
The October 1971 issue of Esquire magazine carried an article by Ron Rosenbaum that detailed his meetings and phone conversations with a secretive, loosely knit group of people. One was John T Draper – and he’s still angry about what happened.
“Ron should not have published that article,” Draper told PC Plus. The reason behind his anger is that he and the others were ‘phreakers’ – curious individuals who had worked out how to trick the US telephone network into supplying them with free calls. Today, it seems incredible that ‘Ma Bell’ – as the phone system is still known to many Americans – could be so easily hacked. And yet it all started with nothing more complicated than a musical note whistled into a phone.
To place a long-distance call in the ’70s, you picked up the phone and were connected to the local exchange, which would then calculate exactly how much to charge you based on the number that you had dialled. If it detected that you were dialling long distance, the exchange would find a free long distance line for you. To find which lines were free, it would step through each, listening for a steady 2600Hz tone that signalled that the line wasn’t in use.
What the early phreakers discovered was that if you dialled a long-distance number and then sounded a tone of 2600Hz into the mouthpiece, the ringing would stop. However, instead of hanging up, the remote exchange would merely assume that the line was about to be used to set up another call, and would simply wait for a new number. The phreaker would then dial a number and call for free.
The early phreakers also discovered that if the initial number that you dialled was a long-distance freephone number, the local exchange wouldn’t charge you. So if you sounded the 2600Hz tone between calls, the local exchange thought that you were still on the initial free call.
To some, phreaking was Ma Bell’s fault. Back in 1959 (or 1954, depending on which source you believe), Bell Labs – the research arm of the US phone system – published a paper in its Technical Journal called ‘In-Band Single Frequency Signalling’. The paper, impenetrable to most people, explained how the phone system used the same lines that people spoke over to carry commands in the form of audible tones between long-distance AT&T exchanges.
The commands were intended for internal company use only. The idea behind them was to remove the need for the dedicated lines previously required by exchanges to communicate with each other. Today, modern phone systems have such large capacity that in-band signalling – and therefore phreaking – has become obsolete. Back in the 1960s, however, in-band signalling was widespread, and incredibly easy to hack.
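The design flaw described above can be shown in a few lines. The following is an added example, not code from the article or from any phone company: it uses the Goertzel algorithm to detect the 2600Hz tone, then compares a trunk that trusts audio with one whose state changes only over a separate signalling channel. The sample rate, threshold, class names and test signals are all assumptions made for the illustration.

```python
import math

SAMPLE_RATE = 8000   # assumed telephone-band sampling rate in Hz
SF_TONE_HZ = 2600    # the idle-line tone named in the article
THRESHOLD = 0.1      # assumed detection threshold (normalised power)

def goertzel_power(samples, freq_hz):
    """Normalised power of one frequency in a block (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq_hz / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (n * n / 4.0)  # a unit-amplitude tone at freq_hz gives ~1.0

def tone(freq_hz, n=400):
    """Constructed test signal: n samples (50 ms) of a pure sine."""
    return [math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]

def mix(*signals):
    return [sum(v) / len(signals) for v in zip(*signals)]

VOICE_LIKE = mix(tone(300), tone(800), tone(1200))  # constructed stand-in for speech

class InBandTrunk:
    """Infers line state from the audio path, as the article describes."""
    def __init__(self):
        self.state = "in_call"
    def hear(self, samples, source):
        # 'source' cannot be used: audio carries no proof of who produced it.
        if goertzel_power(samples, SF_TONE_HZ) > THRESHOLD:
            self.state = "waiting_for_number"
        return self.state

class OutOfBandTrunk:
    """Line state changes only via a separate signalling channel."""
    def __init__(self):
        self.state = "in_call"
    def hear(self, samples, source):
        return self.state  # audio content never alters supervision
    def signal(self, message, source):
        if source == "exchange" and message == "release":
            self.state = "idle"
        return self.state

if __name__ == "__main__":
    for trunk in (InBandTrunk(), OutOfBandTrunk()):
        print(type(trunk).__name__, trunk.hear(tone(SF_TONE_HZ), "subscriber"))
```

The in-band trunk changes state on any audio that contains enough 2600Hz energy, whoever produced it; the out-of-band trunk ignores the audio entirely and acts only on messages from the exchange.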

Curiously, a whistle given away with Cap’n Crunch breakfast cereal was found to produce a tone (the fourth E above middle C) that was sufficiently close to 2600Hz to convince the network that the line was free. What’s more, other sound sources could also do the trick. Many phreakers used tape recordings of electric organs to fool Ma Bell, and some dedicated types even trained themselves to whistle at the correct pitch.
Draper initially became embroiled in phreaking by accident. He’d been working on an FM transmitter, which he then mounted in his Volkswagen camper van and drove around his neighbourhood, broadcasting a plea for people to call him if they picked up his signal. Someone did – a teenager called Dennie heard the broadcast and invited Draper over.
Excited that Draper had a working knowledge of electronics, Dennie showed him how to phreak a long-distance exchange using an electronic organ belonging to a fellow phreaker called Jimmy. Together they had slowly begun to map out a small vocabulary of other command signals. They shared what they’d learned with Draper.
“After playing around with Jimmy’s organ, I headed home and dug out my trusty parts bins, found my slide rule and calculated the parts values I would need for each of the frequencies,” says Draper. “In about 45 minutes, I had all six of the oscillators connected to an op-amp, to the phone line through a transformer. Initially I only had a single button for each tone because I didn’t have enough diodes to switch two at a time. It took practice, but I managed to MF numbers – and this was the start of my exploration of the phone system.”
MF means multi-frequency. When you press a button on a touchtone phone, it generates not one but two frequencies, and this is what’s responsible for the characteristically discordant tones you hear. The commands sent between long-distance exchanges were also MF tones, but of a higher frequency than those used to dial numbers.
Remember the Bell Labs Technical Journal? Well, in 1960 it published a second paper about inter-exchange signalling, this time giving the exact frequencies that made up these commands. As knowledge of the 2600Hz tone spread, phreakers started looking for technical manuals that might help them explore further, and inevitably they came across these papers. Like Draper, other phreakers then began building dedicated devices to create these tones.
In the early 1970s, Draper had been using his first name while chatting to other phreakers on conference calls set up to swap phreaking tips. He was very active in finding new exchanges and new sequences of commands to try, so other phreakers suggested that he should try to hide his identity in case they were being tapped. The question was, what should he call himself?
A friend of Draper’s called Joe Engressia had told him that the whistle given away with Cap’n Crunch breakfast cereal could produce the much sought-after 2600Hz frequency that could grant free long distance calls. “I said, ‘Why not call me Captain Crunch?’, and the name stuck,” Draper remembers.
The legend of Captain Crunch and his exploits has since entered into popular culture. In the 1992 film Sneakers, the experience Cosmo has of giving hacking lessons in prison is based on Draper’s real-life jail experiences. An Internet search for ‘Captain Crunch’ will also reveal plenty of usernames of people who are definitely not John Draper.
So, what’s it like being a genuine icon of the global hacking community? “Good on one side, bad on the other. Mixed feelings,” Captain Crunch told us.
While a 2600Hz tone could get you free calls, MF-ing an exchange could get you a whole lot more. For example, you could set up and run a conference facility on an exchange that enabled other phreakers from across America – and even from around the world – to secretly swap the secrets that they had learned. The devices they built to generate these tones were called ‘blue boxes’. With a battery-powered blue box, a phreaker could surf the US telephone network from a roadside payphone. Fraser Lucey was one such phreaker.

In Ron Rosenbaum’s aforementioned Esquire article, he describes a meeting with Lucey, who demonstrated the tremendous capabilities of his blue box. First the pair dialled a number known to belong to a phone box in London, and a passing RAF serviceman returning from leave answered it. Then they tried the number of a woman in Paris, but the line was busy. Next, they called the speaking clock in Sydney, Australia, before finally ringing a recorded weather report in Rome. Phreakers had complete freedom to roam the phone networks of the whole world. However, it was too good to last, and trouble was approaching fast.
After talking to other phreakers, including neighbourhood friends Dennie and Jimmy, Rosenbaum learned about Draper. The article recounts a conversation the pair had, in which Draper explains his motivation for phreaking. “It’s terrible,” says Draper, “because Ma Bell is such a beautiful system, but she screwed up. I learned how she screwed up from a couple of blind kids who wanted me to build a device. A certain device. They said it could make free calls. I wasn’t interested in free calls. But when these blind kids told me I could make calls into a computer, my eyes lit up. I wanted to learn about computers. I wanted to learn about Ma Bell’s computers. So I built that little device.”
By this point Draper had further refined his blue box to automate the commands that it sent. Whereas other blue boxes needed to have things typed into them by hand, his was far more precise, and therefore sounded just like another exchange. “It would [pulse] the number in precise intervals,” he told PC Plus, “making it indistinguishable from the phone companies’ own equipment.”
With the power of his supercharged blue box and his extensive knowledge of the commands it was capable of generating, Draper demonstrated to Rosenbaum how you went about routing calls around the phone system, through exchange after exchange. However, it was a demonstration that he would come to regret for a very long time.
“I briefly talked to this Rosenbaum dude, who didn’t even tell me what the blind kids had told him, and without checking with me first, he just went ahead and printed it,” says Draper. “Some information that he put in the article was correct, but the other information he put in there was absolutely false.”
Draper knew the game was up when he saw the published article. “While reading it, my jaw dropped,” he said. “I was appalled at all the mistakes in the article and how sensationalised it was. I knew that I would inevitably be picked up by the FBI; it was just a matter of time. I immediately went home and ditched my super-automated blue box, notes and anything else that pointed to me for this.”
Draper was arrested in May 1972. “All around me, people were going down. Then, in a single day, a major sweep took place, and four people from Seattle, three people from San Jose and five people from LA got busted all at once, within minutes of each other. On the way home, I stopped by the 7-Eleven store and parked in an adjacent school yard. Just as I got out of my car, a car pulled up in front and another one pulled up in back, and four men in suits jumped out and grabbed me. I was thrown against the car, handcuffed and read my rights. I was taken to Santa Clara County and booked for toll fraud.”
Draper got five years probation. However, in 1977 he went back to jail, again for toll fraud. Once there, he found that serious criminals were interested in phreaking, and he began holding secret lessons for them. “It kept me out of trouble with the rest of the inmates,” he told PC Plus. “Nobody would f**k with me.”

Today, Draper is a reformed character. He’s the Chief Technology Officer at media company En2go, putting all of his technological talent towards legal ends.
Copyright Future Publishing Limited (company registered number 2008885), a company registered in England and Wales whose registered office is at Beauford Court, 30 Monmouth Street, Bath, BA1 2BW, UK
Having never really stayed in America for long enough to eat breakfast, I’m not too clued up about State-side cereals. It appears however there’s a version of Cap’n Crunch which comes with ‘Crunchberries’ – things which look a bit like fruit if you close your eyes. Now, as I say, I’ve never sampled breakfast cereal from the other side of the world. A legal case has however erupted focussing on whether these Crunchberries are real fruit or not.
http://www.loweringthebar.net/2009/06/reasonable-consumer-would-know-cru...
Nothing to do with computers, I know.
Sorry.
Submitted by Martin Cooper on 3 June 2009 - 4:37pm.
I want something similar involving the pseudo-marshmallows that let me down so much as a kid, especially when visiting America. I don't care if the hideous little lumps of disappointment-candy are technically marshmallows - I know what marshmallows are, and those are not they.
Submitted by Richard Cobbett on 3 June 2009 - 5:26pm.