                               The Fixer
                                Presents

                             Colored Boxes
                             a 1998 Review

                              File 3 of 4
                            Tone Generators,
                      Bridges, Cheese and Gold Box


   .---------------------------------------------------------------.
   |                        Tone Generators                        |
   `---------------------------------------------------------------'

                                Blue Box
                     (Generates MF signaling tones)

   Since its invention in the early 1960's, more has been written, and
   more programs have been released, on the Blue Box than any other box.

   And no wonder; the Blue Box got spectacular press when it came to
   light in the early 1970's.  There are still a LOT of new text files
   and tone generators being written on the Blue Box, even though it is
   almost completely obsolete in North America and rapidly falling into
   obsolescence everywhere else.  In its heyday, Blue Boxing was like
   playing a guitar: easy to learn, difficult to master.  The masters of
   Blue Boxing had control of the toll network that the phone company's
   brightest engineers and security personnel could not understand.  The
   Joe-Average boxer (likely a college kid impressing friends and chicks or
   a mafioso who bought a box to avoid showing up on phone records) could
   make all the free calls he wanted, with no downside.

   The Blue Box, of course, is that box which seizes control of a toll
   trunk, giving the user the same abilities as a long-distance
   operator. There are now two problems with the Blue Box.  First, the
   system's technology has advanced so that most toll trunks no longer
   use the inband signaling (meaning: signaling is no longer done with
   audible tones) that Blue Boxes rely on.  There are still a precious
   few left in North America but they will be gone soon.  Second, every
   telco security person knows about Blue Boxes very well, and as a
   result, most local exchanges have tone detectors that will either cut
   off the call or sound an alarm or write an entry to a fraud log if
   you attempt to box.

   If you can box from an exchange that has no such detectors, and if you
   can find an inband toll trunk that you can get onto for free (1-800
   number, etc), and if you don't do it from a line where fraudulent
   calls can be traced back to you, THEN you can still blue box and do
   it safely.  Otherwise, you'll find that its day is long gone.

   Plausibility: 100% real.  These boxes were as real as the system they
                 cheated.
   Obsolescence: Almost total - Inband trunks exist but try and find one!
   Skill:        Difficult.  Somewhat complex to construct and use.
                 Usage is not as simple as dialing a phone.
   Risks:        Very High.  You will be caught if you use your own line.
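
   The exchange-side tone detector described above, sketched as an added
   example (it is not from the original file or from any telco equipment):
   a Goertzel filter watches for the 2600 cps SF tone named in the Pearl
   Box entry and logs it only when it is sustained and dominates the frame,
   which is how such a detector avoids firing on ordinary speech.  The 8 kHz
   sample rate, the thresholds and all function names are assumptions.

```python
import math

SAMPLE_RATE = 8000   # Hz; standard telephony sampling rate (assumption)
TARGET_HZ = 2600     # the SF tone this file names in the Pearl Box entry
FRAME = 200          # samples per frame: 25 ms, puts 2600 Hz exactly on bin 65
PURITY_MIN = 0.80    # assumed: share of frame energy that must sit at TARGET_HZ
MIN_FRAMES = 4       # assumed: tone must persist 100 ms before it is logged
MIN_POWER = 1e-4     # assumed: mean-square floor below which a frame is silence


def goertzel_energy(frame, freq):
    """Squared DFT magnitude of `frame` at the bin nearest `freq` (Goertzel)."""
    k = round(len(frame) * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_purity(frame):
    """Fraction (0..1) of the frame's energy carried by TARGET_HZ."""
    total = sum(x * x for x in frame)
    if total / len(frame) < MIN_POWER:
        return 0.0                      # silence: nothing to classify
    return 2.0 * goertzel_energy(frame, TARGET_HZ) / (len(frame) * total)


def detect_sf_tone(samples):
    """Return [(start_s, duration_s)] for each sustained, clean TARGET_HZ burst."""
    events, run_start, run_len = [], 0, 0
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):       # final pass flushes a run at end of input
        hit = (i < n_frames and
               tone_purity(samples[i * FRAME:(i + 1) * FRAME]) >= PURITY_MIN)
        if hit:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len >= MIN_FRAMES:   # short blips are ignored, not logged
                events.append((run_start * FRAME / SAMPLE_RATE,
                               run_len * FRAME / SAMPLE_RATE))
            run_len = 0
    return events


def make_audio(freqs, ms, amp=0.3):
    """Constructed test signal: sum of sines at `freqs` (empty list = silence)."""
    n = ms * SAMPLE_RATE // 1000
    return [sum(amp * math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(n)]


if __name__ == "__main__":
    # Constructed line audio: 100 ms silence, 300 ms of tone, 100 ms silence.
    line = make_audio([], 100) + make_audio([2600], 300) + make_audio([], 100)
    for start, dur in detect_sf_tone(line):
        print(f"fraud-log: {TARGET_HZ} Hz for {dur:.3f}s at t={start:.3f}s")
    # A voice-like mix that merely contains 2600 Hz energy is not flagged.
    print("voice-like mix:", detect_sf_tone(make_audio([400, 1200, 2600], 500)))
```
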




                                 Green Box
                     (Generates Payphone Control Tones)

   The Green Box generates three tones, which are suspiciously the same
   as three particular Blue Box Tones.  The function of these tones was
   to command a payphone to return the caller's money, collect the money
   from a holding chamber into the main coin box, or to have the switch
   call the phone back.  The idea was that an operator would have some
   powers when dealing with payphone callers.

   These are described by text files as part of ACTS but really they are
   just selected MF bluebox tones.  Every blue box is also a green box.

   Although the files written about the green box are credible, the
   whole ACTS system is on its way out and the green box tones
   themselves were scrapped with inband signaling anyway (operators
   today DO NOT have blue boxes at their fingertips).  So green box
   tones no longer work.

   Plausibility: It was a real box but it was far more talked about than
                 actually used, so it's really now more the stuff of
                 legend than anything else.
   Obsolescence: Totally obsolete.  Correct me on this one if I'm wrong.
   Skill:        To build the tone generator would have taken some
                 doing, but taped or PC-Generated tones are a total
                 no-brainer.
   Risks:        Don't try it.  The phone company may have MF detectors
                 set up and think you're trying to blue box.




                                 Pearl Box
                               aka Smurf Box
                        (Variable SF Tone Generator)

   The Pearl Box just generates SF (Single Frequency) tones.  It features
   the ability to "dial up" a tone with a series of knobs, a scheme that
   does offer some precision once the settings for a particular frequency
   are known.

   The usefulness of a Pearl box is *very* limited, at least to a phreak.
   It can generate 2600 and 1850 cps, as well as other SF trunk control
   tones (2280 comes to mind).  But since Blue Boxing is dead anyway, and
   since a Blue Box already has the SF tones you need, a working phreak
   really wouldn't need a box like this.

   The Smurf Box is VAS's twist on the Pearl Box.  VAS correctly
   understands that an IBM-compatible PC can generate SF tones through its
   speaker, but they incorrectly assume that (a) you can connect it to a
   phone line directly without frying anything, (b) that the PC will
   generate SF tones to 32767 Hz, (c) that any phone system anywhere even
   uses SF tones outside the 300-3000 Hz voice band on inband signaling
   systems, (d) that the phone system will properly interpret your PC's
   square wave output when most phone tones use sine waves, and (e) that
   the human ear can only hear tones to 5010 Hz.  All of these things are
   wrong.  Anyway, a novice programmer can write a Pearl/Smurf Box program
   in GWBasic or Turbo Pascal in about 30 seconds, and you didn't need VAS
   to tell you that.

   Plausibility: Not much.  YES you can build a variable tone generator
                 but there's a reason why Esquire hasn't published any
                 articles called "Secrets Of The Little Pearl Box".
   Obsolescence: If you're checking the frequency response of your
                 stereo, it's not obsolete.  If you're blue boxing, then
                 the Pearl Box and the Blue Box and you for that matter
                 are all relics from the 1960's.  Watch Austin Powers a
                 few million times for a clue.
   Skill:        It's not a very complicated construction project but it
                 shouldn't be your first.
   Risks:        Since its use is limited to Blue Boxing, risks are the
                 same as for Blue Boxing.




                                  Red Box
                        (Generates ACTS coin tones)

   As much as the Blue Box was talked about in the 1970s and 1980s, the
   Red Box is the topic of discussion in the 1990s.  The Red Box makes
   the same tones that ACTS payphones use to signal the phone company
   that coins have been deposited.

   If you saw the movie "Hackers" you saw a crude approximation of how
   red box tones could once have been gathered straight from a payphone.
   This really doesn't work; you'll find the tones are muted if you try
   it.  The best way is to make them yourself with one of zillions of
   computer box tone generator programs out there.

   In order for red box tones to work, the payphone you are calling from
   has to be an ACTS payphone - it has to use Red Box tones itself.  The
   audio quality of the tones has to be good, not because of any
   anti-fraud devices the telco has set up but simply because the coin
   tone detectors have a narrow tolerance to avoid false detection of
   speech and background noise as coin tones.

   If an operator comes on and accuses you of boxing, it's because she
   was already listening.  The phone mutes the mic while playing its red
   box tones, she knows this and knows that there shouldn't be any
   street noise, bumping of a tape recorder into the handset, breathing,
   and other sounds while the tones play.  She also knows that the tones
   should be loud, clear and undistorted.  The system doesn't make those
   judgments; a human does and she does so only when the boxer's other
   messing around with the phone has triggered an exception alarm.  Or
   if you were calling long distance and your three minutes are up...

   The red box does still work and is still widely used; those who say
   it doesn't either don't have access to ACTS phones or played really
   bad tones.  It won't work at all on any phone where the party you're
   calling complains about really bad speech quality - those phones are
   likely to be marked "modified to prevent fraud" and the distortion from
   the mouthpiece is the means used to prevent red boxing on those phones.

   There are many, many text files on red box tones; the best method
   involves the use of a tape recorder and an acoustically-sealed (like
   an acoustic coupler modem) speaker for best sound quality and
   elimination of suspicious noise.  The worst methods involve
   "ingenious" means - whistles, recordable hallmark cards, modified
   pocket dialers, yada yada.  None of those things really work well and
   all involve the phreak spending extra money on junk, when the whole
   idea behind phreaking is to not spend money.

   Plausibility: 100 percent fact, and well documented.
   Obsolescence: Doesn't work everywhere, and gradually decreasing in
                 availability.  Forget it on COCOTs, Nortel Millennium
                 Payphones and any payphone not using the ACTS system.
   Skill:        Very little.  It's almost as easy as Razor and Blade
                 demonstrated in "Hackers."  That's probably why it gets so
                 much discussion.
   Risks:        Few if you are careful.  Don't mess with the phone and
                 no operators will come on.  Play good tones and it will
                 work.  And remember, any kind of payphone phreaking
                 that involves gadgets looks suspicious, so there is
                 always the risk that someone might see you and call the
                 police.




                               White Box
                   (Generates DTMF Tones - portable)
                               Silver Box
                (Generates DTMF Tones including A,B,C,D)

   The White Box and Silver Box are almost the same thing - both boxes
   produce the DTMF tones that every pushbutton phone uses.  The difference
   is that the White Box produces the 12 tones we are all familiar with,
   and the Silver Box produces an additional "column" of tones, normally
   placed to the right of the others, marked A, B, C, and D.

   The usefulness of both these boxes is quite limited.

   For starters, you can buy a proper white box at Radio Shack.  It's
   just a portable tone generator.  Amazing, then, that people have been
   arrested just for possessing this commonly available, perfectly legal
   device. Hell, I have even seen wristwatches with white boxes built
   in.  A white box is nothing more than a tone dialer.

   Second, the extra tones on the silver box are only useful on the
   Autovon military network - they are used for prioritizing calls.

   With that said, I find it inconceivable that no phone system anywhere
   out there aside from the military one has fourth-column tones in use
   *somewhere* - for internal testing, and so on.  A, B, C, and D will
   break dial tone on most digital switches.  It's just that no one has
   published any inside information on this yet.

   If a way to take advantage of silver box tones ever surfaces, then
   building a hardware silver box may be worthwhile.  Until then, the
   tones themselves are a technical curiosity best left to computer tone
   generators.

   The Silver Box is sometimes also called a Gray Box.

   Plausibility: 100% real
   Obsolescence: Of little use to most phreaks.
   Skill:        Construction is average difficulty; single chip DTMF
                 generators are easy to find.  Usage is straightforward.
   Risks:        You want to phreak a military network?  Are you nuts?



   .---------------------------------------------------------------.
   |                  Bridges, Cheese and Gold Box                 |
   `---------------------------------------------------------------'

                                 Brown Box
                      aka Conference Box aka Party Box
                         aka Switch Box aka Hoz Box
             (Joins 2 lines to effectively give 3 way calling)

   The [Conference] [Party] [Switch] [Hoz] [Brown] Box (hereinafter just
   called the Brown Box) joins together two lines to effectively give a
   3-way conversation.  If you already have two phone lines (for a BBS,
   fax, whatever) you can save the 50 cents per use charge on three-way
   calling by either building this box OR buying a 2-Line phone at Office
   Depot or Radio Shack that has a 3-way feature. Since you're not
   really stealing the three-way custom calling service, Brown Boxing is
   not fraud.  That's why you can buy 3-way 2-line phones on the open
   market.

   Of these boxes, the plans and description for the Conference Box are
   the only ones worth paying any attention to.  Its ASCII diagram is
   easy to follow and it isolates the two lines with a 1:1 transformer,
   as they should be.  It's also the only text file which mentions that
   if you have 3-way calling on both lines, you can effectively get a
   5-way conversation going without anyone else in the conference having
   3-way calling.

   Note: Some text files have described a Brown Box as simply a homemade
         lineman's handset, or a Bud Box (see above).

   Plausibility: 100 percent real.
   Obsolescence: More pointless than obsolete.  Get a 2-line phone!
   Skill:        Some electronics skills useful.
   Risks:        Zero - perfectly legal.  The only way you could get in
                 trouble is if you screw up and damage your phone line.




                                 Cheese Box
   (creates an anonymous loop, purported to turn your phone into a payphone)

   There are two types of cheese box out there, and one seems to be getting
   much more coverage than the other, which is unfortunate because the
   first kind (more commonly seen) is bullshit. The textfile explains that
   the box is so named for the "kind of the box the first one was found in"
   but then goes on to describe something that isn't a box at all!

   The gist of the first cheese box type is that it effectively turns your
   phone into a payphone, untraceable and unreachable by law enforcement.
   This is accomplished by forwarding calls to an operator.

   The problem here is that no matter *who* or *what* you forward calls to,
   your own ANI and Caller ID data still get passed.  Traces still come
   back to you.  And incoming calls go to the operator.  It seems to me
   that it would make more sense to find a way to forward calls dialed to a
   payphone to your home number, if payphones had call forwarding.

   The second type of cheese box is a lot more believable.  It's an
   electronic device which connects two lines, much like a Gold Box, and
   makes them an anonymous loop.  Two people could call either line of this
   loop and not know the other's real phone number, which would have some
   privacy advantages.  If installed between two payphones, even a reverse
   directory lookup of the loop numbers would reveal nothing.  It is likely
   because payphones were used for this that the idea got perverted into
   the first type of box - after all, what use would it be to turn your
   line into a payphone?  Payphones in groups of two or more are common in
   public places, so there was an abundant supply - especially in big
   cities where bookies and organized crime families operate.

   Plausibility: Most of the textfiles you read on the Cheese Box aren't
                 worth the photons to read them.  Read the IIRG Cheese/Gold
                 Box file for the best description of the cheese box.
   Obsolescence: IIRG claims that the cheese box is obsolete but I see no
                 reason why even under ESS and DMS you couldn't still
                 cheesebox today.  Their rationale is that the old cheese
                 boxes included black boxes, which of course only work on
                 older Step by Step switches.  But with other ways of
                 calling for free, the black box part isn't necessary!  One
                 other note: you won't be able to use payphones marked
                 "Outgoing Calls Only".  These are getting more and more
                 common every day, which means that the obsolescence of
                 this box is increasing.
   Skill:        Construction of the device is comparable in difficulty to
                 the Gold Box, and installation would require stealth or a
                 good ruse.  Pose as a phone company technician with a fake
                 company ID tag (And look the part - 30+ years old,
                 clean shaven, short hair, work clothes & tool belt) and
                 no one will hassle you for messing with the payphones.
   Risks:        If the device were used too much, or if you were unlucky,
                 there's a chance someone trying to legitimately use one of
                 your payphones might report a problem to repair service,
                 who'd discover the box and likely alert telco security or
                 the police, who'd likely stake out the phones for a while
                 after.




                          Gold Box aka Divertor Box
          sometimes called Magenta Box or Slush Box or Dark Box
      (Joins two lines; call the first and get the second's dialtone)

   The Gold Box is a great idea that unfortunately is lost in the
   terrible quality of text files that have been written about it.

   The Gold Box joins together two phone lines.  You phone one, and
   immediately are connected to the other one's dial tone.  This, of
   course, has a few problems of its own.  For starters, if your victim
   expects calls to come in, all his normal callers will get his other
   line's dial tone.  They will then get a hold of him some other way
   and let him know of the problem.  Second, he's sure to hear at least
   an abortive mini-ring before the Gold Box picks up.  Some phones with
   electronic ringers will give a full-length ring even if they receive only
   a fractional pulse of ring voltage.  That would be suspicious to say the
   least.  Third, the Box's original design doesn't really have a way to
   terminate the call; your victim would be left with a phone line that
   does nothing but reorder shortly after your first call.  Some of the
   newer designs (after 1985 or so) will respond to the drop in line
   voltage that occurs after the person on the other end hangs up, and
   can terminate & reset that way.

   The Slush Box is an idea by Dispater (of Phrack fame).  It joins two
   business lines in a multi-line business phone system.  Call line 1,
   enter a password, get line 2.

   The solution, of course, is intelligent control of the Gold/Slush box
   by the phreak, and that is what Dispater was getting at (although I
   have never seen anything on the slush box beyond his proposal).

   Here's how I would design and implement something like this (although
   I am getting at the point of giving this box a low plausibility
   rating):  First, I would select at least one line that is not
   normally answered by a human.  A fax line, modem line, what have you.
   That would be the "hot" line which is called OUT from.  Call the
   "Hot" line and sound a tone.  The box I would use would be designed
   to listen for this tone with a PLL tone detector or something and
   when it hears it, would "activate" the box.  When the box is not
   active, both the "hot" and "cool" lines would function normally.
   When the box IS active, a call to the "cool" line causes the box to
   immediately "pick up" the phone and yield the "hot" line's dialtone.
   This would be best implemented against a business, a BBS or ISP, a
   person with a fax or modem line, etc.  The point is that the "hot"
   line has to be one where it is acceptable to the victim to receive
   calls that don't connect on a fairly regular basis, i.e. as often as
   you use the box.

   The Gold Box plans most people have read have none of these features
   and would therefore present a significant risk of detection - in
   which case a quick *69 would compromise you.

   Note that a properly designed Gold/Slush box would not allow the
   Telco to deliver your Caller ID data to the "cool" line, as pickup
   would normally occur instantly, before the signal could be
   transmitted.  Note also that the Caller ID data for the "Hot" line
   would be transmitted to the final dialing destination.  A devastating
   reality for blackmail/framing purposes.

   In 1988, someone named "Street Fighter" wrote a text file with a totally
   different design, that does the same thing as a Gold Box, and called it
   a "Magenta Box."  And in 1991, some plans emerged for a "Divertor
   Box" which specifically explain and handle the problem of call
   termination.  I have not verified either device's functionality.

   Plausibility: The early plans don't work.  The IIRG plans are still
                 promoted by their authors; I don't know how well they
                 really work.  The basic concept, with development,
                 could work exceptionally well.  But be aware of
                 teenaged lamers who claim to be able to gold box you -
                 most teenaged hackers are NOT hardware hackers and
                 would never be able to make this box work.
   Obsolescence: As long as we have analog telephony, this is a
                 potentially effective method.
   Skill:        Design and construction of a box which would work to
                 this author's high standards would be an advanced
                 construction project requiring optimization of space
                 and power.  This is not for the beginner.
   Risks:        Installation involves some sort of prowling or false
                 pretense to gain initial physical access to the
                 victim's phone lines.  This is inherently somewhat
                 risky, depending on the skills of the installer.

-=( T )=-

Tommy, Sysop, THC BBS (250) 361-4549
www.vvv.com/~tommy
tommy@tommys.spydernet.com
