Dvorak was in rare form this week, as he writes something that reads more like an e-mail virus alert chain letter. http://www.pcmag.com/article2/0,2817,2376702,00.asp
Read on for the money quote.
I’m immediately reminded of the online scams that took place during the modem era of communications. You’d be given a number to call, and it would actually be some sort of scam. The local number would connect to a BBS of some sort which would send a code back to the modem to turn off the speaker, so you couldn’t hear the modem disconnect and then redial a number in Bulgaria or some obscure island. You’d then be connected to a phone service that charged $100/minute for the connection. After racking up thousands and thousand of dollars in phone costs, you’d get the bill from your phone company for $30,000.
I was around during the modem era. I even remember that the Hayes command to turn off the speaker was AT M0. Except when it was AT L0. I remember a lot of now-useless information from those long-ago days.
And what I’m trying to figure out is how this is even possible. Because I remember hitting +++ in order to interrupt the modem and send commands to it. But that was the thing. If the modem on the other end transmitted +++ and an AT command, then the modem just sent it through as text. You could even see it at the end of a BBS session, when the remote end hung up. Some modems transmitted the commands to you before they realized that text was intended for them.
So I don’t know how this could work. A rogue BBS would have had to do the following:
1. send a +++ across to put the other modem into command mode
2. send an AT L0 M0 to turn off the speaker
3. send an AT H to hang up the phone
4. send an ATDT command to dial the BBS in Bulgaria or wherever.
Except step 1 is impossible, since Hayes commands have to come from the local host. A friend and I actually experimented with this 21 or 22 years ago because he was running a BBS and was paranoid that a rogue user might be able to lock up his modem.
And then of course step 3 makes step 4 impossible, because once you hang up the phone, the game’s over.
The only way I can see this being possible is through software. But in the BBS era, computers were single-tasking. And just dialing a phone number wasn’t enough to get your computer infected with a virus. You had to download something. Perhaps Dvorak is thinking of dialer malware, which was fairly widespread in the mid 1990s, but that was distributed over the Internet, not BBSs.
I know some of you were around in the BBS era too. Have any of you ever heard this rumor Dvorak speaks of, and any of its details?
In the BBS era that I remember, the phone companies were the ones who got scammed. Phone phreaking was real. You mostly hear about it today in passing, such as when people talk about Steve Wozniak’s blue box, built before he started building computers. But there were people doing it in the late 1980s and early 1990s too. If anything, by then it was more widespread.
Maybe this is what Dvorak is thinking of: Phone phreakers getting caught, then slapped with $30K in unpaid long-distance charges.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Hi Dave,
This happened to a family friend who was not computer savvy, and a similar story was on the local news, both about 10 years ago. Either in an e-mail or a zip file you downloaded, you would inadvertently install a “dialer” where it would mute your modem speaker then dial out to some off-shore ISP, long distance, so as long as you were online you were racking up long distance charges to the other telephone company at very high rates. The friend got a bill for about $3,000 which they had to pay even after complaining to their local government representative. I think the charges might have appeared on the phone bill as an adult entertainment service in some cases. People were embarrassed to bring it to the attention of the authorities, but eventually the local telephone companies had to repay customers and take the loss, but only if the customer made the claim. I believe that many seniors would install the dialer program after clicking on a bogus e-mail link to update their security software or anti-virus, or something similar. In some cases it was connected to certain pornography downloads so people never contacted law enforcement and just paid the bill. I seem to remember a similar story on a Baltimore news program where a child used the off-shore ISP from a dialer program for a whole month and the parents got an enormous phone bill.
Another scam was to send you a bill for something in an e-mail with what looked like a long distance customer service number for the US, but it was some off-shore telephone company, and you would be placed on hold for about 20 minutes to a half hour. Later you got the charges on your telephone bill for a pricey international call. They used to talk about these scams on ZDTV, then called Tech TV, then G 4, and Leo Laporte would warn you about the scams. Laporte’s shows were “Call For Help” and “The Screen Savers” which I used to watch regularly. Dvorak used to have a computer-related current events type show on ZDTV also.
Take care, Joe.
The problem with being an “old timer” is that the memory begins to play tricks. The phone phreaking scam was the rage in those days, not hi-jacking modems. Most people (like me) used the same land line as the modem line, and scheduling time on the phone was pretty important. Even if a rogue BBS could hijack the modem, it got turned OFF when I was finished online, thereby making the attempt moot.
After reading Dvorak’s blurb a couple of times, I’m convinced he’s talking about dialer malware, and just got his facts about how it worked incorrect. And maybe that’s how people *thought* it worked at one point in time, and that’s how he remembered it. But yeah, like you, I can’t imagine any feasible way for a BBS to affect a caller’s machine. To put it simply, our “browsers” (terminal programs) did not have the rights to be changed or controlled by our “sites” (BBSes). I suppose we did get a few things right back then. 😉
The only thing I can think of that could have been done back then would be some sort of call-forwarding scam on the BBS end, something on the phone company’s end that would redirect incoming calls to an off-shore number and rack of charges for the caller. But even with that, I don’t think it could be done with software, and I think the BBS owner would have to be “in on it”.