John Thomas Draper: Setting the Record Straight re: Blue Box

The tl;dr cliffnotes: John Draper did not invent the Blue Box.

In April of 2015, several years after Phil Lapsley published “Exploding the Phone” giving a detailed history of the early days of phreaking, I wrote a blog largely based on that book to clear up long-standing rumors and mistakes in a variety of publications. John Draper, despite his reputation, had not been the first to discover the whistle in Cap’n Crunch cereal boxes in the late 1960s. Recently, an article by Kevin Collier stated that Draper “invented the ‘Little Blue Box,’ an electronic device to better imitate the signal. In 1971, Draper showed his design to two fans, Jobs and Wozniak, who, with Draper’s blessing, began selling an improved version.”

Other articles and publications have varying takes on this, some more neutral and accurate, some even more outlandish. For example, recent articles covering John Draper’s sexual misconduct mention his history and why he is well-known. Ars Technica says that he “helped popularize the ‘Little Blue Box’” and the BBC says he “went on to create a ‘blue box’ that generated other tones”. In the case of Ars Technica, that is certainly accurate historically. In the case of the BBC, the wording may be taken by some to mean that he created it, as in he was the first to do so. Another example of wording that implies Draper was the first can be seen in a Computer World article from 2011 that says he “then built the phone phreaking tool called blue box that made free calls by making phone calls appear to be toll-free 800-number calls.” Interestingly, to me at least, Wikipedia gives a general history of the device, but does not definitively say who invented it.

Perhaps worse, books about computer crime and security get it wrong, and worse than wrong. In “Cybercrime: Investigating High-Technology Computer Crime” by Robert Moore, he clearly states the blue box was “invented by John Draper”. Perhaps the worst example I have seen is in the book “Mobile Malware Attacks and Defense” by Ken Dunham in which he attributes not only the blue box to Draper, but also all of “telephone hacking” when he built it.

Like my blog two years ago, I turn back to ‘Exploding the Phone’ by Phil Lapsley, a book that I cannot speak highly enough about. Through his extensive and exhaustive research, along with years of interviews, his history of phreaking is comprehensive and fascinating. By using a few key bits from the book, we can quickly see the real history and origin of the blue box. It also makes it crystal clear that John Draper did not invent the blue box. Like the whistle, he did it years later after friends told or showed him the basics.

From page 51, the start of a chapter titled “Blue Box”, it tells the story of a then 18-year-old named Ralph Barclay who read the November 1960 Bell System Technical Journal which contained an article titled “Signaling Systems for Control of Telephone Switching”. After reading the article, Barclay figured out that it had all of the information required to avoid using a pay phone to make a call, and that it could be done “directly”. By page 56, Lapsley describes how Barclay built his first box over a weekend, in an “unpainted metal enclosure about four inches on a side and perhaps two inches deep.” Barclay realized fairly quickly that he needed the box to do more, and as described on page 57, he built a new box because he “needed multifrequency”. “His new device was housed in a metal box, twelve by seven by three inches, that happened to be painted a lovely shade of blue. Barclay did not know it at the time, but the color of his device’s enclosure would eventually become synonymous with the device itself. The blue box had just been born.” This was in 1960 or 1961 and represents the origin of the blue box.

On page 87, Lapsley tells the story of Louis MacKenzie who also spotted the vulnerability based on the 1960 Bell Systems article. MacKenzie went to AT&T and offered to tell them how to fix the ‘blue box’ vulnerability, for a price. When AT&T declined, “MacKenzie’s attorney appeared on the CBS evening news, waving around a blue box and talking about the giant flaw in the telephone system.” By that point, advertisements for blue boxes could be found in some magazines, including the January 1964 issue of Popular Electronics. Thanks to, old issues of Popular Electronics are available including the January 1964 issue! On page 115, we can see the advertisement:

Further along in the history of phreaking, Lapsley covers John Draper’s story related to the blue box. On page 151 it sets the time frame: “Now it was 1969 and he was John Thomas Draper, a twenty-six-year-old civilian.” Page 154 tells the story of when Draper was asked by friends who had already been ‘blue boxing’ by using an electronic organ, to build them a box.

Teresi and Fettgather wanted to know if Draper could build them a multifrequency generator – an MFer, a blue box, a portable electronic gadget that would produce the same pairs of tones they were making with Fettgather’s electronic organ. Draper said he could.

He returned home in a state of shock. “I had to build a blue box,” Draper recalls. And that night he did. It was a crude first effort that was difficult to use. It had seven switches: one for 2,600 Hz and six to generate the tones that made up multifrequency digits.

Draper’s first blue box was built in 1969, around eight years after Barclay had built his first unpainted ‘blue box’, and his second box that was actually “a lovely shade of blue”, giving the phreaking tool its iconic name.


To further set the record straight, Lapsley tells the story (p220 – 221) of Steve Wozniak, who “had his [blue box] design worked out” and “was particularly proud of a clever trick he used to keep the power consumption down so the battery would last longer” in 1972. After Wozniak had built his own blue box and refined it, he and Jobs then met John Draper for the first time. While the three traded “blue boxing techniques and circuit designs”, Draper did not show them how to do it, did not show them their first box, or introduce them to the concept.

Thoughts about CNNVD vs. US NVD

[This was originally published on in the 2017 Q3 Vulnerability QuickView report.]

In October, Bill Ladd of Recorded Future released a study comparing CVE and the U.S. National Vulnerability Database (NVD) with China’s National Vulnerability Database (CNNVD). This report, titled “The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting” was covered by John Leyden in The Register and Dune Lawrence for Bloomberg. Mr. Ladd’s article gives a good breakdown of the relationship between CVE and NVD, as well as their shortcomings, which many in the industry still don’t fully understand. We’ll examine Mr. Ladd’s four “key takeaways” and share our thoughts and perspective:

1 – “Organizations need access to the latest vulnerability (CVE) information to manage their exposure to risk.”

There is no disputing that organizations need access to the latest vulnerability information. However, perhaps the most dangerous part of Mr. Ladd’s takeaway is associating CVE with that role. CVE is a USA government funded project that calls itself “a dictionary of publicly known information security vulnerabilities and exposures” and says it “is not a vulnerability database”. Rather, CVE was designed to “provide common names for publicly known problems” with the design of “[allowing] vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services.”

CVE is one of many sources of vulnerability information available. As his own article points out, as well as this report and many other articles, CVE is not a vulnerability database and generally not associated with providing the “latest” information.

2 – “The U.S. National Vulnerability Database (NVD) trails China’s National Vulnerability Database (CNNVD) in average time between initial disclosure and database inclusion (33 days versus 13 days) — China isn’t directly integrated in managing CVEs, but are still able to report vulnerabilities more rapidly than the U.S.”

Mr. Ladd’s analysis is interesting and largely confirms what RBS has known and reported for a long time. Although CNNVD may be quicker to populate their database with some CVE IDs, organizations focused on NVD vs. CNNVD are missing the larger issue: Both sources (CNNVD and NVD) are not vulnerability databases that can be depended upon to provide vulnerability intelligence to protect your network. Ultimately, those 13 days or 33 days will not matter if the vulnerability used to exploit your organization is not found in either source.

3 – “CNNVD actively gathers vulnerability information across the web. NVD should do this but instead waits for voluntary submission by vendors.”

As stated above, this would be a task MITRE would have to undertake. Unfortunately, even with such a drastic change for MITRE’s process, CVE, NVD, and CNNVD will still be far behind more mature services. This is part of the VulnDB methodology and has resulted in us having all of those CVE IDs mentioned above in our database, and more, while still marked as RESERVED in CVE. More important, that methodology is why there is such a huge difference in the number of vulnerabilities aggregated by RBS over MITRE as we continually find additional vulnerabilities not included in CVE-based databases.

The Register article ends with a quote from Katie Moussouris, who said “NVD is run by a small group with limited resources. Most who need real time vulnerability info don’t rely on it. Commercial services fill that role.” Ms. Moussouris is absolutely correct. Companies serious about information security cannot rely solely on CVE, NVD, or CNNVD if they want to protect their organization’s assets. Finally, please don’t conclude from Ms. Moussouris’ comment that more tax dollars could fix the shortcomings in NVD. In our opinion, the issue is more about a lack of vulnerability expertise, process efficiency and the mission to provide a comprehensive and timely vulnerability intelligence database.