IBM's Audio Distribution Systems Sure Can Be Fun! (May, 1984)
-------------------------------------------------------------

One day several years ago, a hacker was doing some routine 800 number scanning on his touch-tone telephone. This has become a very popular pastime because it's totally free and not easily defined as illegal in itself. Usually, what somebody does is zero in on a particular 800 exchange and dial many different numbers (often in sequential order), jotting down the interesting ones. That's exactly what this person was doing when he made a most interesting discovery.

After hearing literally dozens of modem tones, and "Doo-Dooo-DOOOO! The number you have reached," "Eastern Airlines, can I help you?" and "Special operator, what number did you dial?" messages, he heard a recorded female voice say, "Please keypress your last name." After a millisecond or two, he looked at the letters on his touch-tone buttons (never get a phone without those letters), and started to spell out a name. Another recorded voice read back someone's full name and then the old voice came back and said, "Please keypress your password." He suddenly got an idea and spelled out the person's first name. It worked! He had broken in - to something.

What this person found that day (and what many others have been discovering ever since) was an IBM Audio Distribution System or ADS. Nearly every IBM regional office has at least one of them. Operating out of an IBM Series I computer interfaced with a telephone switchboard, their original purpose was to provide a fast, easy way for IBMers to contact each other without playing "telephone tag." All a subscriber has to do is call the system, log in, and leave or receive aural messages. Commands are entered using touch-tone keys. The main commands are *R (record a message), *T (transmit a message), *L (listen to a message), *C (customize certain features), and *D (disconnect). By pressing a 9 or a #, brief help messages can also be heard.
No computer terminals were needed here. Nearly anybody could figure out how to use the system.

Fortunately for hackers, IBM people were both careless and apathetic. Many of them had very easy passwords and others never used the system at all, even though they had been assigned accounts. So guess what happened? Friendly tech enthusiasts found their way into these systems and grabbed accounts left and right. Many of them set up impromptu networks where they would exchange technical information, phreaking news, stories, anything! (Sort of like a computer bulletin board, except that your voice is your keyboard. This proved very beneficial to those phone phreaks that hadn't integrated themselves into the world of computers - here was a computer that could be played with without the requirement of a terminal and modem, as well as the means to communicate with computer hackers for the first time.) Messages could be as long as 8 minutes or as short as 3 seconds. Users could, by entering commands, adjust volume and speed, classify their messages (personal, confidential, personal and confidential, or internal use only), create distribution lists, change their status, etc.

In short, the ADS has become a favorite toy of phreaker and hacker alike. There are hundreds of ADS's all around the world, with more being plugged in every day. IBM is selling the systems to other companies, who then use them for their own employees, or lease accounts out to other people. IBM tells us that the price for a system with a 1,000 user capacity is about $110,000. Financing terms are available, they say. It is quite reasonable to assume that every ADS that is presently operational has at least a few usurped accounts on it. Even systems in Italy and England are being mercilessly invaded by American crackers.

What's particularly funny about all this is that IBM has no way of knowing whether the users of the system are legitimate or not, since the software is written to prevent eavesdropping, even from the system operator's account. It is also impossible to find out what somebody's password is, without being in that person's account. As one IBM executive told us, "As long as they don't do anything outrageous [like send abusive messages to other users] and the legitimate user doesn't tell us that his/her account is being used by someone else, we'll never know they're in there."

Needless to say, some high-level administrative meetings dealt with this problem. For IBM, things were starting to get out of control. One group of phreakers had so many different systems under control that they started to color code them. Rumor has it that they ran out of colors and were forced to buy a jumbo box of Crayola Crayons to find out the names of more. On the East Coast, a system was so heavily inundated with unauthorized users that it was commonly believed that there were more of them than legitimate users. And, somewhere in Italy, Midwest accents slowly started to abound on that country's sole system.

IBM began to make some drastic changes. To prevent intrusions from occurring in the first place, many of the systems were programmed to delete an account if it wasn't used within a certain period of time or if the password had not been changed from the system default (the first letter of the last name repeated three times). In an attempt to get rid of those that had already broken in, they started to look at their 800 number user logs, to see which accounts were constantly being logged into on the toll-free line instead of the local number or the IBM internal tie-line number. A company employee wouldn't have to use the 800 number unless he was on the road. But, they reasoned, a phone phreak would. On this, of course, they were completely wrong.
A phone phreak can make a call to anywhere he damn well pleases without spending a cent. A few even managed to access the IBM tie-line! Good phreaks, to avoid suspicion, stopped using the toll-free numbers. IBM reset passwords on suspect accounts and then went in to see what other names were linked by "reading" distribution lists and seeing what other names were being communicated with. The intruders answered this by deleting their distribution lists and erasing all old messages. This battle of wills is continuous.

One system operator in Los Angeles attached a recording that told anyone who failed to log in after three tries that their call had been traced. She later admitted to 2600 that this was simply a scare tactic used out of desperation.

Ironically enough, some of the worst offenders - as far as leaving doors wide open - are the system operators themselves. A few operators have left their privileged accounts' passwords set to the default (three zeroes). This allowed an intruder to come in and use the special "star-zero" command, which allows system messages to be changed. (These are the messages that tell the subscriber what to do next, etc.) "Please keypress your last name," could easily become "What the hell do you want?" There are hundreds of messages and oftentimes pranksters would change only the most rarely heard ones, to add to the surprise of the user who wound up hearing it; "Your message has reached the maximum length" was reportedly replaced by "You have spoken for too long and you may not speak again." Any user's password can be reset to the default from the operator account, so entry to all accounts is indirectly possible after cracking the operator account. Brand new accounts, though, are created offline.

If you like keeping in touch, an ADS may be just what you're looking for. With this system, your phriends are always reachable, no matter where they are. Unless they've left the magical land of touch tones.
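
The account clean-up rules described above (remove accounts that sit unused or still carry the default password, including the operator's three zeroes), written as a small audit. This is an added example, not code from the article or from IBM. The record layout, the salted PBKDF2 verifier, the 90-day idle limit and the keypad handling of Q and Z are assumptions, and the sample directory is constructed.

```python
import hashlib
import hmac
from datetime import date

# Modern keypad lettering (assumption: the article does not say how ADS keys Q or Z).
KEYPAD = {c: d for d, letters in {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for c in letters}

def default_password(last_name, is_operator=False):
    """Defaults stated in the article: three zeroes for the operator account,
    otherwise the first letter of the last name keyed three times."""
    return "000" if is_operator else KEYPAD[last_name[0].upper()] * 3

def verifier(password, salt):
    """Hypothetical stored form: salted PBKDF2, so the audit never reads a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def audit(accounts, today, max_idle_days=90):
    """Return {name: [reasons]} for accounts the clean-up rules would catch."""
    findings = {}
    for a in accounts:
        reasons = []
        guess = default_password(a["last_name"], a["operator"])
        if hmac.compare_digest(verifier(guess, a["salt"]), a["pw"]):
            reasons.append("default password")
        if a["last_login"] is None or (today - a["last_login"]).days > max_idle_days:
            reasons.append("dormant")
        if reasons:
            findings[a["last_name"]] = reasons
    return findings

def _acct(last_name, password, last_login, operator=False):
    salt = last_name.encode()  # constructed; a real system would use random salts
    return {"last_name": last_name, "salt": salt, "pw": verifier(password, salt),
            "last_login": last_login, "operator": operator}

# Constructed sample directory (names, dates and passwords are invented).
TODAY = date(1984, 5, 1)
SAMPLE = [
    _acct("Smith", "777", date(1984, 4, 28)),           # active, still on default
    _acct("Jones", "48213", None),                      # assigned, never used
    _acct("Operator", "000", date(1984, 4, 30), True),  # privileged, default
    _acct("Lee", "90417", date(1984, 4, 25)),           # healthy
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(reasons)}")
```

The toll-free-line heuristic is left out on purpose: as the article notes, the choice of inbound line said nothing reliable about who was calling.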