The Badir brothers ran rings around Israel's telephone
companies for six scam-filled years.
                    Three Blind Phreaks
     (By Michael Kaplan.  Reprinted from Wired   February
2004.)
Inside the chintz-filled living room of the Badir
family's neat and modest home, a feast of freshly roasted
chicken, saffron rice and seasoned vegetable stew
perfumes the air.  Friends and relatives pour through the
front door to congratulate 27-year-old Munther "Ramy"
Badir.  He's just been released from prison after serving
47 months for computer-related crimes.  Outside, Islamic
prayers resonate from speakers on a truck moving slowly
down the dusty streets of Kafr Kassem.  Everyone in this
Israeli village--populated mostly by Arabs--appears
ecstatic to have Ramy back.
     But he does not see their smiles.  Ramy, along with
two of his three brothers, has been blind since birth due
to a genetic defect.  He and his sightless brothers have
devoted their lives to proving they can out-think, out-
program, and out-hack anyone with vision.  (Their sighted
brother, Ashraf, is a baker with no tech leanings.)
They've been remarkably successful.  Ramy says dryly, "A
computer that is safe and protected is a computer stacked
in a warehouse and unplugged."
     Israeli authorities agree.  The 44 charges leveled
against Ramy, Muzher and Shadde Badir in 1999 included
telecommunications fraud, theft of computer data, and
impersonation of a police officer.  The brothers' six-
year spree of hacking into phone systems and hijacking
telephone time ended when they were convicted of stealing
credit card numbers and breaking into the Israeli army
radio station's telephone system to set up an illicit
phone company.  Unwitting customers--mostly Palestinians
on the West Bank and Gaza Strip--paid the fake telco for
long-distance calls that were billed to the station.  The
Badirs' scams were said to have pulled in more than $2
million.
     Ramy, the leader and most technologically savvy of
the brothers, was the only one sentenced to prison.
Muzher, 28, was ordered to perform community service for
six months; Shadde, 22, received a suspended sentence--
not because he was innocent, the judge made clear, but
because of his age.
     Those targeted by the Badirs feel less charitable.
Yekutiel "Kuty" Lavi, a security specialist at Bezeq
International, Israel's largest telco and a frequent
victim of the Badirs, angrily complains, "Every day
people try to steal from us, but nobody has ever stolen
from us the way the Badirs did."
     The Badirs pulled off elaborate phone cons,
employing cell phones, braille-display computers, ace
code-writing skills, and an uncanny ability to
impersonate anyone from corporate suits to sex-starved
females.  On the phone, the brothers morph into verbal
007's, intimidating men, seducing women, and wheedling
classified information from steel-voiced security
personnel.  The phone phreakers' term for this is "social
engineering": using a combination of brains and guile to
obtain codes for trespassing into systems to rejigger
them via strings of touch-tone code.  Combine this talent
with supersensitive hearing--the brothers can dissect an
international connection the way wine expert Robert
Parker pulls notes from a glass of Bordeaux--and you have
what BernieS, a legendary phreaker and contributor to the
hacking journal 2600, calls "a formidable skill set."
     At one point during my visit with the Badirs, I use
my cell phone to make a call.  Before it even connects,
Shadde, who is sitting across the room, recites all 12
digits.
     Ramy smiles at the parlor trick.  "It used to be
disgusting to be blind," he says.  "Today, you scare
people.  You possess skills that those with sight cannot
possibly understand."
     Two hours into an afternoon-long interview with the
Hebrew-speaking Badirs, my translator's lips lock.  He
shrugs and tells me that the Badirs have shifted into a
secret code.  Ramy later explains that as kids he and
Muzher developed their own language--reordering letters
in mathematically complex ways--after they discovered
that other boys were snooping on their conversations.
"People said that God cursed our mother by giving her
three blind sons," recalls Ramy.  "Children beat us on
the backs of our legs.  Those abuses left scars on our
hearts.  But they also forced us to grow stronger."
     The young Badirs closed ranks and vowed that their
blindness would never be an impediment.  They taught
themselves to take apart telephones, to mimic voices and
verbal tics, and to get around Tel Aviv without canes or
guide dogs.  They became obsessed with technology and
telephones.  After encountering their first computer, in
1989, at Tel Aviv's Center for the Blind, Ramy and Muzher
became enchanted with IBM clones.  They hung around Tel
Aviv University while working, with little success, as
software and telephone consultants.  Their early crimes
were the phreaker equivalent of shoplifting a Hershey
bar.
     But Ramy was too ambitious to stop there.  "I taught
myself to program in all the languages: C, C++, Basic,
Java, HTML, PHP, CGI.  I built my own black boxes, blue
boxes and red boxes," which, respectively, circumvent
billing, generate tones to place free calls and simulate
pulses triggered by money dropped into a pay phone.  "I
used those boxes to get into and decode phone systems."
     In 1993, Bezeq technicians caught the Badirs
snagging telephone time for their own use.  Things
quickly escalated when the brothers obtained the codes to
break into PBX's--private branch exchanges--belonging to
Bezeq and to the Israeli headquarters of Comverse, Intel,
Nortel and others.  PBX's are the computerized nerve
centers that operate phone systems; they are designed to
be repaired, updated and altered remotely by technicians
using touch-tone codes.
     "The Badirs regularly called Bezeq, pretending to be
engineers in the field," recalls Eyal Raz, who worked in
the telco's international antifraud unit from 1994 to
1999.  "They called secretaries and said, `I need to get
in to do a repair.  You need to give me the number and
password.'  Sometimes they succeeded, or else they'd get
only the number and try to break the password by using
proprietary programs."  At other times, a secretary would
simply key in the code, providing what seemed like
onetime access but actually enabling the brothers to hear
touch tones and translate them into numbers they could
then use whenever they pleased.
     The three used their access to devise an elaborate
moneymaking scheme.  According to Raz, during the mid-
1990's the brothers made a deal with a phone sex outfit
based in the Dominican Republic.  They would be paid for
driving calls to the service.  The Badirs made the calls
themselves, but the lines were rigged so that Comverse
and Nortel were billed by the phone sex service.
     At the time there were no computer crime laws in
Israel, so Bezeq took it upon itself to try to short-
circuit the Badirs.  "At one point I asked an engineer to
block three lines that the Badirs had opened up for
themselves," recalls Raz.  "They knew that I had put the
blocks on.  So a couple days later, one of them phoned
the engineer and said, `This is Eyal Raz.  Please unblock
those three lines.'  The engineer, who knew my voice,
believed it was me.  He unblocked the lines."  Raz shakes
his head, showing grudging admiration.  "These are very
clever boys."
     In 1995, the Badirs turned their attention to a
business closer to home.  Their target was Israeli phone
sex mogul Ben Zion "Bency" Levy, who maintained a
database of thousands of customer credit card numbers.
Ramy and his brothers went to work on Levy's secretary,
patiently convincing her to provide the information that
would allow them to unlock the credit card numbers and
PIN's.
     "We knew to approach her gently and break through
her psychological barrier," says Muzher.  "We had her
tell us clues that would lead to the password of her
boss's computer."
     "I figured out the personality of her boss, learned
the numbers that were meaningful to him, and used those
numbers to get into his system remotely," says Ramy.  In
the end, the Badirs seized some 20,000 credit card
numbers--and, after being confronted by Levy, caused all
of his telephones to ring continuously with no caller on
the other end of the line.
     In 1996, Levy reported the scam to Israel's National
Fraud Unit.  The following year, a file of Badir-related
complaints--including Levy's--landed on the desk of David
Osmo, an investigator with Israel's national police
force.  Osmo met with Ramy and recalls being amazed at
the speed of the young man's fingers on a phone keypad
when he made a call.  "I told him he is a smart person
who should use his intelligence for good things," Osmo
says.  "Return back to society," he urged.
     Ramy remembers his response to Osmo:  "You can chase
me for 20 years and you will not find anything to convict
me on."
     The Israeli army radio station is guarded as if it
were a military base.  Occupying four floors of a dirty
white building on a busy two-lane street in Jaffa, the
station is protected 24/7 by a half-dozen armed recruits.
In 1998, the brothers joined forces with a group of
Jewish and Arab scam artists and targeted the station,
intending to hijack phone lines and sell call time on
them.
     Though they were convicted of participating in the
scheme, the brothers deny they were involved.  Ramy is
nonetheless willing to speak knowledgeably about the con.
"These were among the most protected lines in the Middle
East," says Ramy.  "They had a lot of scrambling, and big
technology is required to get in."
     Why an army outpost?  "Those lines cannot be tapped
by the police, so there is no monitoring," explains Ramy.
"These are the safest lines on which to do something like
this."
     Authorities maintain that Ramy broke into the army
radio station's phone system and activated a dormant
function called "direct inward systems access" (DISA)
which allows long-distance calls to be placed remotely
and charged to that particular phone account.  He
structured the DISA so that as many as 281 people would
be able to make telephone calls simultaneously on that
single line.
     Once the long-distance access was in place, the
Badirs' partners set up a switchboard inside a shack in
an orange grove in Jaffa.  Voila!--instant phone company.
Customers placed calls from kiosks along the Gaza Strip,
from cloned cell phones, or directly from their homes;
these were routed from the switchboard to the radio
station's DISA.  The Badirs and their partners billed
customers for the calls, while the actual costs were
absorbed by the radio station.
     It wasn't long before the station realized its bills
were excessive and contacted Bezeq.  The company's
security specialists joined with the Israeli national
police in an investigation.  They raided the orange
grove, arresting several low-level workers at the shack.
Only after one of them mentioned that the lines had been
set up by blind technicians, says one source close to the
police, did the probe turn to the Badirs.
     At the time, Ramy and his brothers were already in
the crosshairs.  Suspects in numerous telecommunication
crimes, their home phone was frequently tapped by the
national police.  They reviewed the tap transcripts and
spent a year investigating the brothers, hoping to find
incontrovertible links between them and the pirate phone
company.  An intense cat-and-mouse game developed: the
Badirs on one side, with fraud investigator David Osmo
and prosecutor Doron Porat on the other.
     While Porat was working on the case, his car's GPS
system and e-mail were repeatedly hacked.  "There was a
message waiting for him with his password in it," says
Ramy, sounding quite pleased.  "After that, he changed
his password every hour before giving up on e-mail
altogether and using a typewriter."  The brothers
reportedly contacted Israel's DMV and registered Osmo's
car under another name, causing embarrassing problems for
the investigator when he tried to sell his vehicle.
     "The police experienced bad luck," notes Ramy.
"Their telephone systems went down, their computers
developed bugs.  Osmo got big bills for calls that he
hadn't made.  He believed we were always listening in on
him.  Sometimes Osmo spoke on the telephone and other
calls came across the line as he tried to talk."  Ramy
smiles devilishly.  "He found that to be very annoying."
     Ironically, even as they knew the degree to which
they were being pursued, the Badirs did not show a lot of
restraint over the telephone.  "This was our mistake,"
admits Ramy, who believed that some of his phone lines
were secure.  "We knew the police were chasing us and
trying to catch us.  Our overconfidence led us to think
they would never do it."
     On June 14, 1999, 14 police officers raided the
brothers' home in Kafr Kassem.  Though they found a safe
containing more than $14,000 worth of Jordanian dinars,
investigators did not uncover an expected treasure trove
of hardware, software and notes in braille.  "It's all in
our heads," asserts Ramy.  "The police took my laptop,
which contained programs for running through thousands of
numbers very quickly, but I had it designed to erase
everything on the hard drive if it was opened by somebody
other than me.  They lost all the material."
     Ramy, Muzher and Shadde were arrested on a variety
of charges relating to computer fraud in connection with
their hacks of the radio station and Bency Levy's phone
sex operation.  Police took them from their home in wrist
and leg cuffs, but even in custody, they could not help
but show off by conversing in their secret language and
announcing telephone numbers that were being keyed in by
law enforcers.  "When Doron Porat stood next to me," adds
Ramy, "he took the battery out of his cell phone."
     Ramy was jailed throughout the trial, which dragged
on for 27 months and took the prosecutors way beyond
their depth of technological expertise.  Porat and his
team eventually quit trying to explain how the Badirs did
what they'd been charged with and focused instead on
simply proving they did commit acts like breaking into a
switchboard.
     In her November 2001 ruling, judge Saviona Rotlevi
went easy on Muzher and Shadde but found Ramy guilty of
20 counts concerning Israeli cyberlaw, four counts of
telecom law violation, and 15 counts of other crimes.
The judge sentenced him to 65 months in prison.  Among
his restrictions: All of his calls were to be made with
the assistance of a guard so that he would never touch a
telephone keypad.
     After nearly four years, Ramy was released when a
judge ruled he'd served enough time.  He marks his second
day of freedom by repairing with Muzher and Shadde to a
small cafe on the edge of Kafr Kassem.  Inside, the
brothers order bottles of orange juice and three water
pipes.  They puff deeply, releasing plumes of fruity-
smelling tobacco smoke.
     Despite his years in prison, Ramy appears to have no
financial worries.  Upon arriving home, he promptly
ordered a $20,000 braille-display computer from Germany.
He also spent a couple of hours checking on the
construction of his new four-story house.  Workers broke
ground on it while he was still in prison; completion was
scheduled to coincide with his original release date.
It's a sprawling, solid-looking place, situated on a
prime corner lot in the center of Kafr Kassem.  The top
floor will be a high-tech penthouse where Ramy can hatch
his next move.
     And what will that be?  Ramy claims a couple of
juicy software programs that he began developing in
prison are in the pipeline.  "I am inventing a PBX
firewall," he says.  "I know all the weakest spots of a
telephone system.  I can protect any system from
infiltration."
     Ramy insists there are major companies interested in
his new software.  He talks about big money and big
meetings, but he refuses to show what he's working on and
won't name anybody who's backing him.  One person who
sounds perfectly game to be involved is the brothers' old
nemesis Eyal Raz.  "If he can build that, he'll become a
billionaire," predicts Raz, who now works for a Tel Aviv-
based phone security firm called ECtel.  "The Badirs know
so much and are so talented that I would happily use them
as consultants."
     Ramy insists he has outgrown the scams: "I am going
to the other side, coming up with devices that will keep
the phreakers out."
     You want to believe him, you really do.  Maybe it's
the truth.  Or maybe it's a sweet bit of social
engineering designed to generate positive press and
position the Badir brothers for their next spree.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html