Defeating Callback Verification by Dr. Delam So you feel you've finally met your match. While applying at this board that you've applied at before, you use a fake name, address, and phone number. Then comes the part you hate most: the callback verification. "How in hell am I going to get access without giving out my real number?! I guess i'll just have to 'engineer' the sysop." Only this particular sysop is too good. He tries a voice verification, and finds either a bad number or someone who doesn't even know what a BBS is. Now you have to reapply again! If you worked for the phone company or knew how to hack it, maybe you could set yourself up with a temporary number, but unfortunately you don't. So you think hard and come up with an idea: "All need is a local direct dial VMB. Then I can just have the sysop call that and make him think it's my home VMB system... that is, if I can find one to hack." Naw, still too hard. There must be an easier way. Loop? No, who wants to wait forever on a loop - every so often talking with Fred the pissed-off lineman. What else, what else? You can remember the things you used to do as a kid before you even knew what phreaking or hacking was. How about the time you called your friend Chris and at some point in the conversation, when things got boring, Chris said "I'm gonna call Mike now. Bye!" But you didn't want to hang up. You heard click, click... but no dialtone. You say "Hello?" and suddenly you hear Chris shout "Hang up the phone!" Haha! You had discovered a new trick! If you originated the call, you had ultimate control! That means if I call a BBS and it hangs up first, I actually am still connected to the line for a brief period (usually a maximum of 15 seconds); and if the BBS picks up again to dial me for callback verification, it will get me for sure, regardless of the number it has!" This leaves just two problems to solve. The first problem occurs when your modem senses a drop in DTR or loss in carrier from the BBS's modem, it will go on-hook. This means you will have to catch the phone before your modem hangs up. Your modem may have a setting that will ignore these changes. If not, you can build a busy switch. This may be done by placing a 1K ohm resistor and an SPST switch between the ring and tip (red and green) wires of your phone line. Completing this circuit at any time while online has the effect of a permanent off hook condition. The resistance provided is equivalent to the resistance present when your phone is off hook, thus creating a condition the C.O. recognizes as off hook. With good soldering and a good switch, no interference will be present after the switch is thrown while connected. Note: Sysops may find the busy switch useful as a confirmation that the phone line is "busied out" when the BBS is taken down. Sometimes during down times a reboot or power down is necessary, which will cancel any busying effects the modem had set previously, making a busy switch in this case ideal. The second problem occurs when the BBS's modem expects a dialtone after going from on hook to off hook. A dialtone will have to be provided for the BBS's modem before it will try dialing whatever phone number you provided. This requires what I call a "CAVERN box" (CAllback VERificatioN). Like many other boxes, it is a simple generation of tones. For a cheap and inexpensive method, use a tape recorder to record and play back the dialtone. Computer sound generation hasn't been tested, but most PC speakers generate a square wave, while dialtones are sinusoidal. The best chance for accurate, artificial sound generation is with a synthesizer. The two frequencies of a dialtone are 300hz and 420hz. Many musicians recognize 440.00hz as the note A4, and the frequency from which scales are built. Just below A4 on an equal tempered chromatic scale is at 415.30hz. Tuning a synthesizer just shy of a positive quarter tone from the normal scale will yield a G#4 at 420hz and bring the D4 of 293.66hz within an acceptable range of 300hz. Needless to say, once you have prevented your modem from hanging up and have generated a dialtone which has effectively caused the BBS's modem to dial the phone number, you should issue an answer tone by typing the Hayes "ATA" command. You will then be connected with the BBS's modem and will have protected your identification. Thanks to Green Hell for some help in generating concepts presented.