Beating Caller ID by The Fixer v.1.03 98/08/30 (C) 1998 The Fixer's Tech Room For free distribution - you may freely repost & distribute this but not for profit without permission of the author. See further restrictions at the end of this file. To start off with - 12 Ways to beat Caller ID (0) This doesn't count as a way to beat CID, but there's a general principle to consider when contemplating ways to beat CID. Generally, the CID signal your target sees corresponds to the owner of the dial tone you call him from. If you call direct, you dial from your own dial tone and your line is identified. If you call a third party, and by whatever means manage to acquire his dial tone, and from there dial out, it is the number associated with that second dial tone that your target sees. Some of the ideas following this were developed with this basic idea in mind. (0.5) This also doesn't count, but remember that beating Caller ID as such is only the first layer of your protection. If your calling is sufficiently annoying or criminal, there is *always* a paper trail (ANI data, billing data, trouble reports, *57 traces, etc) leading back to the phone you first called from. That trail is not always easy or worthwhile to track you down with. Whether or not the trail is followed depends entirely upon how pissed off your target is and how much co-operation he can get from the phone company, law enforcement, etc. (1) Use *67. It will cause the called party's Caller ID unit to display "Private" or "Blocked" or "Unavailable" depending on the manufacturer. It is probably already available on your line, and if it isn't, your local phone company will (most likely - please ask them) set it up for free. This is the simplest method, it's 100 percent legal, and it works. (2) Use a pay phone. Not very convenient, costs 25 or 35 cents depending, but it cannot be traced back to your house in any way, not even by *57. Not even if the person who you call has Mulder and Scully hanging over your shoulder trying to get an FBI trace (sic). Janet Reno himself couldn't subpoena your identity. It's not your phone, not your problem, AND it will get past "block the blocker" services. So it's not a totally useless suggestion, even if you have already thought of it. (3) Go through an operator. This is a more expensive way of doing it ($1.25-$2.00 per call), you can still be traced, and the person you're calling WILL be suspicious when the operator first asks for them, if you have already tried other Caller ID suppression methods on them. (4) Use a prepaid calling card. This costs whatever the per-minute charge on the card is, as they don't recognize local calls. A lot of private investigators use these. A *57 trace will fail but you could still be tracked down with an intensive investigation (read: subpoena the card company). The Caller ID will show the outdial number of the Card issuer. (5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is fairly easy to social engineer, but beyond the scope of this file. This is a well-known and well-loved way of charging phone calls to someone else but it can also be used to hide your identity from a Caller ID box, since the PBX's number is what appears. You can even appear to be in a different city if the PBX you are using is! This isn't very legal at all. But, if you have the talent, use it! (6) I don't have proof of this, but I *think* that a teleconference (Alliance teleconferencing, etc.) that lets you call out to the participants will not send your number in Caller ID. In other words, I am pretty sure the dial tone is not your own. (7) Speaking of dial tones which aren't yours, if you are lucky enough to live in an area with the GTD5 diverter bug, you can use that to get someone else's dial tone and from thence their identity. (8) Still on the subject of dial tones which aren't your own, you can get the same protection as with a payphone, but at greater risk, if you use someone else's line - either by just asking to use the phone (if they'll co-operate after they hear what you're calling about) or by the use of a Beige Box, a hardware diverter or bridge such as a Gold Box, or some other technical marvel. (9) This won't work with an intelligent human on the other end, it leaves you exposed if the called party has a regular Caller ID box with memory, and has many other technical problems which make it tricky at best and unworkable for all but experts. A second Caller ID data stream, transmitted from your line after the audio circuit is complete, will overwrite the true data stream sent by the telco during the ringing. If the line you are calling is a BBS, a VMB, or some other automated system using a serial port Caller ID and software, then you can place your call using *67 first, and then immediately after the other end picks up, send the fake stream. The second stream is what the Caller ID software processes, and you are allowed in. See the technical FAQs below for an idea of the problems behind this method; many can be solved. (10) Someone in alt.2600 (using a stolen AOL account, so I can't credit him or her properly) suggested going through 10321 (now 10-10-321) or 10288. Apparently using a 10xxx even for a local call causes "Out of Area" to show up on the Caller ID display. I live in Canada where we don't have 10xxx dialing so I can't verify nor disprove this. (11) There are 1-900 lines you can call that are designed to circumvent Caller ID, ANI, traces, everything. These services are *very* expensive, some as high as $5.00 a minute, but they include long distance charges. This was first published in 1990 in 2600 magazine, and in 1993 the IIRG reported that 1-900-STOPPER still works. Beware - even if you get a busy signal or no answer, you will get charged at 1-900 rates! Another one published in 2600 in 1990: 1-900-RUN-WELL. That one supposedly allows international calls. I'm not about to call either one to find out. Note that you could still be caught if the operators of these services were to be subpoenaed. (12) Use an analog cellular phone. Most providers of plain old analog service show up on Caller ID as "Private" or "Out of Area" or a main switchboard number for the cell network. This is becoming less and less true as cellular providers move to digital cellular and PCS, which pass the phone's number on Caller ID. Corollary: Rent a cellphone by the day. This might even be cheaper than using a prepaid phone card. How Caller ID Works Caller ID is a data stream sent by the phone company to your line between the first and second ring. The data stream conforms to Bell 202, which is a 1200 baud half-duplex FSK modulation. That is why serial Caller ID boxes run at 1200 baud. The data stream itself is pretty straightforward. Here's an example: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^D032415122503806467x The first thing of note is the 30 U's. Those are actually sync pulses. A "U" is 55 hex, or 01010101 binary. This is called the "Channel Siezure Signal." After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark" frequency) which usually shows up in the datastream as a character or two of garbage. That is followed by the "message type word", which is 04 hex for standard Caller ID, 07 hex for Name & Number. A word, by the way, is 8 bits for our purposes. That is followed by the "message length word" which tells us how many bytes follow. The next four bytes are the date, in ASCII. In the example above, the date is 0324, or March 24th. The next four bytes after the date are the time, also in ASCII. In the example, the time is 1512, or 3:12pm. The next 10 digits are the phone number that is calling. In the example, the phone number is 250-380-6467. The number is also in ASCII and doesn't contain the hyphens. Some phone companies will leave out the area code and only transmit 7 digits for a local call, others will always send the area code as well. If this were a name-and-number Caller ID data stream, the number would be followed by a delimiter (01h) and another message length byte to indicate the number of bytes in the name. This would be followed by the name itself, in ASCII. If this call originated from an area that doesn't support Caller ID, then instead of the phone number, a capital "O" is transmitted (4F hex). If the call was marked "private" as a result of the caller using *67 or having a permanent call blocking service, then instead of the phone number, a capital "P" (50 hex) would be sent. The very last byte of the data stream is a checksum. This is calculated by adding the value of all the other bytes in the data message (the message type, length, number and name data, and any delimiters) and taking the two's complement of the low byte of the result (in other words, the two's complement of the modulo-256 simple checksum of the CID data). Some Technical FAQ's Q: When I block Caller ID with *67, does it send my number anyway and just set a "private bit" so that the other person's Caller ID Display unit won't display it? A: No. The person you're calling doesn't get your phone number anywhere in his data stream if you block your call that way. All he/she gets is "P" and the date/time of the call. I would like to refer to an experiment I performed in March, 1998 with a Serial Port Caller ID, which delivers the raw data stream to a PC for software interpretation. The following Usenet message (edited for this file) is the report I published on that experiment: Newsgroups: alt.2600 From: The Fixer Date: Tue, 24 Mar 98 16:12:58 -0800 Subject: Caller ID and *67 - The Facts OK, it's time to shovel the bullshit which is piling up in this newsgroup about Caller ID. A few people are saying that when you block your Caller ID with *67, the switch sends your number anyway along with a so-called "private bit" that tells the Caller ID display unit to suppress display of the number. In order to squelch those who'd rather flame back with "show me proof" than just read a FAQ, here is the proof. These are actual raw data captures from a Bell 202 demodulator (better known as a serial port Caller ID) which I captured myself today. They prove conclusively that the "Private Bit" is a myth. Here is what I got in my raw data stream when I called my voice line from one of my BBS lines (which is unlisted, hence the PRIVATE string in the name field): UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^A^H03241512^A2503806467^G^OPRIVATE x This is what I got when I did the same thing with *67: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€^P^A^H03241512^D^AO^H^AP(˙ The number I was calling from was 250-380-6467. That string is clearly displayed in the first (non *67) call. In the number field of the second call, only the letter "O" is transmitted. In the name field, only the letter "P" is transmitted. In both calls, the date and time (03/24, 15:12) is transmitted, but transmission of the calling telephone number is suppressed in the second call. There is no "private flag" suppressing display of the number by the display unit; the calling number is not transmitted at all! For those of you unfamiliar with the CID raw data stream, the U's are actually sync pulses (an ASCII "U" is 01010101 binary). The control characters are field delimiters. The first 8-digit number is the date and time in MMDDHHSS format. The second number in the first call is the phone number, in NPANXXXXXX format. That is followed by the name (for those of us with name & number CID). The ^O (0Fh) just before the name indicates how many characters are in the name - in this case "PRIVATE" is padded out with 8 spaces (20h) to make 15 characters. At the very end is an 8-bit checksum. Believe me, if I were wrong about this, there would be a huge marketing frenzy to sell "*67 proof Caller ID boxes" and I would be making a fortune selling my Serial Caller ID software, which works directly with the data streams illustrated above! Q: Can't I just send noise down the line to scramble the Caller ID signal between the rings? A: No. Your phone line doesn't generate the Caller ID signal. It is made by the switch on your calling party's line, and the audio circuit between your line and his is not completed until after he picks up the phone. Q: Do 1-800 numbers have Caller ID? Can I hide my identity from them? A: Some do have Caller ID, and the *67 block will work, but many more have realtime ANI - Automatic Number Identification. This is an older technology which uses a separate line to deliver your number, and cannot be blocked. And all 800 subscribers get a list of everyone who called them on their monthly bill, blocked or not. Q: Can I hide my identity by sending a fake Caller ID signal down the line before they answer? A: *Generally*, no. The audio circuit between your phone line and their line is not completed until the other party picks up. Once they do, they would hear your fake signal and know what you were doing... unless the person you're calling is very poorly informed or untrained. Even so, most Caller ID devices have memory and so the person you're calling could just as easily scroll back through the box's memory and find your true number. Once upon a time, the phone system worked differently, and the audio circuit WAS connected even before the called party picked up. A device called a "mute" or a "black box" was used to take advantage of this fact and allow anyone calling a line with a black box to do so toll-free. If the system still worked that way (and there's no technical reason why it couldn't in these days of digital switching) then yes, it would be very feasible to send a fake Bell 202 data stream down the line; in fact you'd hear the real one every time you called someone with Caller ID and you'd get a really good feel for the timing involved. But if it worked that way, then black boxes would also still work, and they don't. Q: How about *69? If I protect my call using *67, can they still call me back? A: Not in 604/250 anyway, and probably not most places. Some interesting notes about this: When *69 was first introduced here in 250, if you tried to *69 a blocked call, you would get a recording telling you that the number could not be announced. And it would then offer to connect you anyway! I guess it was business who asked for the change because that meant a telemarketer using *67 would have people call back and their switchboard answer "Sleazebag Marketing, how can I help you?". At that point the number was a white pages lookup away. So BC Tel, and I would venture to guess its parent company GTE and many others, changed it so that *69 won't even call back. If you find in your area that you CAN call back with *69 to a *67 protected number, you're a lucky sonofabitch! Why is that? Well, with the "old" working of *69, you may still be able to get the number of a blocked caller if you are (a) lucky and (b) patient. Take your phone off the hook until midnight (if it's a business) or early afternoon (if it's a person). THEN activate *69. No incoming calls will have come into your line since it was off-hook, so your line's *69 last-call register will still have their phone number in it, and at those times you are far more likely to get an answering machine which may spill the beans as to who called you... clever huh? Final Word Caller ID can be worked around in so many ways that it really offers no value to its subscribers. I am not against the existence of Caller ID, as I have been on the receiving end of harassing phone calls and slimy telemarketers, all of whom I've been able to put in their place thanks to this technology. There's no doubt that Caller ID can help bring those who deserve it to justice. But at the same time, we all have the right to privacy, and the option to not share your identity with someone you're calling is, and always should be, available. For this reason, I think that Caller ID should be available free on every line as part of the basic service. It's worth nothing anyway! --------------------------------------------------------------------------- That's it. This file may be updated as I receive more information. Look for updates on my web site at http://techroom.base.org or if that doesn't work, http://bc1.com/users/fixer --------------------------------------------------------------------------- This file is a freely-distributable copyrighted work. You may repost this file free of charge without modifications, but no for-profit distribution is allowed without prior arrangement with the author. Two individuals who have stolen my work in the past are hereby prohibited and enjoined from possessing or distributing this file: Pinhead the Cenobite and Jolly Roger. If you are either of these individuals, you must delete this file from your system now. If you are not, you may not knowingly allow either of these individuals to receive this file if it is in your power to prevent such reception. Retention of this file on your system or on any backup constitutes acceptance of this term. (C) Copyright 1998 The Fixer's Tech Room, a division of Whirlwind Software (British Columbia). All rights reserved.