457 lines
14 KiB
Plaintext
457 lines
14 KiB
Plaintext
|
|
|
|
The Mark Tabas encounter series
|
|
presents...
|
|
|
|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Better Homes and Blue Boxing
|
|
Part ii
|
|
Practical Applications
|
|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
(It is assumed that the reader has read
|
|
and understood Part i of this series).
|
|
|
|
The essential purpose of blue boxing
|
|
in the beginning was merely to receive
|
|
toll services free of charge. Though
|
|
this can still be done, blue boxing has
|
|
essentially outlived its usefulness in
|
|
this area. Modern day "extenders" and
|
|
long distance services provide a safer
|
|
and easier way to make free fone calls.
|
|
However, you can do things with a blue
|
|
box that just can't be done with any-
|
|
thing else. For ordinary toll-fraud, a
|
|
blue box is impractical for the
|
|
following reasons:
|
|
|
|
1. Clumsy equipment required (blue
|
|
box or equivalent)
|
|
2. Most boxed calls must be made
|
|
through an extender. Not for
|
|
safety reasons, but for reasons
|
|
I'll explain later.
|
|
3. Connections are often sacrificed
|
|
because considerable distances
|
|
must be dialed to cross a
|
|
seizable trunk, in addition to
|
|
awkward routing.
|
|
|
|
As stated in reason #2, boxed calls
|
|
are usually made through an extender.
|
|
This is for billing reasons. If you
|
|
recall from Part i, 2600Hz is used as a
|
|
"supervisory" signal. That is, it
|
|
signals the status of a trunk--
|
|
"on-hook" or "off-hook." When you
|
|
seize a trunk (by briefly sending
|
|
2600Hz), your end (the CALLING end)
|
|
goes on hook for the duration of the
|
|
2600Hz and then goes off-hook once
|
|
again when the 2600Hz is terminated.
|
|
The CALLED end recognizes that a call
|
|
is on the way and attaches a register,
|
|
which inerprets the digits which are
|
|
to be sent. Now, understand that even
|
|
though your end has come off-hook
|
|
(no 2600Hz present), the other end is
|
|
still on-hook. You may wonder then,
|
|
why, if the other end (the CALLED end)
|
|
is still on-hook, there is no 2600Hz
|
|
coming the other way on the trunk,
|
|
when there should be. This is correct.
|
|
2600Hz *IS* present on the trunk when
|
|
you seize it and afterwards, but you
|
|
cannot hear it because of a Band
|
|
Elimination Filter (BEF) at your
|
|
central office.
|
|
Back to the problem. Remember that
|
|
when you seize a trunk, 2600Hz is
|
|
indeed coming the other way on the
|
|
trunk because the CALLED end is still
|
|
on-hook, but you don't actually hear
|
|
it because of a filter. However, the
|
|
Bell equipment knows it's there (they
|
|
can "hear" it). The presence of the
|
|
2600Hz is telling the billing equip-
|
|
ment that your call has not yet been
|
|
completed (i.e., the CALLED end is
|
|
still on-hook). When finally you do
|
|
connect with your boxed call, the
|
|
2600Hz from the called end terminates.
|
|
This tells the billing equipment that
|
|
someone picked up the fone at the
|
|
CALLED end and you should begin to be
|
|
billed. So you do start to get billed,
|
|
but for the call to the trunk, NOT the
|
|
boxed call. Your billing equipment
|
|
thinks that you've connected with the
|
|
number you used to seize the trunk.
|
|
|
|
Illustration:
|
|
|
|
1. You call 1+806-258-2222
|
|
(directly)
|
|
2. Status of trunks:
|
|
|
|
<----------------------------------->
|
|
(You) 806-258-2222
|
|
No 2600Hz-------> <------------2600Hz
|
|
|
|
When you seize a trunk (before the
|
|
number you called answers) there is
|
|
no affect on your billing equipment.
|
|
It simply thinks that you're still
|
|
waiting for the call to complete
|
|
(the CALLED end is still on-hook; it
|
|
is ringing, busy, going to recorder
|
|
or intercept operator.
|
|
Now, let's say that you've sezied
|
|
a trunk (806-258-2222) and for example,
|
|
KP+314+949+1705+ST. The call is routed
|
|
from the tandem you seized to:
|
|
314-949-1705.
|
|
|
|
Illustration:
|
|
|
|
<------------------>O<--------------->
|
|
(You) 806 314-949
|
|
tandem
|
|
No 2600Hz----------> <----------2600Hz
|
|
|
|
Note that the entire path towards
|
|
the right (the CALLED end) has no
|
|
2600Hz present and is therefore "off-
|
|
hook." The entire path towards the left
|
|
(the CALLING end) does have 2600Hz
|
|
present on it, indicating that the
|
|
CALLED end has not picked up (or come
|
|
"off-hook"). When 314-949-1705 answers,
|
|
"answer supervision" is given and the
|
|
2600Hz towards the left (the CALLING
|
|
end) terminates. This tells your
|
|
billing equipment, which thinks that
|
|
you're still waiting to be connected
|
|
with 806-258-2222, that you've
|
|
finally connected. Billing then begins
|
|
to 806-258-2222. Not exactly an
|
|
auspicious beginning for an aspiring
|
|
young phone phreak.
|
|
To avoid this, several actions may
|
|
be taken. As previously mentioned,
|
|
one may avoid being charged for the
|
|
number called to seize a trunk by
|
|
using an extender (in which case the
|
|
extender will get billed). In some
|
|
areas, boxing may be accomplished
|
|
using an 800 number, generally in the
|
|
format of 800-858-xxxx (many Amarillo
|
|
numbers) or 800-NN2-xxxx (special
|
|
intra-state class in-WATS numbers).
|
|
However, boxing off of 800 numbers is
|
|
impossible in many areas. In my area,
|
|
Denver, I am served by #1A ESS and it
|
|
is impossible for me to box off of
|
|
any 800 number.
|
|
Years ago, in the early days of blue
|
|
boxing (before my time), phreaks often
|
|
used directory assistance to box off
|
|
of because they were "free" long
|
|
distance calls. However, because of
|
|
competetive long distance companies,
|
|
directory assistance surcharges are
|
|
now $0.50 in many areas. It is
|
|
additionally advised that directory
|
|
assistance numbers not be used to box
|
|
from because of the following:
|
|
Average DA calls last under 2
|
|
minutes. When you box a call, chances
|
|
are that it will last considerably
|
|
longer. Thus, the Bell billing equip-
|
|
ment will make a note of calls to
|
|
directory assistance that last a long
|
|
time. A call to a directory assistant
|
|
lasting for 4 hours and 17 minutes
|
|
may appear somewhat suspicious.
|
|
Although the date, time, and length
|
|
of a DA call do not appear on the bill,
|
|
it is recorded on AMA tape and will
|
|
trip a trouble report if it were to
|
|
last too long. This is how most
|
|
phreaks were discovered in the old
|
|
days. Also, sometimes too many calls
|
|
lasting too long to one 800 number
|
|
may raise a few eyebrows at the local
|
|
security office.
|
|
Assuming you can complete a blue box
|
|
call, the following are listed routings
|
|
for various Bell internal operators.
|
|
These are in the format of KP+NPA+
|
|
special routing+1X1+ST, which I will
|
|
explain later. The 1X1 is the actual
|
|
operator routing, and NPA and NPA+
|
|
special routing are used for out-of-
|
|
area code calls and out-of-area code
|
|
calls requiring special routing,
|
|
respectively.
|
|
|
|
KP+101+ST ...... toll test board
|
|
KP+121+ST ...... inward op
|
|
KP+131+ST ...... directory assistance
|
|
KP+141+ST ...... was rate & route. Now
|
|
only works in 312, 815, 717,
|
|
and a few others. It has
|
|
been replaced with a univer-
|
|
sal rate & route number,
|
|
800+141+1212.
|
|
KP+151+ST ...... overseas completion
|
|
operator (inbound). Works
|
|
only in certain NPAs, such as
|
|
303.
|
|
KP+181+ST ...... in some areas, toll
|
|
station for small towns
|
|
|
|
Thus, if you seize a trunk in 806 NPA
|
|
and wanted an inward (in 806), then you
|
|
would dial KP+121+ST. If you wanted a
|
|
312 inward and were dialing on an 806
|
|
trunk, an area code would be required.
|
|
Thus, you would dial KP+312+121+ST.
|
|
Finally, some places in the network
|
|
require special routing, in addition to
|
|
an area code. An example is Franklin
|
|
Park, Ill. It requires a special
|
|
routing of 032. For this, you would
|
|
dial KP+312+032+121+ST for a Franklin
|
|
Park inward operator.
|
|
Special routings are in the format
|
|
of 0XX. They are used primarily for
|
|
load balance, so that traffic flow
|
|
may be evenly distributed. About half
|
|
of the exchanges in the network
|
|
require special routing. Note that
|
|
special routings are NEVER EVER EVER
|
|
used to dial normal telephone numbers,
|
|
only operators.
|
|
|
|
Operator functions:
|
|
|
|
TOLL TEST BOARD- Generally a cordboard
|
|
position that assists in trunk testing.
|
|
They are not used by operators, only
|
|
switchmen.
|
|
|
|
INWARD- Assists the normal TSPS (0+)
|
|
operator in completing calls out of
|
|
the TSPS's area. Also, inwards perform
|
|
emergency inerrupts when the number to
|
|
be interrupted is out of the area code
|
|
of the original (TSPS) operator. For
|
|
example, a 303 operator has a customer
|
|
that needs an emergency interrupt on
|
|
215-647-6969. The 303 operator gets
|
|
the routing for the inward that covers
|
|
215-647, since she cannot do the
|
|
interrupt herself. The routing is
|
|
found to be only 215+ (no special
|
|
routing required). So, the 303 operator
|
|
keys KP+215+121+ST. An inward answers
|
|
and the 303 says to her, "Inward, this
|
|
is Denver. I need an emergency
|
|
interrupt on 215-647-6969. My
|
|
customer's name is Mark Tabas." The
|
|
inward will then do the interrupt (off
|
|
the line, of course). If the number to
|
|
be interrupted had required special
|
|
routing, such as, say, 312-456-1234
|
|
(spec routing 032), then the 303
|
|
operator would dial KP+312+032+121+ST
|
|
for the inward to do that interrupt.
|
|
|
|
DIRECTORY ASSISTANCE- These are the
|
|
normal NPA+555+1212 operators that
|
|
assist customers with obtaining
|
|
telefone directory listings. Not much
|
|
toll-fraud potential here, except
|
|
maybe $0.50.
|
|
|
|
RATE AND ROUTE- These operators are
|
|
reached by dialing KP+800+141+1212+ST.
|
|
They assist normal (TSPS) operators
|
|
with rates and routings (thus the
|
|
name). The only uses I typically have
|
|
for them are the following:
|
|
|
|
1. Routing information. In the above
|
|
example, when the 303 operator needed
|
|
to dial an inward that served 215-647,
|
|
she needed to know if any special
|
|
routing was required and, if so, what
|
|
it was. Assuming she would use rate
|
|
and route, she would dial them and say
|
|
nicely, "Operator's route, please, for
|
|
215-647." Rate & route would respond
|
|
with "215 plus." This means that the
|
|
operator would dial KP+215+121+ST to
|
|
reach the inward that serves 215-647.
|
|
If there were special routing required,
|
|
such as in 312-456, rate & route would
|
|
respond with "312 plus 032 plus." In
|
|
that case, the operator would dial
|
|
KP+312+032+ST for the inward that
|
|
serves 312-456.
|
|
It is good practice to ask for
|
|
"operator's route" specifically, as
|
|
there are also "numbers route" and
|
|
"directory routes." If you do not
|
|
specifically ask for operator's route,
|
|
rate & route will generally assume
|
|
that is what you want anyway.
|
|
"Numbers" route refers to overseas
|
|
calls. Example, you want to know how to
|
|
reach a number in Geneva, Switzerland
|
|
(and you already have the number). You
|
|
would call routing and say "Numbers
|
|
route, please, Geneva, Switzerland."
|
|
The operator would respond with:
|
|
"Mark 41+22. 011+041+ST (plus) 041+22"
|
|
The "Mark 41+22" has to do with
|
|
billing, so disregard it. The 011+041
|
|
is access to the overseas gateway (to
|
|
be discussed in Part iii) and the 041+
|
|
22+ is the routing for Geneva from the
|
|
overseas sender.
|
|
"Directory" routings are for directory assistance overseas. Example:
|
|
you want a DA in Rome, Italy. You would
|
|
call rate & route and say, "Directory
|
|
routing please, for Rome, Italy." They
|
|
would respond with "011+039+ST (plus)
|
|
039+1108 STart." As in the previous
|
|
example, the 011+039 is access to the
|
|
overseas gateway. The 039+1108 is a
|
|
directory assistant in Rome.
|
|
|
|
2. Nameplace information. Rate & Route
|
|
will give you the location of an NPA+
|
|
exchange. Example: "Nameplace please,
|
|
for 215-648." The operator would
|
|
respond with "Paoli, Pennsylvania."
|
|
This isn't especially useful, since you
|
|
can get the same information (legally)
|
|
by dialing 0, but using rate & route is
|
|
often much faster and it avoids having
|
|
to hang up when you are already on a
|
|
trunk.
|
|
|
|
*NOTE on Rate & Route: As a blue boxer,
|
|
always ask for "IOTC" routings. (e.g.,
|
|
"IOTC operator's route", "IOTC numbers
|
|
route", etc.) This tells them that you
|
|
want cordboard-type routings, not TSPS,
|
|
because a blue boxer is actually just a
|
|
cordboard position (that Bell doesn't
|
|
know about).
|
|
|
|
OVERSEAS COMPLETION OPERATOR (inbound)-
|
|
These operators (KP+151+ST) assist in
|
|
the completion of calls coming in to
|
|
the United States from overseas. There
|
|
are KP+151+ST operators only in a few
|
|
NPAs in the country (namely 303). To
|
|
use one, you would seize a trunk and
|
|
dial KP+303+151+ST. Then you would
|
|
tell the operator, for example,
|
|
"This
|
|
is Bangladesh calling. I need U.S.
|
|
number 215-561-0562 please." [in a
|
|
broken Indian accent]. She would
|
|
connect you, and the bill would be
|
|
sent to Bangladesh (where I've been
|
|
billing my KP+151+ST calls for two
|
|
years).
|
|
|
|
Other internal Bell Operators.
|
|
|
|
KP+11501+ST ...... universal operator
|
|
KP+11511+ST ...... conference op
|
|
KP+11521+ST ...... mobile op
|
|
KP+11531+ST ...... marine op
|
|
KP+11541+ST ...... long distance
|
|
terminal
|
|
KP+11551+ST ...... time & charges op
|
|
KP+11561+ST ...... hotel/motel op
|
|
KP+11571+ST ...... overseas (outbound)
|
|
op
|
|
|
|
These 115X1 operators are identical
|
|
in routing to the 1X1 operators listed
|
|
previously, with one exception. If
|
|
special routing is required (0XX),
|
|
then the trailing 1 is left off.
|
|
|
|
Examples:
|
|
|
|
A 312 universal op ... KP+312+11501+ST
|
|
A Franklin Park (312-456) universal
|
|
op (special routing 032 required)....
|
|
................... KP+312+032+1150+ST
|
|
[The trailing 1 of 11501 is left off].
|
|
|
|
Purposes of 115X1 operators.
|
|
|
|
UNIVERSAL- Used for collect/callback
|
|
calls to coin stations.
|
|
|
|
CONFERENCE- This is a cordboard
|
|
conference operator who will set up a
|
|
conference for a customer on a manual
|
|
operation basis.
|
|
|
|
MOBILE- Assists in completion of calls
|
|
to mobile (IMTS) type telefones
|
|
|
|
MARINE- Assists in completion of calls
|
|
to ocean going vessels.
|
|
|
|
LONG DISTANCE TERMINAL- Now obsolete.
|
|
Was used for completion of long
|
|
distance calls.
|
|
|
|
TIME & CHARGES- Will give exact costs
|
|
of calls. Used to time calls and
|
|
inform customer of exactly how much
|
|
it cost.
|
|
|
|
HOTEL/MOTEL- Handles calls to/from
|
|
hotels and motels.
|
|
|
|
OVERSEAS COMPLETION (outbound)- assists
|
|
in completion of calls to overseas
|
|
points. Only works in some, if any
|
|
NPAs, because overseas assistance has
|
|
been centraized to IOCC (covered in
|
|
Part iii).
|
|
|
|
Note that all KP+1X1+ST and
|
|
KP+115X1+ST operators automatically
|
|
assume that you are a TSPS or cordboard
|
|
operator assisting a customer with a
|
|
call. DO NOT DO ANYTHING TO JEOPARDIZE
|
|
THIS! If you do not know what to do,
|
|
don't call these operators! Find out
|
|
what to do first.
|
|
|
|
This concludes Part iii. There is
|
|
one final part in which I will explain
|
|
overseas dialing, IOCC (International
|
|
Overseas Completion Centre), RQS
|
|
(Rate/Quote System), and some basic
|
|
scanning.
|
|
|
|
.......................................
|
|
(c) February 6, 1900 Mark Tabas
|
|
.......................................
|
|
|
|
|