Defeating Callback Verification
                               by Dr. Delam

    So you feel you've finally met your match. While applying at this board
that you've applied at before, you use a fake name, address, and phone
number. Then comes the part you hate most: the callback verification. "How in
hell am I going to get access without giving out my real number?! I guess I'll
just have to 'engineer' the sysop." Only this particular sysop is too good.
He tries a voice verification, and finds either a bad number or someone who
doesn't even know what a BBS is. Now you have to reapply again! If you worked
for the phone company or knew how to hack it, maybe you could set yourself up
with a temporary number, but unfortunately you don't. So you think hard and
come up with an idea: "All I need is a local direct dial VMB. Then I can just
have the sysop call that and make him think it's my home VMB system... that
is, if I can find one to hack."

    Naw, still too hard. There must be an easier way. Loop? No, who wants to
wait forever on a loop - every so often talking with Fred the pissed-off
lineman. What else, what else? You can remember the things you used to do as
a kid before you even knew what phreaking or hacking was. How about the time
you called your friend Chris and at some point in the conversation, when
things got boring, Chris said "I'm gonna call Mike now. Bye!" But you didn't
want to hang up. You heard click, click... but no dialtone. You say "Hello?"
and suddenly you hear Chris shout "Hang up the phone!" Haha! You had
discovered a new trick! If you originated the call, you had ultimate
control! "That means if I call a BBS and it hangs up first, I actually am
still connected to the line for a brief period (usually a maximum of 15
seconds); and if the BBS picks up again to dial me for callback verification,
it will get me for sure, regardless of the number it has!"

    This leaves just two problems to solve. The first problem is that when
your modem senses a drop in DTR or loss of carrier from the BBS's modem, it
will go on-hook. This means you will have to catch the phone before your modem
hangs up. Your modem may have a setting that will ignore these changes. If
not, you can build a busy switch. This may be done by placing a 1K ohm
resistor and an SPST switch between the ring and tip (red and green) wires of
your phone line. Completing this circuit at any time while online has
the effect of a permanent off hook condition. The resistance provided is
equivalent to the resistance present when your phone is off hook, thus
creating a condition the C.O. recognizes as off hook. With good soldering and
a good switch, no interference will be present after the switch is thrown
while connected.

    Note: Sysops may find the busy switch useful as a confirmation that the
phone line is "busied out" when the BBS is taken down. Sometimes during down
times a reboot or power down is necessary, which will cancel any busying
effects the modem had set previously, making a busy switch in this case
ideal.

    The second problem occurs when the BBS's modem expects a dialtone
after going from on hook to off hook. A dialtone will have to be provided for
the BBS's modem before it will try dialing whatever phone number you
provided. This requires what I call a "CAVERN box" (CAllback VERificatioN).
Like many other boxes, it is a simple generation of tones. For an
inexpensive method, use a tape recorder to record and play back the dialtone.
Computer sound generation hasn't been tested, but most PC speakers generate a
square wave, while dialtones are sinusoidal. The best chance for accurate,
artificial sound generation is with a synthesizer. The two frequencies of a
dialtone are 300 Hz and 420 Hz. Many musicians recognize 440.00 Hz as the note
A4, and the frequency from which scales are built. Just below A4 on an equal
tempered chromatic scale is G#4 at 415.30 Hz. Tuning a synthesizer just shy of
a positive quarter tone from the normal scale will yield a G#4 at 420 Hz and
bring the D4 of 293.66 Hz within an acceptable range of 300 Hz.

    Needless to say, once you have prevented your modem from hanging up and
have generated a dialtone which has effectively caused the BBS's modem to
dial the phone number, you should issue an answer tone by typing the Hayes
"ATA" command. You will then be connected with the BBS's modem and will have
protected your identification.

    Thanks to Green Hell for some help in generating concepts presented.