The New Wild West

This article was originally written for and published at N-O-D-E on August 3rd, 2015. It has been posted here for safe keeping.


A few years ago, I was fortunate enough to work professionally with low energy RF devices under a fairly large corporation. We concerned ourselves with wireless mesh networking and were responsible for tying together smart devices, like light bulbs or door locks installed in your home, into an information-driven digital conglomerate. You know those commercials you see on TV where the father remotely unlocks the door for his child or the businesswoman checks to make sure she left the patio light on? That was us. At the touch of a button on your tablet, miles away, you can open the garage door or flip on the air conditioner. These are products that are designed to make life easier.

In research and development, we view things differently than the stressed-out, on-the-go homeowner might. We don’t necessarily think about what the user might want to buy, but ask the question, “when we roll these things out, how will people try to exploit and break them?” In the confines of a tall, mirror-glass office building, my packet sniffer lights up like a Christmas tree. Devices communicate in short bursts through the airwaves, chirping to one another for all to hear. Anyone with the curiosity and some inexpensive hardware can pick up this kind of traffic. Anyone can see what is traveling over the air. Anyone can intervene.



Things weren’t so different a few decades ago. Back in the ‘70s we saw the rise of the phone phreak. Explorers of the telephone system, these pioneers figured out how to expertly maneuver through the lines, routing their own calls and inching further into the realm of technological discovery. We saw innovators like John Draper and even Steve Wozniak & Steve Jobs peeking into the phone system to see how it ticks and what secrets they could unlock. It wasn’t long before people started connecting their personal microcomputers to the phone line, lovingly pre-installed in their houses for voice communication, and explored computerized telephone switches, VAXen, and other obscure machines — not to mention systems controlled by third parties outside the grasp of good old Ma Bell.

This was the wild west, flooded by console cowboys out to make names for themselves. The systems out there were profoundly unprotected. And why not? Only people who knew about these machines were supposed to be accessing them, no use wasting time to think about keeping things secure. Many machines were simply out there for the taking, with nobody even contemplating how bored teenagers or hobbyist engineers might stumble across them and randomly throw commands over the wire. If you had a computer, a modem, and some time on your hands, you could track down and access these mysterious systems. Entire communities were built around sharing information to get into computers that weren’t your own, and more of these unsecured systems popped up every week. It seemed like the possibilities were endless for the types of machines you would be able to connect to and explore.

Today, many will argue that we focus much more on security. We know that there are those who are going to probe our systems and see what’s open, so we put up countermeasures: concrete walls that we think and hope can keep these minds out. But what about newer technologies? How do we handle the cutting edge? The Internet of Things is still a relatively new concept to most people — an infant in the long-running area of computing. We have hundreds if not thousands of networked devices that we blindly incorporate into our own technological ecosystems. We keep these devices in our homes and on our loved ones. There are bound to be vulnerabilities, insecurities, cracks in the armor.


Maybe you don’t like the idea of outlets that know what is plugged into them or refrigerators that know when they’re out of food. Maybe you’re a technological hold-out, a neo-luddite, a cautious person who needs to observe and understand before trusting absolutely. This may feel like the ultimate exercise of security and self-preservation, but how much is happening outside of your control?

When the concept of ubiquitous computing was first developed by Mark Weiser at Xerox PARC in the late ‘80s, few knew just how prominent these concepts would be in 25 years. Ubiquitous computing pioneered the general idea of “computing everywhere” through the possibility of small networked devices distributed through day-to-day life. If you have a cellular telephone, GPS, smart watch, or RFID-tagged badge to get into the office, you’re living in a world where ubiquitous computing thrives.

We’ve seen a shift from the centralized systems like mainframes and minicomputers to these smaller decentralized personal devices. We now have machines, traditional personal computers and smart-phones included, that can act independent of a centralized monolithic engine. These devices are only getting smaller, more inexpensive, and more available to the public. We see hobby applications for moisture sensors and home automation systems using off-the-shelf hardware like Arduinos and Raspberry Pis. The technology we play with is becoming more independant and increasingly able when it comes to autonomous communication. Little intervention is needed from an operator, if any is needed at all.

For all of the benefits we see from ubiquitous computing, there are negatives. While having a lot of information at our fingertips and an intuitive process to carry out tasks is inviting, the intrusive nature of the technology can leave many slow to adopt. As technology becomes more ubiquitous, it may also become more pervasive. We like the idea of a smart card to get us on the metro, but don’t take so kindly to knowing we are tracked and filed with every swipe. Our habits have become public record. In the current landscape of the “open data” movement, everything from our cell phone usage to parking ticket history can become one entry in a pool of data that anyone can access. We are monitored whether we realize it or not.


We have entered uncharted territory. As more devices make their way to market, the more possibilities there are for people to explore and exploit them. Sure, some vendors take security into consideration, but nobody ever thinks their system is vulnerable until it is broken. Consider common attacks we see today and how they might ultimately evolve to infect other platforms. How interesting would it be if we saw a DDoS attack that originated from malware found on smart dishwashers? We have these devices that we never consider to be a potential threat to us, but they are just as vulnerable as any other entity on the web.

Consider the hobbyists out there working on drones, or even military applications. Can you imagine a drone flying around, delivering malware to other drones? Maybe the future of botnets is an actual network of infected flying robots. It is likely only a matter of time before we have a portfolio of exploits which can hijack these machines and overthrow control.

Many attacks taken on computer systems in the present day can trace their roots back over decades. We see a lot of the same concepts growing and evolving, changing with the times to be more efficient antagonists. We could eventually see throwbacks to the days of more destructive viruses appear on our modern devices. Instead of popping “arf arf, gotcha!” on the screen and erasing your hard drive, what if we witnessed a Stuxnet-esque exploit that penetrates your washing machine and shrinks your clothes by turning the water temperature up?

I summon images from the first volume of the dystopian Transmetropolitan. Our protagonist Spider Jerusalem returns to his apartment only to find that his household appliance is on drugs. What does this say about our own future? Consider Amazon’s Echo or even Apple’s Siri. Is it only a matter of time before we see modifications and hacks that can cause these machine to feel? Will our computers hallucinate and spout junk? Maybe my coffee maker will only brew half a pot before it decides to no longer be subservient in my morning ritual. This could be a far-off concept, but as we incorporate more smart devices into our lives, we may one day find ourselves incorporated into theirs.


Just as we saw 30 years ago, there is now an explosion of new devices ready to be accessed and analyzed by a ragtag generation of tinkerers and experimenters. If you know where to look, there is fruit ripe for the picking. We’ve come around again to a point where the cowboys make their names, walls are broken down, and information is shared openly between those who are willing to find it. I don’t know what the future holds for us as our lives become more intertwined with technology, but I can only expect that people will continue to innovate and explore the systems that compose the world around them.

And with any hope, they’ll leave my coffee maker alone.



[WANTED] How to Build A Red Box VHS

I was looking though old issues of Blacklisted! 411 and found an advertisement in a 1995 issue for a 60 minute VHS tape about how to build a red box using a Radio Shack pocket tone dialer. For those who don’t know, red boxes were popular in the ’90s and used by phreakers, scammers, and those who just wanted free payphone calls. By modifying pocket dialers (or even just recording sounds that coins made as they were dropped into a phone), anyone could make a red box which would mimic the tones produced when coins were inserted into a payphone. This means that anywhere you take your red box, you can play back the tones and get free phone calls.

Anyway, this video was made and sold in 1995 by East America Company in Englewood, New Jersey. It retailed for $39 (Plus $5 shipping) and I would love a copy. See the image below for a review of the tape and the original advertisement.



Hacking History – A Brief Look Into Philly’s Hacking Roots

This article was originally written for and published at Philly2600 on November 4th, 2013. It has been posted here for safe keeping.

The tech scene in Philadelphia is booming. We have local startups like Duck Duck Go and TicketLeap, and we have co-working spaces like Indy Hall and Philly Game Forge. We have hackathons like Apps for Philly Transit and Start-up Weekend Health, and we have hackerspaces like Hive 76 and Devnuts. We have user groups like PLUG and PSSUG, and we have conferences like Fosscon and PumpCon. We have events like Philly Tech Week and TEDxPhilly, and we have security meet-ups like PhillySec and, yeah, Philly 2600. The hacker spirit is alive and well in the city of brotherly love, but where did all of this pro-hacker sentiment come from? What came before to help shape our current tech-centric landscape?

It’s surprisingly difficult to approach the topic from the present day. I haven’t been there since the beginning, and the breadcrumbs left over from the era are few and far between. We are left with hints though, but usually from more analog sources. The first issue of 2600 that includes meeting times is volume 10, issue 2, from 1993. Philly 2600 is listed here with numerous others (making the meeting at least 20 years old), but how long did the meeting exist before this? We also know that Bernie S., longtime 2600 affiliate, was the founder of the Philadelphia 2600 chapter. Other than that, there is little to find on paper.


First listing of the Philadelphia 2600 meeting in 2600 Volume 10, Issue 2 (1993).

But what else can we dig up? We do have some other little tidbits of information that apply themselves to the history of Philly 2600. The film Freedom Downtime (2001) has some footage taking place at Stairway #7 of 30th Street Station, the original meeting location. There are also mentions of the meeting in the book Hacker Diaries: Confessions of Teenage Hackers (2002), where one story places a student at the 30th Street meeting in the late 1990’s. More recent references, such as the current 2600 magazine meeting listings have the meeting location moved to the southeast corner of the food court – the location used previous to the current location some 50 feet away.

Mention of Philadelphia 2600 meeting from The Hacker Diaries: Confessions of Teenage Hackers (2002).

Mention of Philadelphia 2600 meeting from The Hacker Diaries: Confessions of Teenage Hackers (2002).

But what about the people who attended? It’s hard to keep track of this aspect, and as time goes on people come and go. Some come for one meeting and are never seen again, but some stick around a while. Eventually, there are no remains of the previous group – the meeting goes through generations. We can get a little information from simple web searches. Old Usenet listings can be a great source for material, here’s a Philadelphia 2600 meeting announcement from 1995 by The Professor. Even more interesting, here’s a Phrack article by Emmanuel Goldstein (publisher of 2600) talking about how he and three others brought Mark Abene (Phiber Optik) to the Philly 2600 meeting before having to drop him off at federal prison in Schuylkill.

Using Internet Archive’s Wayback Machine, we can get an interesting perspective on the members from ten years ago by visiting an archived version of the old website (also at this domain). This is actually something we can explore. It appears that as of mid 2002 to regulars were JQS, Kepi Blanc, Damiend LaTao, Dj`Freak, The Good Revrend Nookie Freak, and GodEmperor Daeymion. Before this, regulars included Satanklawz (former site admin at the time) and Starkweather before the site was passed on to Kepi Blanc. The archived website offers an incredible amount of information such as a WiFi map of the city, several papers, and even (incredibly tiny thumbnails of) meeting photos. It’s clunky and full of imperfections but this website offers a time-capsule-like look into Philly 2600’s past.

The old Philly 2600 logo

The old Philly 2600 logo

But what about other hacker origins in the area?

We know of Pumpcon, one of the USA’s first hacker conferences started in 1993 (almost as old as DEFCON). Pumpcon has been running for over 20 years with an invite-only status. It is often overshadowed and left in the dust by the larger conferences in the country, despite its stature as one of the first of its kind. Pumpcon has not been exclusively held in Philadelphia since its inception. The conference has previously been held in Greenburgh, New York and Pittsburgh. Pumpcon has no central repository of information (why would it?) but a lot of history can be found scouring the web through old ezine articles like this one about Pumpcon being busted and notices like this one announcing Pumpcon VI. I’m currently compiling as many of these resources as I can, but there is an immense amount of data to sift through. Below I have some hard copy from my collection: A review of Pumpcon II from the publication Gray Areas and the incredibly recent Pumpcon 2012 announcement.

Pumpcon II Review (Page 1/2) from Gray Areas Vol. 3 No. 1 (1994)

Pumpcon II Review (Page 1/2) from Gray Areas Vol. 3 No. 1 (1994)

Pumpcon 2012 Announcement

Pumpcon 2012 Announcement

Other groups are harder to find. Numerous groups started up, burned brightly, and were then extinguished. Who knows where those people are now or the extent of what they accomplished. There are of course a few leftovers. One of my own pet projects is the development of an archive of older hacker magazines. A previously popular publication in particular, Blacklisted! 411, sheds a little light on some long-lost Philly hackers. A few issues make reference to Blacklisted! meetings taking place at Suburban Station in Philadelphia and another at the Granite Run Mall run by thegreek[at]hygnet[dot]com (long defunct) in neighboring Delaware County (and surprisingly about five minutes from my house). The earliest occurrence of these meetings I can find of this is in volume 3, issue 3 from August 1996 but either may have started earlier.

Philadelphia/Media Blacklisted meeting listings from Blacklisted! 411 Vol. 3, Issue 3 (1996).

Philadelphia/Media Blacklisted meeting listings from Blacklisted! 411 Vol. 3, Issue 3 (1996)

There are a few other loose ends as well. The recent book Exploding The Phone (2013) by Phil Lapsley catalogs the beginnings of the phreak culture, and makes reference to several fone phreaks in PA, some more notable than others, including Philadelphia native David Condon and some unidentified friends of John Draper (Cap’n Crunch) around the time he was busted by Pennsylvania Bell. We additionally know that some of the main scenes in the previously mentioned Freedom Downtime were filmed in Philadelphia. We also know that there are were hundreds of hacker bulletin board systems in the area from the 1980’s through the 1990’s.

Bell Pennsylvania joke advert, from Exploding the Phone (2013)

Bell Pennsylvania joke advert, from Exploding the Phone (2013)

Let’s change gears now. Our main problem in moving forward is what we do not know. Stories and events have been lost as time goes one, and the hopes of finding them becomes dimmer with each passing year.

If you had some involvement with the Philadelphia hacking scene in the years past, tell someone. Talk to me. Let me interview you. Get your story out there. Share your experiences – I’m all ears.

Those of you out there hosting meetings and starting projects, keep a record of what you’re doing. This is my one request.

We’ve already lost a lot of history. Let’s try saving some.


Jenny, Jenny

Every once in a while, I’ll see this conversation:

<CMack> whoa whoa WHOA
<CMack> there was a project to find Jenny by dialing 867-5309 at every area code in the US
<CMack> That’s not the wild bit
<CMack> The crazy part is just a bit down
<CMack> Area
<CMack> Code Findings(scanned by Famicoman)
<CMack> —- ——————————
<gameman73> HA
<Pat> lol
<CMack> O_O
<!Moonlit> Famicoman_ is a bit of a dark horse like that
<CMack> Did I just win at Six Degrees of Thinstack?

Believe it or not, this basic exchange has happened more than once. I usually end up coming in a day or so after to dispense a few key details. I figured I should take a shot going through how I became involved with this document, so feel free to take off if you’ve heard this one. For everyone still left, read on.

The quote above already covers the main idea of what went on. For a few years here and there, there were some small projects to scan the number 867-5309 with all the prefixes and see who picks up. That’s a lot of numbers. A little under 1000.

The symbolism of the scan is in the number. In 1982, power pop band Tommy Tutone released the song “867-5309/Jenny” which describes a guy finding a girl’s phone number on (presumably) a bathroom wall. The band claims the number was made up, but the song became a one hit wonder. People everywhere started calling the number, asking for “Jenny,” causing thousands if not millions of unwanted calls.

For some perspective, all this was about ten years before I was born.

The band got into a big dispute over using a real (callable) number, and over the years most of these numbers ended up becoming disconnected outright. Even right now, thirty years later, the song still gets airtime. And, or course, someone out there gets tempted to call it.

As I touched on earlier, over the years there were a few scans done of all these numbers just to see what was still out there. Just for fun. A lot of the big names of the scanning scene contributed to these, and they were pretty cool little files to browse through. There wasn’t any schedule to these, they were just sort of done on a whim. In 2006, I saw a forum posting over at BinRev for “Jenny07” and decided to sign up.

In 2006, I was 15 years old and sort of branching out on the internet a bit more than I had before. I got into the historical side of computer hacking and phone phreaking, and set myself up modestly on an IRC channel or two. I didn’t know much but I knew I wanted to get my feet wet. Participating in a scan was a nifty idea to me. I’d put myself back in time 25 years and do things the old fashioned way. I’ve always followed the ideology of looking back at what’s been done to know how one should advance.

So I signed up for the 600 block, which contained my own area code. Now at this time, I didn’t have a cell phone. I also sure as hell was not going to dial 100 numbers and tie up the family land-line  What was a kid to do? You might remember an important promotion for a relatively young piece of VOIP software back in 2006. Skype was trying to get people to register, and were offering free calling credits if you signed up. So here I was with a handful of Skype credits and a few hours of free time on an evening after school. One by one I called the numbers and recorded what I heard on the line (if anything).

It took longer than you’d think. So much so that I didn’t want to do another block even though I had been planning to. It wasn’t difficult, just exhaustive. Still, it was a lot of fun seeing what would happen when connecting to each new number. I submitted my findings back to the forum post along with a few others and eventually my results were rolled into the document which was released to a few sites. There were plans to do this scan again every year or so, but it never seemed to materialize after this one.

So where are we now? Six years later, it’s a nice little reminder of one of my first collaborations in the internet world. It’s a pretty nice feeling seeing my name up there with some “famous” names and knowing I was part of something that was swapped all around the web, ending up on dozens of servers.

It’s a funny conversation starter and I honestly forget about it until someone brings it up and asks what they’re looking at. It’s one of those “Oh yeah, THAT” conversations usually followed by a “Let me explain.” While the file still floats around out there, I decided to toss it up over at the Internet Archive so it can be found always, by anyone. A nice little insurance policy.

Take a look, and have a laugh. I know I did.


Wizzywig Volume Two

Ever since January of this year, I have been waiting for the second book in the Wizzywig series to be ready for distribution. The first volume, subtitled “Phreak” follows a young kid named Kevin Phenicle who goes by the handle Boingthump. Let me say, this isn’t some drab piece of writing you would find in the discount bin at your local book outlet. These are graphic novels, containing anything but a boring story about some kiddie hacker acting out a stereotype. This first book I read about Boingthump was a definite, and somewhat unexpected, treat. The bulk of the story was composed of little snippets of this character’s doings. From his first experience with blueboxing to social engineering pizza, the story is rife with creative scenarios that paint a vivid picture of an anykid in the golden age of phreaking. Suffice it to say I was impressed by just how much fact went into the story, and was curious to see where it would go… or where it would take me.


Fast forward to November. I stumbled across Ed Piskor’s website after forgetting about it for a little while. I found out that the second book had been completed and was ready for purchase, so I quickly snagged myself a copy, which arrived in the mail quickly after my purchase. Upon reading the book, I was happy to see much of the same structure as was present in the first. The story bounced back and forth between present day (Kevin has been incarcerated) and his younger days when he started experimenting with computers, and became immersed in a new, exciting, and scary world found through his phone lines.


The story found in these books is not your cookie cutter hacker epic. Take your Hackers, your Die Hard 4, your Swordfish, and throw them out the window. Ed takes careful attention to detail, nothing here is a stretch of the imagination and you can see he has done his homework in the creation of these novels. Reading along, you’ll be able to see all he has done simply by what is alluded to. No Hollywood garbage trying to make hacking seem glamorous or news stories spewing out tales that this underground world is full of all kinds of dangerous people who can make a computer explode. Ed gives the honest, gritty perspective the genre has hardly ever been represented by.


Summing things up, I don’t know anyone who is showing the world of phreak/hack culture in this fashion. Ed has truely honed his craft, and the fact that he himself is only an admirer of this culture, and not a participant only ampliphies his qualities. If you liked the first one, you probably already have the second, and are waiting patiently for the third and fourth. For those of you who haven’t jumped on the wagon yet, you can purchase both books directly from Ed at his website. There are also previews of both of the books, so you can read a few panels before deciding.

Also, I happen to be “in” the second installment as an angry fellow on page 10.