“Mr. Norden” must have known the jig was close to being up at that point. “He got scared,” says Perrin. Two days later he called the phone company and canceled his telephone service. Three days after that, Perrin says, he seemed to have a full-fledged panic attack. They were on to him, it seemed clear. Better to switch sides now, he must have thought, while the switching was good.
On November 24, 1975, “Robert P. Norden” picked up the phone and called Wayne Perrin. Over the course of a wide-ranging two-hour conversation, Perrin wrote, he “related numerous items concerning toll fraud involving 611 toll trunks, toll fraud concerning the use of call diverters, a scramble-descrambling method used to monitor telephone conversations at any location in the country and his ability to access numerous kinds of telephonically secure systems.” That fateful phone call began his new career as an informant, perhaps the single most effective phone phreak informant that the telephone company ever had.
The two met and spoke numerous times over the next several weeks. “Norden” was convinced the phone company was “three days away” from swooping down and arresting him. They weren’t, says Perrin, but since “Norden’s” worries made him talkative and anxious to cooperate, Perrin wasn’t about to correct him in this regard. Perrin described this paranoid phone phreak as being in his “early twenties, five-foot-eleven, approximately 145 to 150 pounds, dark brown hair and eyes, extremely grubby” with hair that “comes to the shoulders, sideburns down to the chin line with a partial muttonchop.” Perrin’s notes give a bit of insight into his psyche.
Mr. Norden, often times, loses sight of his perspective, he attempts to keep everything on a “we, he, they” basis but often times gets so involved in his descriptions he changes to “I” and “me” [. . .] If you catch it, he will finally admit to you on a rough basis that he was actually involved or did the act. He is extremely egotistical, very easy to work with if you do not apply any pressure. You can question him subtly, if you question him violently he will react and want to back off. Mr. Norden is extremely nervous about being followed or whisked away by Secret Service or CIA or FBI. He is so paranoid about the situation that he looks over his shoulder at everything and anybody, with the exception of young ladies.
Finally, after many meetings, Perrin learned “Norden’s” real name: Paul Sheridan.***
***A pseudonym.
Perrin didn’t know what to make of Sheridan, this unkempt and unsettled kid who made outlandish claims about all the crazy things he could do with a telephone. He had mastered all sorts of telephone tricks and was thoroughly plugged in to the Los Angeles phone phreak scene. He seemed to know everyone, from the kids who hung out on LA loop arounds to the John Drapers and Bill Ackers of the world. But Sheridan brought an intensity and an intelligence to his endeavors that not everyone had. He was quick-witted, foulmouthed, verbally gifted, and had a telephonic self-confidence—really more of an arrogance—that made him a talented social engineer. Being able to make free phone calls was apparently the least of his skills. Sheridan admitted to being part of the Santa Barbara nuclear hoax a few years earlier. He said he could wiretap phone calls with a blue box. He bragged of breaking into the military’s telephone network and getting the U.S. Air Force Strategic Air Command in Omaha, Nebraska, on the horn. He could scramble nuclear bombers by doing this, he claimed. He said he had a special 800 number that went directly to the White House; he boasted that he could get President Ford on the line any time he wanted. In fact, he claimed, he had spoken to the president several times by phone.
The president? Really?
“We did not believe that,” Perrin recalls. So Perrin and his colleague Bill Cheney decided to try it out. They got the 800 number from Sheridan and gave it a try from their office in Pasadena. “Here’s two grown adult men, we’re sitting in Cheney’s office, and we dial that number up and we got right to the second floor of the White House. It scared the crap out of us! We hung up!”
That was the problem, really. It would be easy enough to dismiss these crazy things Sheridan was saying, but they all seemed as if either they actually were true or they might be true. It was a great combination—claims that were impossible to discount and disturbing as hell.
Among Sheridan’s most disturbing claims was that phone phreaks could break into autovon. Though it sounds like a German highway, autovon—short for Automatic Voice Network—was the U.S. military’s telephone network. It started in the United States in the early 1960s but later expanded into other countries where the United States had military bases.
For the most part autovon looked and felt like the plain old telephone network that civilians used. This was no great surprise.autovon was built by AT&T, General Telephone, and Automatic Electric, the same companies that built the civilian telephone network, and they reused as much technology as they could. autovon telephone numbers were seven or ten digits long, just like normal ones. Internally, autovon used multifrequency signaling, just as the civilian network did. You could even call into the regular telephone system from autovon, though you weren’t supposed to be able to go the other way.
However, autovon had some features that made admirals and generals, network engineers, and phone phreaks salivate. Put into operation just a year after the Cuban missile crisis, autovon was a child of the cold war, a telephone network designed to withstand a nuclear attack. The civilian telephone system was built on Bell’s hierarchical network concept, one in which lower-level switching centers forwarded calls to higher-level ones. The higher-level switches, the brainy ones like 4A crossbars, had lots of trunks to other cities. This approach made economic sense, because it minimized the number of switching centers and long-distance lines you needed. But it made military planners worry. What if the higher-level switching centers got taken out by Russian nukes? Civilian telephone central offices were what the military called “soft targets”; they might be solid buildings but they simply weren’t designed to withstand a nearby nuclear blast.
What the military needed, the Pentagon decided, was a “survivable” telephone system, one that could survive a nuclear war. With help from the phone company, the Defense Communications Agency began constructing its own network of telephone switching centers, about seventy of them throughout the United States. Many of these were underground, in hardened bunkers. Unlike the civilian telephone network, autovon was nonhierarchical; there were many more trunk lines between autovon switches than in the civilian network, and they tried to minimize the importance of any one switch. That way the Soviets couldn’t take out just a couple of switching centers and bring down the entire military phone system.
The other unique thing about autovon was something called “precedence.” In the 1960s, the civilian telephone network wasn’t as developed as it is today; there just weren’t enough long-distance telephone circuits. So sometimes you’d try to make a long-distance call and you’d be treated to a recording telling you, primly, “We’re sorry, all circuits are busy now. Won’t you please try your call again later?”
That didn’t sit well with the military brass. If you’re calling the president to let him know the country was under attack, you don’t want to have to listen to any recordings about all circuits being busy. So the Defense Communications Agency and its telephone company contractors came up with a scheme called precedence dialing, the idea being that some calls are more important than others. If you’re ordering pizza, that’s low precedence. If you’re reporting war with the Soviets, that’s high precedence. If the network was busy, higher-precedence calls trump lower-precedence calls, automatically booting them and seizing their lines if necessary to get the important traffic through. This led to autovon touch-tone phones having sixteen buttons, not just the twelve we’re used to. These extra buttons weren’t just any buttons. They were shiny and red, arranged in a neat military column to the right of the keypad. They were labeled, cryptically, “FO,” “F,” “I,” and “P.”
&
nbsp; That is: Flash Override. Flash. Immediate. Priority. The precedence levels, in other words. Flash Override was the highest precedence, to be used only by the president, secretary of defense, members of the Joint Chiefs of Staff, or commanders reporting an attack on the United States.
Be honest. Who doesn’t want a phone on his desk with a Flash Override button? Even if you’re just ordering a pizza, wouldn’t it make you feel good to press Flash Override first? Nothing says “I’m important” like Flash Override.
autovon was an ego blow job delivered via a sixteen-button keypad. The admirals and generals loved it. So did the network engineers. And so did the phone phreaks. It was, after all, another network—one with cool buttons—to explore.
Perrin struggled with what to do about Sheridan. “He would call in. He would talk so fast, you couldn’t write fast enough, so we recorded everything that he gave us and then later on we transcribed it and we just told him that we wrote fast,” Perrin recalls. “He was telling you things . . . I mean, he starts telling you stuff about getting into the Russian satellite system and I have no idea about the Russian satellite system. I mean, I didn’t even know about autovon. So from the standpoint of its functionality and those kinds of things, he was talking way past what I could understand.”
Perrin spent a day or two trying to figure out what to do. Finally he decided to get the FBI involved. The Bureau might have a better idea of how to handle things. And maybe it was hooked up with technical spooks who might be better able to evaluate Sheridan’s claims. Perrin met with the FBI on December 5, 1975. He gave their agents an overview of the Sheridan matter and described the various outlandish claims that Sheridan had made. Perrin felt that there was enough information on Sheridan at this point to charge him with threatening to “bomb the telephone company”—remember the creepy late-night phone calls and bomb threats that started this whole thing—but he wasn’t sure if that was the right way to go. Perhaps the FBI had some ideas. Maybe they could call Strategic Air Command in Omaha or the Secret Service in Washington and check some of this stuff out?
The FBI agents didn’t seem to take things very seriously, Perrin says. They told him that they would get back to him.
Meanwhile, the question of what to do about Sheridan was also making its way up the food chain within the telephone company. Pacific Telephone, where Perrin worked, was the Bell System’s West Coast operating company. Like all the local Bell companies, it reported to AT&T, its corporate parent, at 195 Broadway in New York City. Pacific Telephone decided to get AT&T involved, since Sheridan was talking about things that were bigger than just California, things like autovon and defense systems and satellites. In turn, the higher-ups at AT&T corporate headquarters decided they needed to talk to the Justice Department about it, since United States government communications were involved. AT&T higher-ups had throw weight. A meeting was soon scheduled with the attorney general in Washington, D.C., on December 17, 1975. In the meantime, AT&T decided that this matter was to be held in the strictest confidence. And that meant Perrin couldn’t talk to anyone about it anymore. Anyone, Perrin asked? Did that include the FBI? Anyone.
Physics teaches us that the fastest thing in the universe is the speed of light. Common sense and organizational politics teach us the fastest thing is actually the rumor mill. So it was no surprise, Perrin says, that the FBI somehow instantly got word that its bosses at the Justice Department would soon be meeting with AT&T officials regarding this Sheridan kid. Suddenly the FBI was very interested. It was suddenly decided the Bureau needed to talk to Perrin immediately. But now Perrin couldn’t talk to the Bureau. Perrin put the FBI off until the meeting with the attorney general, where it was decided, predictably, that the FBI was the right agency for the phone company to work with on this matter.
On December 22, 1975, Perrin took Sheridan to meet with Special Agent Bob Jacobs. Jacobs was one of the FBI Los Angeles tech squad or “sound” agents. He and his fellow tech squad agents were responsible for the Bureau’s high-tech field ops in the Los Angeles area, things like wiretaps, room bugs, and car tracking devices. Jacobs and Sheridan seemed to hit it off. Among other things they discussed Sheridan visiting Draper in person next week. Could Sheridan bring back information or documents from Draper? Maybe. Could the Bureau help Sheridan out a little bit with his rent? Maybe.
On January 7, 1976, Perrin met with Special Agent Bill Snell, one of Jacob’s FBI tech squad colleagues. Sheridan’s visit to Draper had born fruit. Snell gave Perrin a four-page typeset technical document that Sheridan had gotten from Draper titled “autovon Access Info.” Sheridan even offered to demonstrate the techniques described in the document for the FBI and AT&T if they wanted. Sheridan also told the FBI that Draper had a small assembly line going for red boxes that were to be sold in the near future. He was actively using a blue box from the house across the street from People’s Computer Company, or PCC, a small nonprofit in Menlo Park dedicated to teaching people about computers. And Draper was also red boxing from a pay phone just down the street from PCC, Sheridan reported.
The autovon document caused quite a stir. It described, in detail, how to use a blue box to access the military’s phone system from the civilian telephone network via a phreaking technique called guard banding. Guard banding added a higher-pitched tone—usually 3,200 Hz, or seventh octave G—into the 2,600 Hz normally used by a blue box to reset a trunk line. If your call went through several telephone switches, guard banding allowed you to control exactly which switch you were talking to, simply by varying the volume of this higher-pitched tone. This in turn meant that you could stack tandems, building up a call to a particular place one link—in other words, one telephone switch—at a time. This was similar to the tandem stacking technique described in the Esquire article, but guard banding was a newer and more powerful method that worked on a wider variety of telephone switches, including the brainy 4A toll tandems.
Sheridan’s document explained how guard banding could be used to hack into autovon. First you call directory assistance in Alaska and whistle off with 2,600 Hz. You’re now talking to a civilian telephone switch in Alaska that also happened to have connections to the military’s autovon telephone network. You’d then use your blue box to tell the Alaska switch to connect you to a military telephone switch at Kalakaket Radio Relay Station in Alaska, originally part of the military’s Arctic communication system for the Distant Early Warning line. You’d then use guard banding to send a mix of 2,600 Hz and 3,200 Hz down the line. This skips over the Alaska switch and instead resets your connection to the Kalakaket Creek switch, which then waits for your commands. You now use your blue box to send Kalakaket Creek digits to get you to Pedro Dome Radio Relay Station, also in Alaska. By adding this second link on to your call, you’re now fully inside the military’s network; as far as Pedro Dome is concerned, you came in from the U.S. Air Force network via Kalakaket Creek station and thus look like a completely legitimate military telephone user. This means you can now tell Pedro Dome to connect you to whatever autovon telephone number you want. You can even set the precedence of your call, from routine up to Flash Override, just by sending the right digits with your blue box.
AT&T representatives met with the FBI in Washington, D.C., on January 9 to discuss the autovon problem. AT&T Long Lines security supervisor Nelson Saxe recalls, “The FBI’s biggest concern was: can the phone phreaks scramble fighters by using autovon?” AT&T hastened to assure them that this wasn’t possible; it might be possible to order pilots to their aircraft using autovon, but any orders to actually launch aircraft would have to come over a separate, point-to-point alerting network called JCSAN/COPAN. And the phone phreaks hadn’t broken into JCSAN/COPAN. Well, not as far as anyone knew, anyway.
As these things go, it was not the most reassuring of reassurances.
Discussion turned to Sheridan’s offer to demonstrate autovon access. The FBI favored a demo in Los Angeles, and soon. Sax
e’s notes from the meeting show that agents in the FBI’s Los Angeles office felt Sheridan was “mentally unstable” and might “go off” at any time. Who knew how long they had to work with him? AT&T attorneys were against a Sheridan demo, arguing that the less contact anyone had with the informant the better. After all, how were they going to successfully prosecute Sheridan if he could later stand up in court and tell the jury, “Not only did the phone company and FBI know I was playing with the autovon network, they asked me to demonstrate it to them!” And since the FBI and AT&T now had a detailed document describing exactly how to break into autovon, why did they need a demonstration from Sheridan? Couldn’t the engineers at Bell Labs just duplicate his attack on their own? In fact, it wasn’t clear that Sheridan himself had actually ever accessed autovon. He simply may have gotten the information from Draper and might not actually know how to do it himself. It wouldn’t help anybody if there really was a security vulnerability in autovon, but Sheridan convinced them all otherwise by botching the demo. As Saxe put it, “We’re not about to go out to Los Angeles to see Sheridan fail to get a call through on autovon!”
In the end, the FBI was holding all the cards that mattered; the Bureau had the informant and it wanted a demo. If the AT&T people didn’t want to attend, well, that was AT&T’s business.
AT&T relented. Plans began forming for a joint FBI–AT&T demo of autovon hackery in Los Angeles in a week or two.
Nineteen
Crunched
THE SAME MONTH that Paul Sheridan was starting his career as an informant for both Pacific Telephone and the FBI and being asked to take trips up to the Bay Area to snuffle around John Draper, the December 1975 issue of the phone phreak newsletter TAP carried the following letter to the editor.
Exploding the Phone : The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell (9780802193759) Page 30