Phrack Inc. Volume Two, Issue Eleven, Phile #1 of 12 Index 21787 Welcome to Issue Eleven o

---
Master Index Current Directory Index Go to SkepticTank Go to Human Rights activist Keith Henson Go to Scientology cult

Skeptic Tank!

==Phrack Inc.== Volume Two, Issue Eleven, Phile #1 of 12 Index ~~~~~ 2/17/87 Welcome to Issue Eleven of the Phrack Inc. electronic newsletter. This issue, I was a bit more reliable about getting the issue out (yes, only 3 days late!). This issue did not come together as easily as I would have hoped due to a number of people being difficult to get a hold of or getting their files, but I filled their places in with other files, so if you had been told you would have a file in this issue, get in contact with me so that it will be featured in Issue Twelve. The following files are featured in this edition of Phrack Inc.: #1 Index to Phrack Eleven by Taran King (1.7K) #2 Phrack Pro-Phile VIII on Wizard of Arpanet by Taran King (6.8K) #3 PACT: Prefix Access Code Translator by The Executioner (7.6K) #4 Hacking Voice Mail Systems by Black Knight from 713 (6.0K) #5 Simple Data Encryption or Digital Electronics 101 by The Leftist (4.1K) #6 AIS - Automatic Intercept System by Taran King (15.9K) #7 Hacking Primos I, II, III by Evil Jay (6.7K) #8 Telephone Signalling Methods by Doom Prophet (7.3K) #9 Cellular Spoofing By Electronic Serial Numbers donated by Amadeus (15.2K) #10 Busy Line Verification by Phantom Phreaker (10.0K) #11 Phrack World News X by Knight Lightning #12 Phrack World News XI by knight Lightning Taran King Sysop of Metal Shop Private ==Phrack Inc.== Volume Two, Issue Eleven, Phile #2 of 12 ==Phrack Pro-Phile VIII== Written and Created by Taran King 2/17/87 Welcome to Phrack Pro-Phile VIII. Phrack Pro-Phile is created to bring info to you, the users, about old or highly important/controversial people. This month, I bring to you one of the older and high profile phreaks of the past... Wizard of Arpanet ~~~~~~~~~~~~~~~~~ Wizard of Arpanet is one of the older of the phreak/hack generation. His main accomplishments include running Inner Circle and Secret Service BBS. Handle: Wizard of Arpanet Call him: Eric Past handles: The Hacker and The Priest Handle Origin: A real programmer on Arpanet was called The Wizard and Eric took his handle from him. Date of Birth: 02/26/69 Age in 9 days of this writing: 18 years old Height: 6'1" Weight: 150 lbs Eye color: Blue Hair color: Dishwaterish blond Computers: Atari 400, Commodore 64 Sysop/Co-sysop of: Secret Service ------------------------------------------------------------------------------ Wizard of Arpanet started as your average BBS caller. He eventually called Central Processing Unit (a local board to him), and there were these funny numbers on the board. He called and tried to connect with his modem, but they turned out to be Sprint dial-ups. The CPU Sysop informed him of what to do and he started calling national BBSs. Boards that helped him to advance include the Twilight Zone (the sysop was the guy that wrote T-Net), OSUNY, Dragon's Lair, and Delta BBS. Wizard organized various groups which included (from earliest to most recent): PHA (Phreakers and Hackers of America) - (included Deep Throat, Phreak King, and Psycho Killer), The Inner Circle (1st one) (included Shockwave Rider, and Satan Knight aka Redrum), and The 2nd Inner Circle (included The Cracker, Mr. America, Napoleon Bonapart, Stainless Steal Rat, Big Brother, Mr. Xerox, Bootleg, Maxwell Wilke, Mandrake The Magician, and Zaphod Beeblebrox). Eric got the number to Arpanet from Dark Dante, and got on the MIT Research System from looking through TAC News. One night he got like 50-60 accounts on the Unix and changed all of the passwords to WIZARD. Stainless Steal Rat, the Sysop of Delta BBS, and The Myth were all up from NJ one weekend, and they were staying the weekend at John Maxfield's house. They went to John's office. Wizard asked Maxfield if he could use his computer to print out some things he had with him and he printed out some stuff from the Stanford Artificial Intelligence address list for Arpanet. John was amazed. "Wow," he said, "I have prime evidence on you." (TK: This may not for sure be an exact quote). He then proceeded to bust our friend, Eric, the next week. He also had a lot of stuff from AUTOVON from some fellow in Washington and started playing with the FTS lines (Federal Telephone System) which he found from, none other than, John Maxfield. They had found the default passwords for TeleMail too, and got the administrator accounts and set up their own BBS on Nassau and Coca-Cola systems plus anywhere else possible. And all of a sudden, it all came down when Mandrake decided to crash parts of TeleMail. Enter, Federal Bureau of Investigations. They had been monitoring Eric for 6 months looking for some evidence to get him on. And thus, they got it. Nothing really happened, but he had to get a lawyer and he got some publicity in the paper. After 90 days, everything they had taken, with the exception of a few documents, was sent back. During those 90 days, Eric worked as a computer security consultant at a bank making $200 an hour (2 hours...). The only "phreaks" he's met are Stainless Steal Rat and Cable Pair. Eric has been mentioned on local TV/News, in newspapers, USA Today, NY Times, Washington Post, Books, and Britannica Encyclopedia (look under Hacker). ------------------------------------------------------------------------------ Interests: Music (preferably jazz, reggae, new wave), Eastern philosophy (Zen Buddhism), reading Jack Kerouac books (a great beatnik writer), driving aimlessly, slowly becoming a social recluse, physics, and Greek mathematicians. Eric's Favorite Things ---------------------- Women: The pursuit thereof (Karen Wilder). Foods: Chinese. Cars: BMW 320-I. Artist: Salvador Dali. Plans for next few months: Next year and a half - travelling to Montreal in April for a week of leisure, then jetting back to beautiful Detroit and continuing his studies at Eisenhower High School. Most Memorable Experiences -------------------------- Realizing all at once that everything you did 3 years ago was stupid. Growing into a new person. Gaining morals and new ideas and a new outlook. Some People to Mention ---------------------- Tuc (For telling him about boxing). Tom Tone (For calling him on his first conference). Magnetic Surfer (Talking to him for the first time after Sherwood Forest went down voice). John Maxfield (Meeting him). Stainless Steal Rat (Meeting him...with John Maxfield). Dark Dante (One of the legends phreakdom). ------------------------------------------------------------------------------ Always follow your instinct and not your desire for you will be sorry because you will be lying to yourself. ------------------------------------------------------------------------------ I hope you enjoyed this file. Look forward to more Phrack Pro-Philes coming in the near future. ...And now for the regularly taken poll from all interviewees. Of the general population of phreaks you have met, would you consider most phreaks, if any, to be computer geeks? No, says Eric, he considers them a new breed of intellect. Thanks for your time, Eric. Taran King Sysop of Metal Shop Private ==Phrack Inc.== Volume Two, Issue Eleven, Phile #3 of 12 .___. .___. |___| |___| | | /^\ /^\ [+]PLP[+]------------------------------------------[+]PLP[+] \^/ ^ ^ \^/ |S| P ^[+]The Executioner[+]^ P |S| |e| PLP ^[+]PhoneLine Phantoms![+]^ PLP |e| |x| P _____[+]The Network Technicians[+]______ P |x| |y| ^ ------------------------ ^ |y| |-| [+] PACT: Prefix Access Code Translator [+] |-| |T| ^ ==================================== ^ |T| |N| [+]Written for PHRACK Inc. Issue Eleven.[+] |N| |T| |T| |-|_______. Call Phreak Klass, Room 2600 ._______|-| |PHRACK XI| [806][799][0016] Login:EDUCATE |PHRACK XI| --------| |________________________________| |-------- |____________________________________| The PACT (Prefix Access Code Translator) feature provides preliminary translation data for features using access codes that are prefixed by a special code. A standard numbering and dialing plan requires that individual line and small business customers' (custom) calling use prefixed access code dialing for feature access. PACT is offered on a per office basis. The PACT is NOT used for the interpretation of Centrex dialing customers. When a call is originated by the customer, a call register is used to store the data about the call. The customer dials a prefix and a 2 digit access code (table a). The PACT then looks at the digits to determine what action should take place. Reorder or special service error messages will be heard if you enter an unassigned code. If the code is accepted, then that particular action will be performed. The PACT consists of the PACT head table and the prefixed access code translator. The PACT feature allows the dialing of a special code for a prefix. These are the '*' and '#'. If you have rotary, then '11' and '12' are used respectively. To use PACT, the prefix must be followed by a 2-digit code. This combination is then defined in terms of type and subtype (table b). TABLE A ____________________________________________________________ | Access Code | Description of function | |________________________|_________________________________| | *2X - *3X (x= 0-9) | Growth to 2 or 3 digit codes | | | (Future may call for these) | | | | | *4X - *5X - *7X | Local Area Signalling Services | | | | | *72 | Call Forwarding Activation | | | | | *73 | Call Forwarding Deactivation | | | | | *74 | 1-digit speed dialing | | | | | *75 | 2-digit speed dialing | | | | | #56 | Circuit Switched Digital | | | Capability | |________________________|_________________________________| The subtranslator is always built 100 words long. A word is a binary code which, when sent as a whole, act as a command. One word is equal to a 2-digit access code. This subtranslator contains the PTW (Primary Translation Word). The PTW contains the feature type subtype and feature subtype index to determine the function of the dialed code. The feature subtype allows four subtype tables to exist for feature type 31 (LASS). Index 0 is for LASS. Index 1 is used for LASS on a pay per usage basis. Index 2 and 3 are currently not used. TABLE B (written in report form) ================================ Feature Type: 0 (Unassigned) Feature Type: 1 (1-digit abbr. dialing) Subtypes: 0 (Speed Call) 1 (Change the Speed Call List) 2 (Invalid) Feature Type: 2 (2-digit dialing.) Subtypes: (Same as Feature 1) Feature Type: 3 (Circuit Switch Digital Capability) Subtype: 1 (CSDC 56 kilo bit service) Feature Type: 4 (Usage Sensitive 3-way) Feature Type: 5 (Cancel Call Waiting) Feature Type: 20 (Call Forwarding Activate) Feature Type: 21 (Call Forwarding deactivate) Feature Type: 22 (Project Acct. Service (Autoplex)) Feature Type: 26 (Customer changeable Inter LATA carrier) Feature Type: 27 (Voice/Data Protection) Feature Type: 28 (MDS-Message Desk Service) Subtypes: 0 (MDS activation) 1 (MDS deactivation) Feature Type: 30 (Residence Data Facility Pooling) Feature Type: 31 (Local Area Signalling Services-LASS) [index 0] Subtypes: 0 (AR-Automatic Recall {Incoming Calls}) 1 (AR-Outgoing calls) 2 (AR activation incoming/outgoing) 3 (AR deactivation) 4 (Customer Originated Trace Activation) 5 (Distinctive Alert Activation) 6 (ICLID activation) 7 (Selective Call Rejection Activation) 8 (Selective Call Forwarding activation) 9 (Private Call Activation) 10 (Distinctive Alert -OFF) 11 (ICLID-OFF) 12 (SCR-OFF) 13 (SCF-OFF) 14 (Private Call-OFF) 15 (Distinctive Alert ON/OFF) toggle for opposite 16 ICLID toggle on/off 17 SCR toggle on/off 18 SCF toggle on/off 19 Private Call on/off 20 Selective Call Acceptance-ON 21 SCA OFF 22 SCA toggle on/off 23 (Computer Access Restriction) on 24 CAR off 25 CAR on/off 26-31 (reserved for future LASS functions) Index 1 Pay Per View subtype: 0 (Order placement) 1 (Order Cancel) The PACT function is extremely important for LASS functions. PACT is what lets you tell your switch what you want done. Without the PACT, communication between you and your CO would not exist. PACT is the base foundation for the use access codes. ============================================================ = If you have any questions or comments, please leave mail = = either on Phreak Klass Room 2600 or at 214-733-5283. = ============================================================ = (c) The Executioner/PLP/TNT = ============================================================ ==Phrack Inc.== Volume Two, Issue Eleven, Phile #4 of 12 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ +=+ Hacking Voice Mail Systems +=+ +=+ Written for Phrack XI +=+ +=+ by:-> Black Knight from 713 +=+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Voice Mail is a relatively new concept and not much has been said about it. It is a very useful tool for the business person and the phreak. The way it works is that somebody wishing to get in touch with you calls a number, usually a 1-800, and punches in on his touch-pad your mailbox number and then he is able to leave a message for you. Business experts report that this almost totally eliminates telephone tag. When a person wishes to pick up his message all he needs to do is call the number enter a certain code and he can hear his messages, transfer them, and do other misc. mailbox utilities. Most VMSs are similar in the way they work. There are a few different ways the VMSs store the voice. One way is that the voice is recorded digitally and compressed and when heard it is reproduced back into the voice that recorded it. Another method that is slower and uses more space, but costs less, stores the voice on magnetic tape, the same type that is used to store data on a computer, and then runs the tape at a slow speed. Using this method the voice does not need to be reproduced in any way and will sound normal as long as the tape is running at a constant speed. On some of the newer VMSs the voice is digitally recorded and is transformed from the magnetic tape at about 2400 bits per second. There are many different types and versions of voice mail systems. Some of the best and easiest to get on will be discussed. Centagram --------- These are direct dial (you don't have to enter a box number). To get on one of these, first have a number to any box on the system. All of the other boxes will be on the same prefix; just start scanning them until you find one that has a message saying that person you are calling is not available. This usually means that the box has not been assigned to anybody yet. Before the nice lady's voice tells you to leave the message, hit #. You will then be prompted for your password. The password will usually be the same as the last four digits of the box's number or a simple number like 1000, 2000, etc. Once you get on, they are very user friendly and will prompt you with a menu of options. If you can't find any empty boxes or want to do more, you can hack but the system administrators box, which will usually be 9999 on the same prefix as the other boxes, will allow you to hear anybody's messages and create and delete boxes. Sperry Link ----------- These systems are very nice. They will usually be found on an 800 number. These are one of the hardest to get a box on because you must hack out a user ID (different from the person's box number) and a password. When it answers, if it says, "This is a Sperry Link voice station. Please enter your user ID," you will have to start trying to find a valid user ID. On most Sperrys it will be a five digit number. If it answers and says, "This is an X answering service," you first have to hit *# to get the user number prompt. Once you get a valid user number will have to guess the password on most systems, it will be 4 digits. Once you get in, these are also very user friendly and have many different options available. RSVP ---- This is probably one of the worst VMSs but it is by far the easiest to get yourself a box. When it answers you can hit * for a directory of the boxes on it (it will only hold 23). If you hit # you will be given a menu of options and when you choose an option you will then be prompted for your ID number. The ID number on an RSVP system will just about always be the same as the mailbox number, which are always only 2 digits. A.S.P.E.N. ---------- The Aspen voice message systems made by Octel Telecommunications is in my opinion the BEST VMS made. To get a box on an Aspen, you need to find an empty box. To find an empty box, scan the box numbers and if one says, "You entered XXXX. Please leave a message at the tone," then this is an empty box. You next just press # and when prompted for your box number enter the number of the empty box and friendly voice of the nice lady will guide you through all of the steps of setting up your box. She first tells you what you can do with the box and then will prompt you with, "Please enter the temporary password assigned to you by your system manager." This password will usually be 4 digits long and the same as the box number like 1000, etc. Once you get on their are many things you can do. You can make a distribution list where if you want to leave a certain message to more than one person, you can enter the list number and all of the boxes on the list will get the message. You can also have the system call you and notify you that you have new messages. These systems also have what they call "Information center mailboxes" that are listen only and can also have a password on them so the person calling has to enter the password before he hears the greeting message. Aspen VMSs have a system managers mailbox that will just about give you total control of the whole system and let you listen to people's mail, create and delete boxes, and many other things. Thank you for reading this file and if you would like to get in touch with me VIA VOICE MAIL call 1-800-222-0311 and hit *2155. //--Black Knight from 713--\\ | for PHRACK XI (1987) | \\--++--++--++--++--++--++-// ==Phrack Inc.== Volume Two, Issue Eleven, Phile #5 of 12 {Simple Data Encryption} By:{The Leftist} Prologue: Well, it's been awhile since I've done one of my activities files. This time I've switched from chemistry to electronics. Hopefully, I will be writing more files similar to this one. Also, I have devised a more sophisticated encryption device, which I may release in the future Do you run a BBS, living in fear that the "feds" are gonna log on, and fool you into giving them a password? Do you wish that you could limit exactly WHO logs onto your board? Well, this file is just for you.. Parts: 1:9 volt battery 1: 74hc/hct04 cmos hex inverter Some basic knowledge of electronics might help, and some wire would be helpful too. If you want to be fancy you can even splurge and get a 9 volt connector. Note: Although it is not required that you put this on an etched PC board, you can do this quite easily, and it makes for a much cleaner job. Ok, the basic idea behind this scheme is this: Data coming to and going from your modem is translated as 1's and 0's. This represents highs and lows, which translate out to code which your computer recognizes as valid data. Now, if you could switch all those 1's to 0's, and 0's to 1's, then you would have a simple way of encrypting your data. That's exactly what the hex inverter does. If it sees a 0, it makes it a 1. If it sees a 1, it makes it a 0. So, what you want to do is have an inverter on your send line, and an inverter on your receive line. The computer you are connected to must also have inverters on its send and receive, or all you will see will be garbage! I tried to be as non-technical as possible in this for all you non-technical types out there. Connections: Hold the chip, and look at it. There should be a little notch in one end. Hold it as illustrated in the schematic: (80 columns) ______________________________ | | 14 13 11 12 10 9 8 | | | | | | | | | __________________ | | | |_ to positive on battery \ 74hc/hct04 | / | |__________________| to negative on battery | | | | | | | | 1 2 3 4 5 6 7______________| | | | | | | | |_________________________________to computer port | | |_______________________________from modem | |________________________________________________to modem conn. |________________________________________________ from computer port Ok, hook the + 9volts up to pin 14, and the negative up to pin 7. There are 6 inverters on this chip. For this, we will be using only 2 of them. Find the wire coming from your computer to the send data line on your modem. Sever this wire, and hook one side of it to pin 1. Hook the other end of it to pin 2. Next, find the receive data line, and sever it. Hook one end of it to pin 3, the other end to pin 4. That's about it.. if you want to use the other inverters on the chip, here's the complete pinouts. Pin# Name and function ---- ----------------- 1,3,5,9,11,13 Data inputs --------------------------------- 2,4,6,8,10,12 Data outputs --------------------------------- 7 Ground --------------------------------- 14 VCC --------------------------------- Remember, that your BBS modem must have one of these devices on it, as well as the user calling. I have tested this on Smartmodems, and it does work. If you have an internal modem, this may be a little difficult for you. ==Phrack Inc.== Volume Two, Issue Eleven, Phile #6 of 12 Taran King Presents... AIS - Automatic Intercept System The DAIS II System by Computer Consoles Incorporated INTRODUCTION... ~~~~~~~~~~~~~~~ Computer Consoles Incorporated (CCI) manufactures various hardware appliances to be used in conjunction with phone companies switches as well as other aspects of the companies' uses, plus computer systems such as their own Unix-supporting systems. DAIS II is the Distributed Automatic Intercept System, which is the system used to announce if the subscriber has dialed a non-working number. This is what you hear, in action, when you dial a wrong number and get the 3 tones plus the announcement or the ONI (Operator Number Identification) intercept operator ("What number did you dial?"). The information from this file comes mostly from an instructional manual sent to me by CCI, who can be reached at 800-833-7477 or 716-482-5000 directly, or may be written to at 97 Humbolt Street, Rochester, NY, 14609. INTERCEPTION ~~~~~~~~~~~~ Most definitely any person who has used a telephone in his life has, by some means or another, come across the dreaded 3 tones, leading up to the ever-so-cumbersome announcement telling of the disconnected or non-working number. This file will go into how the whole system works. After dialing the non-working number, the telco's Class 5 End Office routes the call to DAIS II. ANI Calls ~~~~~~~~~ Provided that the End Office has Automatic Number Identification (ANI) equipment, the equipment then identifies the digits of the called number and sends them to the intercept system. The system receives the called number from the end office, retrieves information for that number from the intercept database, formulates the message, and delivers it to the customer in an automated announcement. These announcements can either be standardized or tailored to the independent telephone companies' needs. If further assistance is required, the caller can then stay on the line and wait for an operator to come onto the line. ONI Calls ~~~~~~~~~ When the End Office is primitive, and they don't have the ANI equipment to do the above ritual, operators are directly involved. These operators are also called into action when there is an ANI or DAIS II failure. When the ONI (Operator Number Identification) call comes in, DAIS II routes the call to the operator. The operator asks for the number that the customer called and then keys it into her KDT (Keyboard Display Terminal). After she hits the command key, the number's information is searched for in the intercept database, the message is formulated, and the automated response is announced. Once again, if the caller needs further assistance, an operator will return to the line to help the subscriber. Operators will return to the line for any number of reasons. They include the following: Unsuccessful Searches - After DAIS II receives the called number from ANI equipment or from an operator, it searches the database to find the intercept message associated with the telephone number. The database contains all 10,000 line numbers for each exchange in the calling area. If the system cannot complete the search, the number was either keyed in incorrectly or there is a problem in the system. The call is then routed to an operator and displays the intercepted number (including NPA) on the KDT screen along with a message indicating why the search could not be completed. If the number was keyed in wrong, the operator will correct the number, or else she will ask the subscriber to re-dial the number. Aborted Announcements - If a search is given successful but for one reason or another the automated announcement cannot be given, the call is routed to an operator. The KDT display shows the intercepted number, the appropriate information for a verbal response, and the message, "VERBAL REPORT." In this case, the operator quotes the message to the caller rather than activating the automated response. Reconnects - If a customer remains on the line for more information after receiving the automated announcement, the system routes the call to an operator. The operator's KDT display shows the called number plus other pertinent information given to the caller in the previous announcement. From here, the operator can respond verbally to the customer's needs, or activate the automated system again. The DAIS II system allows up to 4 reconnects per call, but the possible number of reconnects available ranges from 0-3. With 1 reconnect, the operator must report verbally. Split Referrals - If a number has been changed but replaced with two numbers, this is called a "split referral." When the database finds 2 or more numbers, the DAIS II system routes the customer to an operator, displaying the old number and new listings on the KDT screen. The operator then asks which number they are looking for and keys in the command key to activate the announcement, or else they do the announcement verbally. Operator Searches ~~~~~~~~~~~~~~~~~ Situations may arise where the subscriber needs more information than was given by the automated announcement, or believes the information to be invalid. DAIS II provides for operators to have access to both the intercept and the DA databases at all times as long as the system administrator, who judges the extent to which operators can use the cross-search capability, allows it. Components Of The System ~~~~~~~~~~~~~~~~~~~~~~~~ The telco's Class 5 End Offices contain switching equipment that routes calls to DAIS II. If the office has ANI equipment, the switch routes the called digits to the intercept system in the form of multi-frequency tones. The end offices route calls to DAIS II on dedicated (direct) trunks. These direct trunks can carry ANI traffic or ONI traffic, but not both. If trunk concentrators are used, the concentrator trunks to DAIS II may carry ANI calls, ONI calls, or both, depending on the types of trunks coming into the concentrators from the end offices. The call is identified as ANI or ONI through MF tones transmitted by the concentrators. If an operator must be involved (due to ONI or further assistance), DAIS II routes the call to the telco's ACD (Automatic Call Distributor), which is a switching device that routes calls to any available operator. The intercept data base resides on disk in the ARS (Audio Response System). ARS processors known as Audio Response Controllers (ARCs) search the intercept database. If a call requires an operator's services, the Marker Decoder Unit (MDU) provides ACD routing information to the ARC. The DAIS II Automatic Intercept Communications Controllers (AICCs) route messages between the ARCs and the DAIS II subsystems. An intercept subsystem that is housed at the same location as the database is called a Colocated Automated Intercept System (CAIS). A subsystem located at a distance from the database is known as a Local Automated Intercept System (LAIS). Each subsystem can provide automated announcements without using expensive trunking to route ANI calls to a centralized intercept office. Only calls that require operator assistance are routed on trunks to the ARS site. Because those trunks are only held white the operator identifies the number and are released before the announcement begins, trunk requirements are reduced. The automated announcement is always given by the intercept subsystem. Each CAIS or LAIS site contains a Trunk Time Switch (TTS) and DAIS II Audio Response Units (DARUs). Intercept trunks from the concentrators and the Class 5 End Offices terminate at the TTS. When an ONI call comes in on one of these trunks, the TTS routes it to the ACD. When an ANI call comes in, the TTS routes the called number to the ARC. After the ARC retrieves the appropriate message from the database, it sends that information back to the TTS, which connects a DARU port to the trunk on which the call came in. Then, the DARU produces an automated announcement of the message and delivers it to the caller. ARS hardware generates only DA announcements whereas DAIS II hardware generates only intercept announcements. Automatic Intercept Communications Controller (AICC) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The AICC routes messages between the ARC and the TTS. Two units are required to enhance system reliability. Each pair of AICCs can communicate with up to 4 CAIS or LAIS subsystems. The AICCs are similar to the Audio Communications Controllers (ACCs) in the ARS system, but AICCs use a Bisynchronous Communications Module (BSCM) instead of a LACIM. An AICC can be equipped with up to 8 BSCMs, each of which handles one synchronous communication line to the TTS. The BSCM models selected depend on the location of the AICC with respect to the CAIS/LAIS sites. Standard SLIMs (Subscriber Line Interface Modules) are required for communication with the ARC. Trunk Time Switch (TTS) ~~~~~~~~~~~~~~~~~~~~~~~ The TTS has two types of components: the Peripheral Modules (PMs) and the Common Controls (CCs). The PM contains the printed circuit boards that provide the link between the end office's ANI trunks and the ARC and between the ONI trunks and the ACD. The activity of the PM is under direction of the CC A PM rack contains five types of circuit boards: Multi-frequency Receivers (MFRs), Analog Line Front Ends (ALFEs), T1 Front Ends (T1FEs), Peripheral Module Access Controllers (PMACs), and Multi-purpose Peripheral Devices (MPPDs). The MFRs translate the intercepted number from multi-frequency tones to ASCII digits for ANI calls; for ONI calls that come through a trunk concentrator, the MFRs translate the tones sent by the concentrator to indicate an ONI call. Based on the tones, the MFR determines the type of call: regular, trouble, etc. ALFEs convert incoming analog data to digital form so that it can be switched on the digital network. They also convert outgoing digital data back to analog. Incoming ALFEs provide the link between the TTS and the analog trunks from the Class 5 End Offices. Outgoing ALFEs provide the link between the TTS and the analog trunks to the ACD. ALFE is subdivided into two types for both incoming and outgoing: ALFE-A (contains the control logic, PCM bus termination, and ports for 8 trunks) and ALFE-B (contains ports for 16 trunks, but must be paired with an ALFE-A in order to use the control logic and PCM bus on the backplane). ALFE-As can be used without ALFE-Bs, but not vice versa. Incoming ALFEs support E&M 2-wire, E&M 4-wire, reverse battery, and 3-way signalling trunks. Outgoing ALFEs support E&M 2-wire, reverse battery, and high-low trunking. T1FEs provide the links between the TTS and the D3-type T1 spans from the end offices. They also link the DARU VOCAL board ports and the TTS. Each board has 24 ports in order to handle a single T1 span which carries 24 voice channels. PMAC is based on a Motorola 68000 microprocessor that directs and coordinates data flow within the PM. MPPD boards provide bus termination and the system clocks for the digital network. The MPPD contains a master and a secondary clock, which are synchronized with the frequency of an incoming T-1 span. The module also contains its own clock for use when T-1 synchronization is not available or lost. The MPPD also generates the ringing tones, busy signals, and reorder tones heard by the customer and sends the zip (alert) tone to the operator. The CC controls the interaction between the PM components and the DARU. It contains the Office Dependent Data Base (ODDB), which is a system table that describes the configuration of the TTS. The CC uses the ODDB to determine whether an incoming call is an ANI or ONI trunk. The CC sets up paths through the digital network in order to coordinate the resources of the CAIS/LAIS. It receives messages from the PMAC, stores information necessary for returning a response to the appropriate trunk, and controls message routing to and from the ARC or the operator. It also synchronizes the TTS and the Directory Assistance System (DAS) for operator-caller communications. The CC is a Power-series standalone processor that contains a central processing unit (CPU-2), based on the Motorola 68000 microprocessor. The processor also contains distributed intelligence for controlling the memory subsystem, the IO (input/output) subsystem, and the disk/tape subsystem. Each CC includes a Winchester disk drive, a quarter-inch tape drive, and additional miscellaneous hardware. DAIS II Audio Response Unit (DARU) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The DARU contains the VOCAL boards that produce automated announcements, which are compiled from a vocabulary stored in RAM. A CAIS/LAIS contains 1 to 3 DARUs, each with 48 ports. If a CAIS/LAIS houses more than one DARU, the units are multi-dropped together. One DARU is always linked to the ARCs (either directly or by modems and telephone lines) so that the announcement vocabulary can be downloaded from the ARCs if necessary. :=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=: Much of the information in this file is copied verbatim from the instructional booklet sent to me by CCI. Their documentation is extremely in-depth and well written, and, with some looking over, is easy to understand. Much of the information in here is confusing with all of the acronyms used as well as technical terms, but if you cross-reference acronyms throughout the file, you should be able to see what it stands for. Also, if you don't understand what something does, just think of it in terms of use by the telephone company in the context used and you can generally get an idea of what it does or is used for. I hope you enjoyed this file and continue to read Phrack Inc. files to learn more about the system we use and experience. Any constructive suggestions are welcomed directly or indirectly. Taran King :=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=: ==Phrack Inc.== Volume Two, Issue Eleven, Phile #7 of 12 -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#- ! ! # Hacking Primos I, II, III # ! ! # (I&II Revised) # ! ! # By Evil Jay # ! ! -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#- Author Note: Ugg! I looked at my first file after it was released and saw a lot of misspellings, errors and other screw-ups and was completely embarrassed. I did not have time to edit the file and I was also writing the second file which dealt with gaining privileges. I threw these two files at Taran King who in turn merged them together. So I humbly apologize for all of the errors in the last file. In this file I will revise the old file and continue with some more methods of gaining access and also list out some very basic commands for beginners. As I said before, if you have any questions you can reach me on any board I am currently inhabiting. Hope to hear from you... *** Gaining Access From Scratch *** I made a mistake in my last file and stated that FAM was not a default. FAM is a default, but it can be taken out by the system administrators. To get a listing of every possible account on a system, it is really quite easy. They are located in the MFD directories. Type: A MFD (Without the "<" and ">" signs) Or just: A MFD Then type LD and hit return. Now, you will see a listing of files and underneath should be a listing of directories appropriately named Directories. These directories are valid User IDs. However, I believe that directories that have an "*" character in them cannot be logged in to. *** Getting Higher Access Revised *** SYS1 is the highest system level there is. Meaning unless commands have to be entered from the supervisors terminal, you can usually do anything with an account that has SYS1 access. Also, I should clarify that SYS1 will not always be the name of the highest access available. It could be named SYSTEM or anything for that matter. You are looking for a file with the extension .CPL - look for this file under any of the SYS1 directories. When you find one, SLIST it. You are looking for a line similar to: A It could look like: A LIB XXX LIB is the directory (user id) name. XXX is the password to that directory (user id). When you have this, log into that account with the directory name and password. If your lucky you'll gain access to that account. I have noticed that a lot of high access accounts sometimes have the password XXXXXX or X. Try these, I am unsure as to whether they are actual defaults or not. Ah, the revision is done! Now some more ways to gain access... *** The Trojan Horse *** Providing you have access, you may or may not be able to edit a file in a high access directory. If you can't then try the above technique and try to hack a higher level account. You will first want to learn the Command Processing Language (CPL). Type HELP CPL for a list of commands and then play around and try to write your own programs. If you don't have a manual handy, look at other CPL programs in other directories you can access. Once you know CPL, all you have to do is edit a CPL file in a high access dir. Add your own high level commands to the program. Then replace the old file, logoff and wait until the operator(s) decide to run your program. Hopefully, if everything goes well your routines will help you with whatever you wanted. However it would be a good idea to have your TH write a file to your directory telling you whether it has been ran or not. I will discuss different Trojan Horses in later issues of Phrack. Once on a Prime it is pretty easy to get other accounts so don't worry about it. Just worry about getting on in the first place. Patience is definitely required since many systems (particularly versions 19 up) tend to hang up after the first invalid id/password combo. *** Basic Commands For Beginners *** This is a list of basic commands you can use once on a Prime system. I will not go in-depth on a command, because you can do that for yourself by typing: HELP SLIST This will list out the contents of a file on a directory. Type in the full file name (plus extension). ATTACH This will attach you to another directory. For a full explanation type HELP ATTACH. LD This will list all the files and subdirectories in a directory. RLS -ALL Commands add up on the stack, and eventually after a pre-determined amount of commands you will get a message telling you that you are "now at command level XX". This command will release all those pent up commands in the stack. CPL This will run a file with the extension ".CPL". COMINPUT This will run a file with the extension ".COM" SEG This will run a file with the extension ".SEG" STATUS USERS This will give you a listing of users and other information currently on the system. STATUS This will give you the status of the system and other information. EDIT (Or ED) This is a text editor. CHANGE_PASSWORD Does just what it says it does. DELETE Deletes a file. LOGOFF I think this is pretty obvious. LOGIN This will log you out and take you back to the login process, providing there is no logins-over-logins set by the administrators. This is a very small list, but will probably help the beginner greatly when he/she first logs on. Hope you enjoyed this issue...Look for Hacking Primos Part IV in Phrack, 12. Mebbe'. -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#- ! ! # A Phrack,Inc # ! ! # Presentation # ! ! -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#- ========================================================================= ==Phrack Inc.== Volume Two, Issue Eleven, Phile #8 of 12 Telephone Signalling Methods ---------------------------- Written by Doom Prophet This file explains the basic signalling methods in use by the telephone system and is intended for general understanding. The text that follows is not highly technical since this file is for basic understanding and aimed at less experienced phreaks. Still, the more experienced readers may want to read it as a review on the information. Analog--Analog signals are those that have continuously and smoothly varying amplitude or frequency. Speech signals are of this type when you consider tone, pitch and volume levels that vary according to the person speaking. When a person speaks into the transmitter on a telephone, the voice signals are made up of acoustical energy, which are then converted into electrical energy for transmission along a transmission medium. Analog carrier facilities may operate over different media, such as wire lines, multi-wire cable, coaxial cable, or fiber optic cable. Copper wire is the most commonly used for subscriber loops. A technique that allows for many signals to be sent along the same transmission path is called Multiplexing. Analog signals use Frequency Division Multiplexing or FDM. Digital--Instead of the voice signal being processed as an analog signal, it is converted into a digital signal and handled with digital circuits throughout the transmission process. When it arrives at the CO that serves the called telephone, it is converted back to analog to reproduce the original voice transmission. Pulse Code Modulation or PCM is when the binary signal is transmitted in serial form. Binary coding represents bits or binary digits at 0 and 1 levels. These levels have a definite time relationship with one another. Time Division Multiplexing or TDM is the type of multiplexing, sometimes abbreviated as MUX, done for digital transmission. Metallic--Metallic facilities carry only one Voice Frequency (VF) channel. Typically, a metallic facility is used to connect business or residential lines to a CO. Coaxial cable can be used to transmit both Analog and Digital signals as well as Metallic signals. VF channels have a 4000 Hz bandwidth, from 0 to 4000 Hz. However, the in-band range of the voice frequency is between 200 and 3400 Hz. Signals that are out of this frequency range but still within the VF channel are out of band signals. A supervisory equivalent to 2600 for out of band is 3700 Hz. The amount of VF channels vary according to the transmission facilities that are being used. CCIS (Common Channel Interoffice Signalling) is where control or supervisory signals are sent on a separate data link between switching offices. CCIS links operate at 4800 bps, or baud. Signal Transfer Points in the switch send the supervisory information over the dedicated link. This prevents supervisory tones from subscriber stations to register with the telephone network as a change in trunk status. Reverse Battery Signalling- When the called end answers, the polarity and condition of the Ring and Tip leads is reversed to indicate the status of the connection. Conditions for a call being placed, but not yet answered, is ground on the Tip and battery (the CO battery current is flowing through) on the Ring. When the called party answers, by the action of relays in the switching equipment, current is reversed in the calling subscriber loop and battery is placed on the Tip and ground on the Ring, which remains during the talking. E and M- Leads connecting switching equipment to trunk circuits are termed the E and M leads, for receive and transmit. The E lead reflects the far-end or terminating end condition of the trunk. Ground on the E lead indicates that a signal has been received from the other end. The E lead is open when the trunk is idle. The M lead reflects the the near end condition of the trunk. It is grounded when the trunk is idle, and goes to battery condition when the called party goes off hook. Long interoffice and short haul toll trunks use this signalling method. It should be noted that AC signalling is Alternating Current, and is used on the intertoll network, and interoffice and short haul toll trunks. DC, or direct current, is used on two wire or intraoffice connections, and local interoffice trunks. Single Frequency (SF)- Single Frequency is an in-band 2600 Hz signalling system. When a four wire trunk is idle, and is equipped for SF in band signalling, a 2600 Hz tone is being transmitted in both directions. When the trunk is seized at an originating position, the M lead is changed from ground to battery state. This removes the 2600 Hz supervisory tone from the outgoing trunk pair. The loss of the 2600 Hz will be detected at the far end by the SF signalling unit, changing the far end E lead condition from open to ground, causing switching equipment to function. When ground is restored to the M lead, replacing 2600 on the near end trunk, the pulsing of address information begins. Multi-Frequency (MF)- The MF pulsing method uses AC signals in the voice frequency range, and transmits address information between COs by combinations of only 2 of 5 frequencies. MF is used for the sending of address information, as mentioned before. Other signalling methods are still required for trunk control and supervision. There are six MFs comprising MF codes. These are 200 Hz apart in the 700-1700 range. Two frequencies are sent at once, thus explaining the term 'Multi frequency.' MF pulsing is initiated by manual keysets and the TSPS switchboard, or by MF outpulsing senders in ESS and Xbar. MF pulsing is very rapid and only occurs when a connection is being established. KPs, or Key Pulses, are used as a signal to start MF pulsing. STs, or STart tones are used as a signal to indicate the end of MF pulsing. As an example of MF signalling, take a toll switchboard trunk connected to a Xbar Central Office. The operator selects an idle trunk, and presses the KP button on the keyset to signal the distant sender or register link equipment to connect to a MF receiver. The S lamp on the keyset will light when the far end is ready to receive MF pulses. After keypulsing the digits of the called number, the operator presses the ST button, which indicates the end of pulsing and disconnects the keyset from the operator's cord circuit and extinguishes the KP and S lamps. At the terminating CO, the two MF tones of each digit are amplified and limited in the MF receiver unit associated with the incoming sender and register circuit. The frequencies are selected by channel filters in the MF receiver and then detected. The DC voltage that results will operate the proper channel relays to continue with the process of placing the call. Written in July of 1986 ==Phrack Inc.== Volume Two, Issue Eleven, Phile #9 of 12 -------------------------------------------------------------------------- The following is reprinted from the November 1985 issue of Personal Communications Technology magazine by permission of the authors and the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct., Fairfax, VA 22032, 703/352-1200. Copyright 1985 by FutureComm Publications Inc. All rights reserved. -------------------------------------------------------------------------- THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'? 'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr. What's the greatest security problem with cellular phones? Is it privacy of communications? No. Although privacy is a concern, it will pale beside an even greater problem: spoofing. 'Spoofing' is the process through which an agent (the 'spoofer') pretends to be somebody he isn't by proffering false identification, usually with intent to defraud. This deception, which cannot be protected against using the current U.S. cellular standards, has the potential to create a serious problem--unless the industry takes steps to correct some loopholes in the present cellular standards. Compared to spoofing, the common security concern of privacy is not so severe. Most cellular subscribers would, at worst, be irked by having their conversational privacy violated. A smaller number of users might actually suffer business or personal harm if their confidential exchanges were compromised. For them, voice encryption equipment is becoming increasingly available if they are willing to pay the price for it. Thus, even though technology is available now to prevent an interloper from overhearing sensitive conversations, cellular systems cannot--at any cost--prevent pirates from charging calls to any account. This predicament is not new to the industry. Even though cellular provides a modern, sophisticated quality mobile communications service, it is not fundamentally much safer than older forms of mobile telephony. History of Spoofing Vulnerability The earliest form of mobile telephony, unsquelched manual Mobile Telephone Service (MTS), was vulnerable to interception and eavesdropping. To place a call, the user listened for a free channel. When he found one, he would key his microphone to ask for service: 'Operator, this is Mobile 1234; may I please have 555-7890.' The operator knew to submit a billing ticket for account number 1234 to pay for the call. So did anybody else listening to the channel--hence the potential for spoofing and fraud. Squelched channel MTS hid the problem only slightly because users ordinarily didn't overhear channels being used by other parties. Fraud was still easy for those who turned off the squelch long enough to overhear account numbers. Direct-dial mobile telephone services such as Improved Mobile Telephone Service (IMTS) obscured the problem a bit more because subscriber identification was made automatically rather than by spoken exchange between caller and operator. Each time a user originated a call, the mobile telephone transmitted its identification number to the serving base station using some form of Audio Frequency Shift Keying (AFSK), which was not so easy for eavesdroppers to understand. Committing fraud under IMTS required modification of the mobile--restrapping of jumpers in the radio unit, or operating magic keyboard combinations in later units--to reprogram the unit to transmit an unauthorized identification number. Some mobile control heads even had convenient thumb wheel switches installed on them to facilitate easy and frequent ANI (Automatic Number Identification) changes. Cellular Evolution Cellular has evolved considerably from these previous systems. Signaling between mobile and base stations uses high-speed digital techniques and involves many different types of digital messages. As before, the cellular phone contains its own Mobile Identification Number (MIN), which is programmed by the seller or service shop and can be changed when, for example, the phones sold to a new user. In addition, the U.S. cellular standard incorporates a second number, the 'Electronic Serial Number' (ESN), which is intended to uniquely and permanently identify the mobile unit. According to the Electronic Industries Association (EIA) Interim Standard IS-3-B, Cellular System Mobile Station--Land Station Compatibility Specification (July 1984), 'The serial number is a 32-bit binary number that uniquely identifies a mobile station to any cellular system. It must be factory-set and not readily alterable in the field. The circuitry that provides the serial number must be isolated from fraudulent contact and tampering. Attempts to change the serial number circuitry should render the mobile station inoperative.' The ESN was intended to solve two problems the industry observed with its older systems. First, the number of subscribers that older systems could support fell far short of the demand in some areas, leading groups of users to share a single mobile number (fraudulently) by setting several phones to send the same identification. Carriers lost individual user accountability and their means of predicting and controlling traffic on their systems. Second, systems had no way of automatically detecting use of stolen equipment because thieves could easily change the transmitted identification. In theory, the required properties of the ESN allow cellular systems to check to ensure that only the correctly registered unit uses a particular MIN, and the ESNs of stolen units can be permanently denied service ('hot-listed'). This measure is an improvement over the older systems, but vulnerabilities remain. Ease of ESN Tampering Although the concept of the unalterable ESN is laudable in theory, weaknesses are apparent in practice. Many cellular phones are not constructed so that 'attempts to change the serial number circuitry renders the mobile station inoperative.' We have personally witnessed the trivial swapping of one ESN chip for another in a unit that functioned flawlessly after the switch was made. Where can ESN chips be obtained to perform such a swap? We know of one recent case in the Washington, D.C. area in which an ESN was 'bought' from a local service shop employee in exchange for one-half gram of cocaine. Making the matter simpler, most manufacturers are using industry standard Read-Only Memory (ROM) chips for their ESNs, which are easily bought and programmed or copied. Similarly, in the spirit of research, a west coast cellular carrier copied the ESN from one manufacturer's unit to another one of the same type and model--thus creating two units with the exact same identity. The ESN Bulletin Board For many phones, ESN chips are easy to obtain, program, and install. How does a potential bootlegger know which numbers to use? Remember that to obtain service from a system, a cellular unit must transmit a valid MIN (telephone number) and (usually) the corresponding serial number stored in the cellular switch's database. With the right equipment, the ESN/MIN pair can be read right off the air because the mobile transmits it each time it originates a call. Service shops can capture this information using test gear that automatically receives and decodes the reverse, or mobile-to-base, channels. Service shops keep ESN/MIN records on file for units they have sold or serviced, and the carriers also have these data on all of their subscribers. Unscrupulous employees could compromise the security of their customers' telephones. In many ways, we predict that 'trade' in compromised ESN/MIN pairs will resemble what currently transpires in the long distance telephone business with AT&T credit card numbers and alternate long-distance carrier (such as MCI, Sprint and Alltel) account codes. Code numbers are swapped among friends, published on computer 'bulletin boards' and trafficked by career criminal enterprises. Users whose accounts are being defrauded might--or might not--eventually notice higher-than-expected bills and be reassigned new numbers when they complain to the carrier. Just as in the long distance business, however, this number 'turnover' (deactivation) won't happen quickly enough to make abuse unprofitable. Catching pirates in the act will be even tougher than it is in the wireline telephone industry because of the inherent mobility of mobile radio. Automating Fraud Computer hobbyists and electronics enthusiasts are clever people. Why should a cellular service thief 'burn ROMs' and muck with hardware just to install new IDs in his radio? No Herculean technology is required to 'hack' a phone to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb wheel switches described above. Those not so technically inclined may be able to turn to mail-order entrepreneurs who will offer modification kits for cellular fraud, much as some now sell telephone toll fraud equipment and pay-TV decoders. At least one manufacturer is already offering units with keyboard-programmable MINs. While intended only for the convenience of dealers and service shops, and thus not described in customer documentation, knowledgeable and/or determined end users will likely learn the incantations required to operate the feature. Of course this does not permit ESN modification, but easy MIN reprogrammability alone creates a tremendous liability in today's roaming environment. The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It would monitor reverse setup channels and snarf ESN/MIN pairs off the air, keeping a list in memory. Its owner could place calls as on any other cellphone. The Cache-Box would automatically select an ESN/MIN pair from its catalog, use it once and then discard it, thus distributing its fraud over many accounts. Neither customer nor service provider is likely to detect the abuse, much less catch the perpetrator. As the history of the computer industry shows, it is not far-fetched to predict explosive growth in telecommunications and cellular that will bring equipment prices within reach of many experimenters. Already we have seen the appearance of first-generation cellular phones on the used market, and new units can be purchased for well under $1000 in many markets. How High The Loss? Subscribers who incur fraudulent charges on their bills certainly can't be expected to pay them. How much will fraud cost the carrier? If the charge is for home-system airtime only, the marginal cost to the carrier of providing that service is not as high as if toll charges are involved. In the case of toll charges, the carrier suffers a direct cash loss. The situation is at its worst when the spoofer pretends to be a roaming user. Most inter-carrier roaming agreements to date make the user's home carrier (real or spoofed) responsible for charges, who would then be out hard cash for toll and airtime charges. We have not attempted to predict the dollar losses this chicanery might generate because there isn't enough factual information information for anyone to guess responsibly. Examination of current estimates of long-distance-toll fraud should convince the skeptic. Solutions The problems we have described are basically of two types. First, the ESN circuitry in most current mobiles is not tamper-resistant, much less tamper-proof. Second and more importantly, the determined perpetrator has complete access to all information necessary for spoofing by listening to the radio emissions from valid mobiles because the identification information (ESN/MIN) is not encrypted and remains the same with each transmission. Manufacturers can mitigate the first problem by constructing mobiles that more realistically conform to the EIA requirements quoted above. The second problem is not beyond solution with current technology, either. Well-known encryption techniques would allow mobiles to identify themselves to the serving cellular system without transmitting the same digital bit stream each time. Under this arrangement, an interloper receiving one transmission could not just retransmit the same pattern and have it work a second time. An ancillary benefit of encryption is that it would reasonably protect communications intelligence--the digital portion of each transaction that identifies who is calling whom when. The drawback to any such solution is that it requires some re-engineering in the Mobile-Land Station Compatibility Specification, and thus new software or hardware for both mobiles and base stations. The complex logistics of establishing a new standard, implementing it, and retrofitting as much of the current hardware as possible certainly presents a tough obstacle, complicated by the need to continue supporting the non-encrypted protocol during a transition period, possibly forever. The necessity of solving the problem will, however, become apparent. While we presently know of no documented cases of cellular fraud, the vulnerability of the current standards and experience with similar technologies lead us to conclude that it is inevitable. Failure to take decisive steps promptly will expose the industry to a far more expensive dilemma. XXX Geoffrey S. Goodfellow is a member of the senior research staff in the Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025, 415/859-3098. He is a specialist in computer security and networking technology and is an active participant in cellular industry standardization activities. He has provided Congressional testimony on telecommunications security and privacy issues and has co-authored a book on the computer 'hacking' culture. Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an independent consultant with expertise in security and privacy, computer operating systems, telecommunications and technology management. He is an active participant in cellular standardization efforts. He was previously a member of the senior staff at The Johns Hopkins University, after he obtained his BES/EE from Johns Hopkins. Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680. He has played a leading role internationally in cellular technology development. He was with Motorola for 10 years prior to joining American TeleServices, where he designed and engineered the Baltimore/Washington market trial system now operated by Cellular One. -------- A later note indicates that one carrier may be losing something like $180K per month.... ==Phrack Inc.== Volume Two, Issue Eleven, Phile #10 of 12 BUSY LINE VERIFICATION WRITTEN BY PHANTOM PHREAKER This file describes how a TSPS operator does a BLV (Busy Line Verification) and an EMER INT (Emergency Interrupt) upon a busy line that a customer has requested to be 'broken' into. I have written this file to hopefully clear up all the misconceptions about Busy Line Verification and Emergency Interrupts. BLV is 'Busy Line Verification'. That is, discovering if a line is busy/not busy. BLV is the telco term, but it has been called Verification, Autoverify, Emergency Interrupt, break into a line, REMOB, and others. BLV is the result of a TSPS that uses a Stored Program Control System (SPCS) called the Generic 9 program. Before the rise of TSPS in 1969, cordboard operators did the verification process. The introduction of BLV via TSPS brought about more operator security features. The Generic 9 SPCS and hardware was first installed in Tucson, Daytona, and Columbus, Ohio, in 1979. By now virtually every TSPS has the Generic 9 program. A TSPS operator does the actual verification. If caller A was in the 815 Area code, and caller B was in the 314 Area code, A would dial 0 to reach a TSPS in his area code, 815. Now, A, the customer, would tell the operator he wished an emergency interrupt on B's number, 314+555+1000. The 815 TSPS op who answered A's call cannot do the interrupt outside of her own area code, (her service area), so she would call an Inward Operator for B's area code, 314, with KP+314+TTC+121+ST, where the TTC is a Terminating Toll Center code that is needed in some areas. Now a TSPS operator in the 314 area code would be reached by the 815 TSPS, but a lamp on the particular operators console would tell her she was being reached with an Inward routing. The 815 operator then would say something along the lines of she needed an interrupt on 314+555+1000, and her customers name was J. Smith. Now, the 314 Inward (which is really a TSPS) would dial B's number, in a normal Operator Direct Distance Dialing (ODDD) fashion. If the line wasn't busy, then the 314 Inward would report this to the 815 TSPS, who would then report to the customer (caller A) that 314+555+1000 wasn't busy and he could call as normal. However if the given number (in this case, 314+555+1000) was busy, then several things would happen and the process of BLV and EMER INT would begin. The 314 Inward would seize a Verification trunk (or BLV trunk) to the toll office that served the local loop of the requested number (555+1000). Now another feature of TSPS checks the line asked to be verified against a list of lines that can't be verified, such as radio stations, police, etc. If the line number a customer gives is on the list then the verification cannot be done, and the operator tells the customer. Now the TSPS operator would press her VFY (VeriFY) key on the TSPS console, and the equipment would outpulse (onto the BLV trunk) KP+0XX+PRE+SUFF+ST. The KP being Key Pulse, the 0XX being a 'screening code' that protects against trunk mismatching, the PRE being the Prefix of the requested number (555), the SUFF being the Suffix of the requested number (1000), and the ST being STart, which tells the Verification trunk that no more MF digits follow. The screening code is there to keep a normal Toll Network (used in regular calls) trunk from accidentally connecting to a Verification trunk. If this screening code wasn't present, and a trunk mismatch did occur, someone calling a friend in the same area code might just happen to be connected to his friends line, and find himself in the middle of a conversation. But, the Verification trunk is waiting for an 0XX sequence, and a normal call on a Toll Network trunk does not outpulse an 0XX first. (Example: You live at 914+555+1000, and wish to call 914+666+0000. The routing for your call would be KP+666+0000+ST. The BLV trunk cannot accept a 666 in place of the proper 0XX routing, and thus would give the caller a re-order tone.) Also, note that the outpulsing sequence onto a BLV trunk can't contain an Area Code. This is the reason why if a customer requests an interrupt outside of his own NPA, the TSPS operator must call an Inward for the area code that can outpulse onto the proper trunk. If a TSPS in 815 tried to do an interrupt on a trunk in 314, it would not work. This proves that there is a BLV network for each NPA, and if you somehow gain access to a BLV trunk, you could only use it for interrupts within the NPA that the trunk was located in. BLV trunks 'hunt' to find the right trunks to the right Class 5 End Office that serves the given local loop. The same outpulsing sequence is passed along BLV trunks until the BLV trunk serving the Toll Office that serves the given End Office is found. There is usually one BLV trunk per 10,000 lines (exchange). So, if a Toll Office served ten End Offices, that Toll Office would have 100,000 local loops that it served, and have 10 BLV trunks running from TSPS to that Toll Office. Now, the operator (in using the VFY key) can hear what is going on on the line, (modem, voice, or a permanent signal, indicating a phone off-hook) and take appropriate action. She can't hear what's taking place on the line clearly, however. A speech scrambler circuit within the operator console generates a scramble on the line while the operator is doing a VFY. The scramble is there to keep operators from listening in on people, but it is not enough to keep an op from being able to tell if a conversation, modem signal, or a dial tone is present upon the line. If the operator hears a permanent signal, she can only report back to the customer that either the phone is off-hook, or there is a problem with the line, and she can't do anything about it. In the case of caller A and B, the 314 Inward would tell the 815 TSPS, and the 815 TSPS would tell the customer. If there is a conversation on line, the operator presses a key marked EMER INT (EMERgency INTerrupt) on her console. This causes the operator to be added into a three way port on the busy line. The EMER INT key also deactivates the speech scrambling circuit and activates an alerting tone that can be heard by the called customer. The alerting tone that is played every 10 seconds tells the customer that an operator is on the line. Some areas don't have the alerting tone, however. Now, the operator would say 'Is this XXX-XXXX?' where XXX-XXXX would be the Prefix and Suffix of the number that the original customer requesting the interrupt gave the original TSPS. The customer would confirm the operator had the correct line. Then the Op says 'You have a call waiting from (customers name). Will you accept?'. This gives the customer the chance to say 'Yes' and let the calling party be connected to him, while the previous party would be disconnected. If the customer says 'No', then the operator tells the person who requested the interrupt that the called customer would not accept. The operator can just inform the busy party that someone needed to contact him or her, and have the people hang up, and then notify the requesting customer that the line is free. Or, the operator can connect the calling party and the interrupted party without loss of connection. The charges for this service (in my area at least) run 1.00 for asking the operator to interrupt a phone call so you can get through. There is an .80 charge if you ask the operator to verify whether the phone you're trying to reach is busy because of a service problem or because of a conversation. If the line has no conversation on it, there will be no charge for the verification. When the customer who initiated the emergency interrupt gets his telephone bill, the charges for the interrupt call will look similar to this: 12-1 530P INTERRUPT CL 314 555 1000 OD 1 1.00 The 12-1 is December first of the current year; 530P is the time the call was made to the operator requesting an interrupt; INTERRUPT CL is what took place, that is, an interrupt call; 314 555 1000 is the number requested; OD stands for Operator Dialed; the 1 is the length of the call (in minutes); and the 1.00 is the charge for the interrupt. The format may be different, depending upon your area and telephone company. One thing I forgot to mention about TSPS operators. In places where a Remote Trunking Arrangement is being used, and even places where they aren't in use, you may be connected to a TSPS operator in a totally different area code. In such a case, the TSPS that you reach in a Foreign NPA will call up an inward operator for your Home NPA, if the line you requested an EMER INT on was in your HNPA. If the line you requested EMER INT on was in the same NPA of the TSPS that you had reached, then no inward operator would be needed and the answering operator could do the entire process. Verification trunks seem to be only accessible by a TSPS/Inward operator. However, there have been claims to people doing Emergency Interrupts with blue boxes. I don't know how to accomplish an EMER INT without the assistance of an operator, and I don't know if it can be done. If you really wish to participate in a BLV/EMER INT, call up an Inward Operator and play the part of a TSPS operator who needs an EMER INT upon a pre-designated busy line. Billing is handled at the local TSPS so you will not have to supply a billing number if you decide to do this. If you find any errors in this file, please try to let me know about it, and if you find out any other information that I haven't included, feel free to comment. -End of file- ==Phrack Inc.== Volume Two, Issue Eleven, Phile #11 of 12 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN *>=-{ Phrack World News }-=<* PWN PWN PWN PWN Issue X PWN PWN PWN PWN Written, Compiled, and Edited PWN PWN by Knight Lightning PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Scan Man Revisited January 19, 1987 ------------------ The following is a reprint from TeleComputist Newsletter Issue Two; SCAN MAN - FED OR PHREAK? (The Other Side) TeleComputist is printing the statement Scan Man has made to us [TeleComputist] in rebuttal to Phrack World News, whom previously printed an article concerning Scan Man in Phrack Issue VIII. Those of you who have seen or read the article in Phrack VIII know that it basically covered information and an intercepted memo alleging Scan Man of going after hackers and turning in codes off his BBS (P-80 Systems, Charleston, West Virginia 304/744-2253) as a TMC employee. Please note that this statement should be read with the article concerning Scan Man in Phrack Issue VIII to get the full understanding. Scan Man started off his statement claiming not to work for TMC, but instead for a New York branch office of Telecom Management (a Miami based firm). He was flown in from Charleston, West Virginia to New York every week for a four to five day duration. Once in New York, Telecom Management made available a leased executive apartment where Scan Man stayed as he worked. His position in Telecom Management was that of a systems analyst, "...and that was it!" Scan Man stated. Scan Man also stated that he had never made it a secret that he was working in New York and had even left messages on his BBS saying this. He also went on to say that he had no part in the arrest of Shawn [of Phreaker's Quest] (previously known as Captain Caveman) by TMC in Las Vegas. Scan Man claimed to have no ties with TMC in Las Vegas and that they would not even know him. Scan Man then went on to say that Shawn had never replied to previous messages Scan man had left asking for TMC codes. Scan Man also said that the messages about TMC were in no way related to him. He claimed to have no ties to TMC, which is a franchised operation which makes even TMC unrelated except by name. Scan Man stated that he called Pauline Frazier and asked her about the inquiry by Sally Ride [:::Space Cadet] who acted as an insider to obtain the information in Phrack VIII. He said that Pauline said nothing to the imposter (Sally Ride) and merely directed him to a TMC employee named Kevin Griffo. Scan Man then went on to say that the same day Sally Ride called Pauline Frazier was the same day he received his notice. And to that Scan Man made the comment, "If I find out this is so heads will roll!" After that comment, Scan Man came up with arguments of his own, starting off with the dates printed in Phrack VIII. He claimed that the dates were off and backed this up by saying Ben Graves had been fired six months previously to the conversation with Sally Ride. Scan Man then went on to ask why it had taken Sally Ride so long to come forward with his information. Scan Man made one last comment, "It's a fucking shame that there is a social structure in the phreak world!" Meaning Sally Ride merely presented his information to give himself a boost socially in the phreak world. This is how it ended. We would like to say that TeleComputist printed the statement by Scan Man to offer both sides of the story. We make no judgements here and take no sides. Reprinted with permission from TeleComputist Newsletter Issue 2 Copyright (C) 1986 by J. Thomas. All Rights Reserved - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Ok, that was Scan Man's side to the story, now that he had a few months to come up with one. Lets do a critical breakdown; -*- "He was flown in from Charleston, West Virginia to New York every week for a four to five day duration." Gee, wouldn't that get awfully expensive? Every week...and "made available a leased executive apartment..." He must have been quite an asset to "Telecom Management" for them to spend such large amounts on him. Kinda interesting that he lived in Charleston, West Virginia (where surprisingly enough there is a branch of TMC) and flew to New York every week. -*- "Scan Man claimed to have no ties with TMC in Las Vegas..." Ok, I'll buy that. Notice how he didn't say that he had no ties with TMC in Charleston. Furthermore if he had no ties with TMC in Charleston why would they have his name in their company records? Why would all those employees know him or dislike him for that matter? -*- "Scan Man then went on to say that the same day Sally Ride called Pauline Frazier was the day he received his notice." Well now, how can there be a connection between the two events at all when Scan Man works for Telecom Management and has "no ties with TMC" and claimed "not to work for TMC"? If TMC and Telecom Management are truly independent of each other then nothing Sally Ride said to Pauline Frazier could have affected him in ANY way. That is unless he did work for TMC in the first place. -*- "...and back this up by saying that Ben Graves had been fired six months previously to the conversation with Sally Ride." Well first of all, PWN did not give a date as to when Ben Graves was fired from TMC. Second of all and more important, how does Scan Man know so much about TMC when he works for "Telecom Management" and has "...no ties with TMC..."? The rest of his statements were highly debatable and he showed no proof as to their validity. As for why Sally Ride waited so long to come forward, well he didn't wait that long at all, he came forward to myself in late May/early June of 1986. My decision was to do nothing because there wasn't enough proof. After three months of research we had enough proof and the article was released. With this attempt to cover up the truth, Scan Man has only given more ammunition to the idea that he isn't what he claims to be. Special Thanks to TeleComputist Newsletter ______________________________________________________________________________ The Cracker Cracks Up? December 21, 1986 ---------------------- "Computer 'Cracker' Is Missing -- Is He Dead Or Is He Alive" By Tom Gorman of The Los Angeles Times ESCONDIDO, Calif. -- Early one morning in late September, computer hacker Bill Landreth pushed himself away from his IBM-PC computer -- its screen glowing with an uncompleted sentence -- and walked out the front door of a friend's home here. He has not been seen or heard from since. The authorities want him because he is the "Cracker", convicted in 1984 of breaking into some of the most secure computer systems in the United States, including GTE Telemail's electronic mail network, where he peeped at NASA Department of Defense computer correspondence. He was placed on three years' probation. Now his probation officer is wondering where he is. His literary agent wants him because he is Bill Landreth the author, who already has cashed in on the successful publication of one book on computer hacking and who is overdue with the manuscript of a second computer book. The Institute of Internal Auditors wants him because he is Bill Landreth the public speaker who was going to tell the group in a few months how to make their computer systems safer from people like him. Susan and Gulliver Fourmyle want him because he is the eldest of their eight children. They have not seen him since May 1985, when they moved away from Poway in northern San Diego county, first to Alaska then to Maui where they now live. His friends want him because he is crazy Bill Landreth, IQ 163, who has pulled stunts like this before and "disappeared" into the night air -- but never for more than a couple of weeks and surely not for 3 months. They are worried. Some people think Landreth, 21, has committed suicide. There is clear evidence that he considered it -- most notably in a rambling eight-page discourse that Landreth wrote during the summer. The letter, typed into his computer, then printed out and left in his room for someone to discover, touched on the evolution of mankind, prospects for man's immortality and the defeat of the aging process, nuclear war, communism versus capitalism, society's greed, the purpose of life, computers becoming more creative than man and finally -- suicide. The last page reads: "As I am writing this as of the moment, I am obviously not dead. I do, however, plan on being dead before any other humans read this. The idea is that I will commit suicide sometime around my 22nd birthday..." The note explained: "I was bored in school, bored traveling around the country, bored getting raided by the FBI, bored in prison, bored writing books, bored being bored. I will probably be bored dead, but this is my risk to take." But then the note said: "Since writing the above, my plans have changed slightly.... But the point is, that I am going to take the money I have left in the bank (my liquid assets) and make a final attempt at making life worthy. It will be a short attempt, and I do suspect that if it works out that none of my current friends will know me then. If it doesn't work out, the news of my death will probably get around. (I won't try to hide it.)" Landreth's birthday is December 26 and his best friend is not counting on seeing him again. "We used to joke about what you could learn about life, especially since if you don't believe in a God, then there's not much point to life," said Tom Anderson, 16, a senior at San Pasqual High School in Escondido, about 30 miles north of San Diego. Anderson also has been convicted of computer hacking and placed on probation. Anderson was the last person to see Landreth. It was around September 25 -- he does not remember exactly. Landreth had spent a week living in Anderson's home so the two could share Landreth's computer. Anderson's IBM-PC had been confiscated by authorities, and he wanted to complete his own book. Anderson said he and Landreth were also working on a proposal for a movie about their exploits. "He started to write the proposal for it on the computer, and I went to take a shower," Anderson said. "When I came out, he was gone. The proposal was in mid-sentence. And I haven't seen him since." Apparently Landreth took only his house key, a passport, and the clothes on his back. Anderson said he initially was not concerned about Landreth's absence. After all this was the same Landreth who, during the summer, took off for Mexico without telling anyone -- including friends he had seen just the night before -- of his departure. But concern grew by October 1, when Landreth failed to keep a speaking engagement with a group of auditors in Ohio, for which he would have received $1,000 plus expenses. Landreth may have kept a messy room and poor financial records, but he was reliable enough to keep a speaking engagement, said his friends and literary agent, Bill Gladstone, noting that Landreth's second manuscript was due in August and had not yet been delivered. But, the manuscript never came and Landreth has not reappeared. Steve Burnap, another close friend, said that during the summer Landreth had grown lackadaisical toward life. "He just didn't seem to care much about anything anymore." Typed for PWN by Druidic Death From The Dallas Times Herald ______________________________________________________________________________ Beware The Hacker Tracker December, 1986 ------------------------- By Lamont Wood of Texas Computer Market Magazines If you want to live like a spy in your own country, you don't have to join the CIA or the M15 or the KGB. You can track hackers, like John Maxfield of Detroit. Maxfield is a computer security consultant running a business called BoardScan, which tracks hackers for business clients. He gets occasional death threats and taunting calls from his prey, among whom he is known as the "hacker tracker," and answers the phone warily. And although he has received no personal harassment, William Tener, head of data security for the information services division of TRW, Inc., has found it necessary to call in experts in artificial intelligence from the aerospace industry in an effort to protect his company's computer files. TRW is a juicy target for hackers because the firm stores personal credit information on about 130 million Americans and 11 million businesses -- data many people would love to get hold of. Maxfield estimates that the hacker problem has increased by a factor of 10 in the last four years, and now seems to be doubling every year. "Nearly every system can be penetrated by a 14-year old with $200 worth of equipment," he complains. "I have found kids as young as nine years old involved in hacking. If such young children can do it, think of what an adult can do." Tener estimates that there are as many as 5,000 private computer bulletin boards in the country, and that as many as 2,000 are hacker boards. The rest are as for uses as varied as club news, customer relations, or just as a hobby. Of the 2,000 about two dozen are used by "elite" hackers, and some have security features as good as anything used by the pentagon, says Maxfield. The number of hackers themselves defies estimation, if only because the users of the boards overlap. They also pass along information from board to board. Maxfield says he has seen access codes posted on an east coast bulletin board that appeared on a west coast board less than an hour later, having passed through about ten boards in the meantime. And within hours of the posting of a new number anywhere, hundreds of hackers will try it. "Nowadays, every twerp with a Commodore 64 and a modem can do it, all for the ego trip of being the nexus for forbidden knowledge," sighs a man in New York City, known either as "Richard Cheshire" or "Chesire Catalyst" -- neither is his real name. Cheshire was one of the earliest computer hackers, from the days when the Telex network was the main target, and was the editor of TAP, a newsletter for hackers and phone "phreaks". Oddly enough, TAP itself was an early victim of the hacker upsurge. "The hacker kids had their bulletin boards and didn't need TAP -- we were technologically obsolete," he recalls. So who are these hackers and what are they doing? Tener says most of the ones he has encountered have been 14 to 18 year old boys, with good computer systems, often bright, middle class, and good students. They often have a reputation for being loners, if only because they spend hours by themselves at a terminal, but he's found out-going hacker athletes. But Maxfield is disturbed by the sight of more adults and criminals getting involved. Most of what the hackers do involves "theft of services" -- free access to Compuserve, The Source, or other on-line services or corporate systems. But, increasingly, the hackers are getting more and more into credit card fraud. Maxfield and Cheshire describe the same process -- the hackers go through trash bins outside businesses whose computer they want to break into looking for manuals or anything that might have access codes on it. They may find it, but they also often find carbon copies of credit card sales slips, from which they can read credit card numbers. They use these numbers to order merchandise -- usually computer hardware -- over the phone and have it delivered to an empty house in their neighborhood, or to a house where nobody is home during the day. Then all they have to do is be there when the delivery truck arrives. "We've only been seeing this in the last year," Maxfield complains. "But now we find adults running gangs of kids who steal card numbers for them. The adults resell the merchandise and give the kids a percentage of the money." It's best to steal the card number of someone rich and famous, but since that's usually not possible it's a good idea to be able to check the victim's credit, because the merchant will check before approving a large credit card sale. And that's what makes TRW such a big target -- TRW has the credit files. And the files often contain the number of any other credit cards the victim owns, Maxfield notes. The parents of the hackers, meanwhile, usually have no idea what their boy is up to -- he's in his room playing, so what could be wrong? Tener recalls a case where the parents complained to the boy about the high phone bill one month. And the next month the bill was back to normal. And so the parents were happy. But the boy had been billing the calls to a stolen telephone company credit card. "When it happens the boy is caught and taken to jail, you usually see that the parents are disgruntled at the authorities -- they still think that Johnny was just playing in his bedroom. Until, of course, they see the cost of Johnny's play time, which can run $50,000 to $100,000. But outside the cost, I have never yet seen a parent who was really concerned that somebody's privacy has been invaded -- they just think Johnny's really smart," Tener says. TRW will usually move against hackers when they see a TRW file or access information on a bulletin board. Tener says they usually demand payment for their investigation costs, which average about $15,000. Tales of the damage hackers have caused often get exaggerated. Tener tells of highly publicized cases of hackers who, when caught, bragged about breaking into TRW, when no break-ins had occurred. But Maxfield tells of two 14-year old hackers who were both breaking into and using the same corporate system. They had an argument and set out to erase each other's files, and in the process erased other files that cost about a million dollars to replace. Being juveniles, they got off free. After being caught, Tener says most hackers find some other hobby. Some, after turning 18, are hired by the firms they previously raided. Tener says it rare to see repeat offenders, but Maxfield tells of one 14-year-old repeat offender who was first caught at age 13. Maxfield and Tener both make efforts to follow the bulletin boards, and Maxfield even has a network of double agents and spies within the hacker community. Tener uses artificial intelligence software to examine the day's traffic to look for suspicious patterns. TRW gets about 40,000 inquiries an hour and has about 25,000 subscribers. But that does not address the underlying problem. "The real problem is that these systems are not well protected, and some can't be protected at all," Maxfield says. Cheshire agrees. "A lot of companies have no idea what these kids can do to them," he says. "If they would make access even a little difficult the kids will go on to some other system." As for what else can be done, he notes that at MIT the first thing computer students are taught is how to crash the system. Consequently, nobody bothers to do it. But the thing that annoys old-timer Cheshire (and Maxfield as well) is that the whole hacker-intruder-vandal-thief phenomenon goes against the ideology of the original hackers, who wanted to explore systems, not vandalize them. Cheshire defines the original "hacker ethic" as the belief that information is a value-free resource that should be shared. In practice, it means users should add items to files, not destroy them, or add features to programs, rather than pirate them. "These kids want to make a name for themselves, and they think that they need to do something dirty to do that. But they do it just as well by doing something clever, such as leaving a software bug report on a system," he notes. Meanwhile, Maxfield says we are probably stuck with the problem at least until the phone systems converts to digital technology, which should strip hackers of anonymity by making their calls easy to trace. Until someone figures out how to hack digital phone networks, of course. -TCM Typed for PWN by Druidic Death ______________________________________________________________________________ ==Phrack Inc.== Volume Two, Issue Eleven, Phile #12 of 12 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN *>=-{ Phrack World News }-=<* PWN PWN PWN PWN Issue XI PWN PWN PWN PWN Written, Compiled, and Edited PWN PWN by Knight Lightning PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Computer Bulletin Boards January 8, 1986 ------------------------ By The KTVI Channel 2 News Staff in St. Louis Please keep in mind that Karen and Russ are anchor persons at KTVI. All comments in []s are by me.-KL - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Karen: If Santa Claus brought you a computer for Christmas, beware of seeing a few things you may not have bargained for. Computer bulletin boards have spread by the thousands over the past few years and now some people are concerned that the electronic messages may have gotten a bit out of hand. Russ: In its simplest definition, a computer bulletin board is a program or message that can be accessed by other computers via telephone lines. Anyone who has a home computer and a modem can receive and transmit to computer bulletin boards. There are thousands of them nationwide, but some are causing quite a stink [What a profound statement Russ]. [Flash to a picture of a geeky looking teenager] Meet Jason Rebbe, he is a 16 year old computer whiz who a few months ago accidentally tapped into a bulletin board called Dr. Doom's Castle. [Sorry to break in here Russ, but why is this guy a computer whiz? Just because he has a computer? Hey Russ, look a little closer, isn't Jason sitting in front of a Commodore-64? I thought so. Oh yeah one other thing, this BBS Dr. Doom's Castle has no known relation to Dr. Doom (512) or Danger Zone Private.] Dr. Doom gives instructions on how to build bombs and guns [Lions and Tigers and Bears, oh my!]. Jason found the recipe for smoke bombs and tried to make one in his kitchen, it didn't work. [Ba ha ha]. Jason: I heard an explosion in the basement first and that's when I knew something was wrong. I thought it would be really neat to just set it off someday when there was a lot of people around, just as a joke or a prank. [Yeah, that would be K-Rad d00d!]. I didn't expect it to blow up my house. Russ: Jason wasn't hurt, but it cost about 2 grand [that's $2,000 to you and me] to repair the kitchen. Jason's dad didn't take it well. Bob Holloway: Mad wasn't the word for it. I, I was, I was past mad. Russ: Mr. Holloway called Southwestern Bell and AT&T to see what could be done about bulletin boards like Dr. Doom's Castle. The answer was nothing. The Bureau of Alcohol, Tobacco, and Firearms said the same thing. Daniel Hoggart (Bureau of Alcohol, Tobacco, and Firearms): There is no violation in publishing the information. The violation only occurs when someone actually follows through on the instructions and actually constructs a bomb. Russ: Another bulletin board that is becoming more and more prevalent these days is the Aryian Nation. This one [bulletin board] in Chicago says, "If you are an anti-Communist you have made the right connection...on the other hand, if you are consumed with such myths as Judeo-Christianity, you most definitely dialed the wrong number." Stan Anderman (Anti-Defamation League): Some of this really extreme hatred is an attempt to create an environment where violence becomes acceptable. Russ: Like most computer bulletin boards the Aryian Nation message is legal and falls under free speech laws. However, a bill is scheduled to go to congress this session outlawing the kinds of bulletin boards we saw here tonight. But, for the moment, hackers should not be too surprised if something unusual pops up on their computer terminal. [Ahem, Russ, you did it again. All computer users are *NOT* hackers.] Typed For PWN's Usage by Knight Lightning ______________________________________________________________________________ MIT Unix: Victim or Aggressor? January 23 - February 2, 1987 ------------------------------- Is the MIT system an innocent victim of hacker oppression or simply another trap to capture unsuspecting hackers in the act? It all started like this... [Some posts have been slightly edited to be relevant to the topic] ------------------------------------------------------------------------------ MIT Name: Druidic Death Date: 12:49 am Mon Jan 20, 1986 Lately I've been messing around on MIT's VAX in there Physics Department. Recently some one else got on there and did some damage to files. However MIT told me that they'll still trust us to call them. The number is: 617-253-XXXX We have to agree to the following or we will be kicked off, they will create a "hacker" account for us. <1> Use only GUEST, RODNEY, and GAMES. No other accounts until the hacker one is made. There are no passwords on these accounts. <2> Make sure we log off properly. Control-D. This is a UNIX system. <3> Not to call between 9 AM and 5 PM Eastern Standard Time. This is to avoid tying up the system. <4> Leave mail to GEORGE only with UNIX questions (or C). And leave our handles so he'll know who we are. ------------------------------------------------------------------------------ Unix Name: Celtic Phrost Date: 4:16 pm Mon Jan 20, 1986 Thanks Death for the MIT computer, I've been working on getting into them for weeks. Here's another you can play around with: 617/258-XXXX login:GUEST Or use a WHO command at the logon to see other accounts, it has been a long time since I played with that system, so I am unsure if the GUEST account still works, but if you use the WHO command you should see the GUEST account needed for applying for your own account. -Phrost ------------------------------------------------------------------------------ Unix Name: Celtic Phrost Date: 5:35 pm Mon Jan 20, 1986 Ok, sorry, but I just remembered the application account, its: OPEN Gawd, I am glad I got that off my chest! -(A relieved)Celtic Phrost. Also on that MIT computer Death listed, some other default accounts are: LONG MIKE GREG NEIL DAN Get the rest yourself, and please people, LEAVE THEM UNPASSWORDED! ------------------------------------------------------------------------------ MIT Name: Druidic Death #12 Date: 1:16 am Fri Jan 23, 1987 MIT is pretty cool. If you haven't called yet, try it out. Just PLEASE make sure you follow the little rules they asked us about! If someone doesn't do something right the sysop leaves the gripe mail to me. Check out my directory under the guest account just type "cd Dru". Read the first file. ------------------------------------------------------------------------------ MIT Name: Ctrl C Date: 12:56 pm Sat Jan 24, 1987 MIT Un-Passworded Unix Accounts: 617-253-XXXX ALEX BILL GAMES DAVE GUEST DAN GREG MIKE LONG NEIL TOM TED BRIAN RODNEY VRET GENTILE ROCKY SPIKE KEVIN KRIS TIM And PLEASE don't change the Passwords.... -=>Ctrl C<=- ------------------------------------------------------------------------------ MIT Again Name: Druidic Death Date: 1:00 pm Wed Jan 28, 1987 Ok people, MIT is pissed, someone hasn't been keeping the bargain and they aren't too thrilled about it. There were only three things they asked us to do, and they were reasonable too. All they wanted was for us to not compromise the security much more than we had already, logoff properly, not leave any processes going, and call only during non-business hours, and we would be able to use the GUEST accounts as much as we like. Someone got real nice and added themselves to the "daemon" group which is superusers only, the name was "celtic". Gee, I wonder who that could have been? I'm not pissed at anyone, but I'd like to keep on using MIT's computers, and they'd love for us to be on, but they're getting paranoid. Whoever is calling besides me, be cool ok? They even gave me a voice phone to chat with their sysops with. How often do you see this happen? a little perturbed but not pissed... DRU' ------------------------------------------------------------------------------ Tsk, Celtic. Name: Evil Jay Date: 9:39 am Thu Jan 29, 1987 Well, personally I don't know why anyone would want to be a superuser on the system in question. Once you've been on once, there is really nothing that interesting to look at...but anyway. -EJ ------------------------------------------------------------------------------ In trouble again... Name: Celtic Phrost Date: 2:35 pm Fri Jan 30, 1987 ...I was framed!! I did not add myself to any "daemon" group on any MIT UNIX. I did call once, and I must admit I did hang up without logging off, but this was due to a faulty program that would NOT allow me to break out of it, no matter what I tried. I am sure that I didn't cause any damage by that. -Phrost ------------------------------------------------------------------------------ Major Problems Name: Druidic Death Date: 12:20 pm Sat Jan 31, 1987 OK, major stuff going down. Some unidentified individual logged into the Physics Dept's PDP11/34 at 617-253-XXXX and was drastically violating the "agreement" we had reached. I was the one that made the "deal" with them. And they even gave me a voice line to talk to them with. Well, one day I called the other Physics computer, the office AT and discovered that someone created an account in the superuser DAEMON group called "celtic". Well, I was contacted by Brian through a chat and he told me to call him. Then he proceeded to nicely inform me that "due to unauthorized abuse of the system, the deal is off". He was cool about it and said he wished he didn't have to do that. Then I called George, the guy that made the deal and he said that someone who said he was "Celtic Phrost" went on to the system and deleted nearly a year's worth of artificial intelligence data from the nuclear fission research base. Needless to say I was shocked. I said that he can't believe that it was one of us, that as far as I knew everyone was keeping the deal. Then he (quite pissed off) said that he wanted all of our names so he can report us to the FBI. He called us fags, and all sorts of stuff, he was VERY!! [underline twice] PISSED! I don't blame him. Actually I'm not blaming Celtic Phrost, it very easily could have been a frame up. But another thing is George thinks that Celtic Phrost and Druidic Death are one and the same, in other words, he thinks that *I* stabbed him in the back. Basically he just doesn't understand the way the hacker community operates. Well, the deal is off, they plan to prosecute whoever they can catch. Since George is my best friend's brother I have not only lost a friend, but I'm likely to see some legal problems soon. Also, I can forget about doing my graduate work at MIT. Whoever did this damage to them, I hope you're happy. You really messed things up real nice for a lot of people. Celtic, I don't have any reason to believe you messed with them. I also have no reason to think you didn't. I'm not making an accusation against you, but WHOEVER did this, deserves to be shot as far as I'm concerned. Until this data was lost, they were on the verge of harnessing a laser-lithium produced form of nuclear fission that would have been more efficient than using the standard hydrogen. Well, back to the drawing board now. I realize that it's hard to believe that they would have data like this on this system. But they were quite stupid in many other areas too. Leaving the superuser account with no password?? Think about it. It's also possible that they were exaggerating. But regardless, damage seems to have been done. ------------------------------------------------------------------------------ MIT Name: Phreakenstein Date: 1:31 am Sun Feb 01, 1987 Heck! I dunno, but whoever it was, I think, should let himself (the s00per K-rad elyte d00d he is) be known. I wasn't on MIT, but it was pretty dumb of MIT to even let Hackers on. I wouldn't really worry though, they did let you on, and all you have to prove is that you had no reason to do it. ----Phreak ------------------------------------------------------------------------------ I wonder... Name: Ax Murderer #15 Date: 6:43 pm Sun Feb 01, 1987 I highly doubt that is was someone on this system. Since this is an elite board, I think all the users are pretty decent and know right and wrong things to do. Could be that one of the users on this system called another system and gave it out!?? Nahh...shooting the asshole is not enough, let's think of something better. Ax Murderer ------------------------------------------------------------------------------ It was stupid Name: Druidic Death #12 Date: 9:21 pm Sun Feb 01, 1987 It seems to me, or, what I gathered, they felt that there were going to be hackers on the system to begin with and that this way they could keep themselves basically safe. I doubt that it was Celtic Phrost, I don't think he'd be an asshole like that. But I can't say. When I posted, I was pretty pissed about the whole deal. I've calmed down now. Psychic Warlord said something to me voice the other day that made me stop and think. What if this was a set up right from the start? I mean, MIT won't give me specifics on just what supposedly happened, Celtic Phrost denies everything, and the biggest part of it is what George said to me. "We can forgive you for what you did to us if you'll promise to go straight and never do this again and just tell us who all of your friends are that are on the system". I didn't pay much attention to that remark at first, now I'm beginning to wonder... I, of course, didn't narc on anyone. (Who do I know??? hehe) DRU' ------------------------------------------------------------------------------ Well Name: Solid State Date: 11:40 pm Sun Feb 01, 1987 Well if they were serious about the FBI, I wouldn't take this too lightly. Lately at Stanford there has been a lot of investigators that I've pinpointed running around. This is mainly due to the number of break-ins this summer. Anyways, if a large college like MIT says they may call in the FBI, be wary, but don't over-react. SOLID STATE ------------------------------------------------------------------------------ Comments... Name: Delta-Master Date: 7:15 am Mon Feb 02, 1987 It wouldn't surprise me if it was some kind of setup, it's been done before. Delta-Master ------------------------------------------------------------------------------ Oh well... Name: Evil Jay Date: 8:56 am Mon Feb 02, 1987 I think your all wrong. The MIT lines have been around for a long time and are widely known among the rodents. Anyone with a g-file could hack out a password on the system so it looks to me like someone just messed around and just happened to use Phrost as a flunkie. Oh well... -EJ ------------------------------------------------------------------------------ All posts taken from: ___ / ) \___ | | __ \ |_ _ _| _ (_ _ _ _ (___/ | ) ( \ ( | (_) \/\/ __) | ) ( \ \/\/ | ) | \_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_/ "We're not ELITE... we're just cool as hell." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Information Provided indirectly/directly by Ax Murderer/Celtic Phrost/Ctrl C/Delta-Master/Druidic Death Evil Jay/Phreakenstein/Solid State ______________________________________________________________________________ Phortune 500: Phreakdom's Newest Organization February 16, 1987 ---------------------------------------------- For those of you who are in the least bit interested, Phortune 500 is a group of telecommunication hobbyists who's goal is to spread information as well as further their own knowledge in the world of telecommunications. This new group was formed by: Brew Associates/Handsomest One/Lord Lawless/The Renegade Chemist Quinton J. Miranda/Striker/The Mad Hacker/The Spiker These eight members are also known as Board Of Directors (BOD). They don't claim to be *Elite* in the sense that they are they world's greatest hackers, but they ARE somewhat picky about their members. They prefer someone who knows a bit about everything and has talents exclusive to him/herself. One of the projects that Phortune 500 has completed is an individual password AE type system. It's called TransPhor. It was written and created by Brew Associates. It has been Beta tested on The Undergraduate Lounge (Sysoped by Quinton J. Miranda). It is due to be released to the public throughout the next few months. Phortune 500 has been in operation for about 4 months, and has released two newsletters of their own. The Phortune 500 Newsletter is quite like the "People" of contemporary magazines. While some magazines cover the deep technical aspects of the world in which we communicate, their newsletter tries to cover the lighter side while throwing in information that they feel is "of technical nature." The third issue is due to be released by the end of this month. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *>=-> The Phortune 500 Membership Questionnaire <-=<* Note: The following information is of a totally confidential nature. The reason you may find this so lengthy and in depth is for our knowledge of you. We, with Phortune 500, feel as though we should know prospective members well before we allow them into our organization. Pending the answers you supply us, you will be admitted to Phortune 500 as a charter member. Please answer the following completely... .............................................................................. Handle : First Name : Voice Phone Number : Data Phone Number : City & State : Age : Occupation (If Applicable) : Place of Employment (Optional) : Work Phone Number (Optional) : Computer Type : Modem Type : Interests : Areas Of Expertise : References (No More Than Three) : Major Accomplishments (If Any) : .............................................................................. Answer In 50 Words Or Less; ^*^ What Is Phortune 500 in Your Opinion? ^*^ Why Do You Want To Be Involved With Phortune 500? ^*^ How Can You Contribute to Phortune 500? .............................................................................. Please answer each question to the best of your ability and then return to any Phortune 500 Board of Directors Member Or a Phortune 500 BBS: The Private Connection (Limited Membership) 219-322-7266 The Undergraduate AE (Private Files Only) 602-990-1573 Information provided by Quinton J. Miranda & Phortune 500 Board Of Directors ______________________________________________________________________________ PWN Quicknote ------------- At the University of Rhode Island there is supposed to be some undercover agent for Bay Bell. Supposedly he hangs out at the library and watches for people checking out the Bell Technical Journals. Then he asks questions like, 'What do you want those for?' 'Do you know what 2600Hz is?' and other similar questions. He isn't registered at the school and of course has no classes. [Sounds bogus to me...oh well-KL]. Information by Asmodeus Rex (1/21/87) ______________________________________________________________________________

---

E-Mail Fredric L. Rice / The Skeptic Tank