yes, he would be confessing to
an illegal act.
Before Lewis had a chance to deny it, we heard a call waiting signal on
Eric’s end.
I said to Lewis, “Since when do pay phones have call waiting!?”
Eric muttered that he had to get off the line for a minute. When he came
back on, I challenged him about whether he was calling from a pay phone.
Eric changed his story, now saying he was calling from a girlfriend’s.
While Lewis continued the conversation, I called Eric’s apartment. A
man answered. I tried again, in case I had misdialed. Same man. I told
Lewis to press him about it.
Lewis said, “Some guy is answering your home phone. What the hell is
this all about, Eric?”
He said, “I don’t know.”
But Lewis kept pressing. “Who’s in your apartment, Eric?”
“Well, I don’t know what’s going on. No one’s supposed to be in my
apartment. I’m going to go check it out,” he answered. “With all the stuff
that’s happening, I’m going into secure mode. Keep me posted.” And he
hung up.
So many lies about little things that didn’t matter.
Eric was becoming a mystery to solve, equal to the mystery of the intercept
boxes. So far, all I had on that was three numbers originating from
somewhere in Oakland that were connected to the boxes.
Where, physically, were the monitor calls originating from? Not very
difficult to find out. I simply called MLAC, the Mechanized Loop
Assignment Center, provided one of the phone numbers, and was given the
physical address where the telephone line was located: 2150 Webster Street,
Oakland, the offices of Pacific Bell’s Security Department. They had
previously been located in San Francisco but had since moved across the
bay.
Great. But that was just one of the numbers. I wanted to know 
all
of the
numbers Pacific Bell Security was using to connect to its secret monitoring
boxes. I asked the MLAC lady to look up the original service order that had

established the one phone number I had already discovered. As I expected,
the order showed that multiple other phone numbers—about thirty of them
—had been set up at the same time. And they were originating from what I
thought of as the “wiretapping room,” where they were recording the
intercepts. (Actually, I would find out much later that there was no
dedicated wiretapping room; when a call started on any of the lines being
monitored, it would be captured on a voice-activated recorder on the desk
of whichever security investigator was handling that case, to be listened to
whenever he or she had the opportunity.)
Now that I had the monitor numbers, I needed to figure out where each
one was calling out to. First I called each of the numbers, knowing that any
of them that didn’t give me a busy signal must not be actively in use for
wiretapping; those, I ignored.
For all the others, the ones that were currently in use for intercepts, I
called the Oakland SCC and social-engineered a switch tech into
performing a query call memory (QCM) command on the DMS-100 switch
serving that number (a QCM gives the last phone number called from that
phone). With this new information, I now had a list of dial-up monitor
numbers for each active Pacific Bell wiretap in the state of California.
The area code and prefix of the monitor number identified which central
office the wiretap was in. If Lewis or I knew anyone who had a phone
number served out of a CO where a wiretap was active, I would call the
central office, say I was from PacBell Security, and explain, “We have one
of our boxes there. I need you to trace out the connection.” After a couple
of steps I would have the target phone number that the intercept was placed
on. If it didn’t belong to anybody I knew, I’d go on to explore the next one.
I kept checking on intercepts as a precaution, watching my back while
focused on the crucial task of trying to figure out what Eric was really up
to. One approach came to mind that hadn’t occurred to me before. I called
the Switching Control Center that managed the switch providing Eric’s
telephone service and convinced the tech to perform a line-history block, or
LHB, a way of getting a report on the last phone number dialed from a
phone line served by a 1A ESS switch.
After that I started calling for LHBs on him up to several times a day, to
find out what numbers he was calling.

One of the numbers made me break out in a cold sweat. Eric had called
310 477-6565. I didn’t need to do any research. It was seared into my
memory:
The Los Angeles headquarters of the FBI!
Fuuuck
.
I called Lewis at work from my cloned cell phone and said, “Turn on
your ham radio.” He knew that meant something entirely different: it meant,
“Turn on your cloned cell phone.” (He was the kind of person who liked to
focus on one thing at a time; when he was addressing the task at hand, he’d
turn off his cell phone and pager so they wouldn’t interrupt his train of
thought.)
When I got him on the safe cell phone, I told him, “Dude, we’re in
trouble. I did an LHB on Eric’s line. He’s fucking calling the FBI.”
He didn’t seem concerned. Entirely without emotion. 

Download 2,97 Mb.

Do'stlaringiz bilan baham: