Above all, though, Weigman is still a teenager. While he expresses remorse over his swatting attacks, he takes giddy pleasure in recounting his other exploits — whether punking celebrities or playing the phone companies like an Xbox. “The phone system and infrastructure is just weak,” he says. “I had access to the entire AT&T and Verizon networks at times. I could have shut down an entire area.” Then he segues into an earnest pitch for a future job. “I’d love to work for a phone company, just doing what I do legally,” he says. “It’s not about power. I know the phone and telecommunication systems and can be a crucial part of any company.”
This is one graph out of a very interesting phreaking story here. Most that read this board probably know what a phreak is — someone who manipulates the PSTN network for fun. Please do read the whole thing, its interesting.
But the sobering side shows just how vulnerable our telecommunications on PSTN is at two levels. A) That it can be socially engineered around. B) That the infrastructure itself is very naive.
The latter first. Back in the 60′s two things happened. The Bells figured out how to design a computer that could operate like the old mechanical stepper CO switches without all the support issues. The second was the development of FSK keying better know to the public as touchtone. Both developments design at a time when shall we say the world that America operated in was one of innocence. The thoughts were, why would anybody muck with the phone systems? Its dull boring stuff that even those in the companies found only peripherally interesting. It never occurred to anyone that Bell could represent a ‘respectable’ challenge to manipulate.
Consider touchtone® its basically a two tone modulated signaling system. Barely a step up from Morse code. Its weak link is that it is in the human audio range. From a security perspective probably the worst set of choices one could make. Tones can be recorded. Tones can be generated to overcome the system (a blue box.) Compared to systems to day, its a security nightmare.
Then there are the companies themselves. For years, even while I was there, if you were ‘in the Bell loop’ you were a trusted entity. The companies are vast and diverse. If you work there you live on the phone, conduct most business via long distance and for the most part rarely if ever physically meet the people you interoperate with on a daily basis. It worked quite well so long as parties worked on the knowledge that their peers could be trusted. And why not? You were an employee!
That breaks down when outsiders can mimic the technobabble that is used in the industry. Even though employees are trained to spot interlopers, a 10% failure rate in that regard opens a large bundle of opportunity. Security training is required yearly at most Telcos. They still do it. But here is the interesting thing. To my knowledge none of them have implemented the simplest of measures for providing secure lines for fraud, security, and collection departments. Its one of the prime reasons that phreaking works.
Still sound droll, even with a possible threat of a swatting attack going wrong? Well then think about this before you go to bed tonight — What could Weigman have done had he been hired by terrorists?