%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%                     T H E   E M P I R E   T I M E S                      %
%                     -------------------------------                      %
%                         The True Hacker Magazine                         %
%                                                                          %
%   October 18th, 1994                                           Issue 5   %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

This Issue's Features:

 #  Selection                             Author          Size
 -  -------------------------------       -------------   ----
 X. Introduction                          armitage          4k
 1. Raw Irc in a Nutshell                 PuD C0ur13r       4k
 2. DMS Family of Switches                erudite           6k
 3. Defcon III Update                     dark tangent      3k
 4. Bust of Mercury (aka merc) & others   invalid media    10k
 5. LDDS Multimedia, Operator Scams       entropy          12k
 6. NCSA Telnet                           x                 6k
 7. OSCINT Overview (Part 1 of a series)  firefly           7k
 8. OSCINT (Part 2 of a series)           firefly           7k

------------------------------------------------------------------------------

Founder: Albatross
Editor: Armitage
Contributors: Entropy, Erudite, Firefly, Invalid Media, PuD Courier,
              The Dark Tangent, X.
Special Thanks: Northern Telecom, Sevenup, Noelle.

===========================================================================

                         -=- The Empire Times -=-
                               Introduction

Empire Times was once a rumor, but led by the know how of albatross, they
created an image, a way of life, an Empire. We brought it back, I thought
that there was no reason to let this empire die. This issue just proves
that we are back, and will keep going, the last issue was power-packed,
but it was not the last. The empire lives on, through busts, complications
and hardships.

Late? What do you mean late? So maybe you should just consider the
_actual_ release date about a week or so, or so, or soo after the date
that I tell you I plan to release it? Don't bitch at me, just wait a
little while longer, at least you still read it. I still plan on doing it
on a monthly schedule, but not exactly month after month, maybe a week or
so late every month, but it'll still be considered "About Monthly".

You know how much support I get doing this?
Not much, but there are a few helping hands, (firefly, roach..). Other
than that... I've had one complaint about this zine, but I don't care,
it's not my problem. Manowar --> fuck off, go away, and stop wasting my
time.

Brought back from the trenches of distractions such as irc. I just thought
The Empire Times was something we would do for fun, but somehow people got
my mail address, and sent for copy after copy of it. I've assembled a
mailing list for the magazine, I never thought we'd get this kind of
response.

Hype. That is what everything these days is about. I don't know if that is
good, or bad. With all the things that have happened to the (602) locals..
Invalid Media, VaxBuster, Merc and all them. I don't think I want to
understand. Whatever the case, someone is out there, someone is leaking,
but at this point, I don't care. I remind all of you to stay safe and not
to be as open as the next person. Invalid wrote something special for
Empire Times about the roundabout happenings in the (602) Scene.

At this time I would like to say a few things about current (well at the
time I am writing this) events.

Invalid Media is looking to put UPT on the net. I think that is good and
bad, it's good because it'll be net accessible, but I think it's bad
because more people will try to get in. I hope it doesn't lose its private
factor. Reminder to all that UPT is up, and still elite, so get the info
and call.

Digital Anarchy is going better than ever. I'd like to mention it as a
really quality bbs, but don't want to offend the other great boards that
still exist. Boards are 99% dead, since the eruption of the internet. That
is good in some cases, but it does take most of the fun out of dialing.
However there are some still worth calling. Empire, Digital Anarchy,
Plan-9, Secret Techtonics, Unphamiliar Territories, Planet 10,
Unauthorized Access, Lucid Nightmare... Boards aren't the answer, but a
social side, and an alternative to irc.

Pumpcon is coming around the corner, at the end of October. Okinawa
thought it'd be a good idea to make it private. Well if you've seen the
info sheet, you'd see that it's not _that_ private. I hope it goes over
well, seeing that okinawa and ixom are putting out money, and taking the
trouble to do it. I think all in all it will come and go, with not many
people remembering it. That _should_ be due to the fact that pumpcon has
always been the party con(cept partycon). Whatever happens, I'm sure it
will go over nicely. I'm excited about it.

Till the next Empire Times,

armitage@dhp.com

===========================================================================

                         -=- The Empire Times -=-
                           Issue 5, File 1 of 8
                          IRC, The Untold Story
                              By PuD C0ur13r

You want to IRC, but don't have a client offhand, or a client is too hard
to compile? Well, here's a secret for you. You don't need a client for the
irc. Try IRC raw. No, I don't mean a hamburger raw. Sheesh. ;)

Really, though, raw is pure IRC. But personally I don't like raw irc.
There's too much information there in Raw, and it's a bit confusing. But
with info, it should be made easy.

Any irc server can be an anonymous IRC site. All you have to do is to
telnet to port 6667.

ie - telnet irc-2.mit.edu 6665..6667
            irc.colorado.edu 6667
            irc.uiuc.edu 6667
            poe.acc.virginia.edu 6667
            hope.gate.net 6667
            irc.iastate.edu 6667
            cs-pub.bu.edu 6667

Once you are connected, you need to login. You do this with the following
two commands: (note, do not try /user, this doesn't work)

user [put your 'real' user name here] 0 0 :[your 'full' name]

ie - user PuD_r0ks 0 0 :PuD C0ur13r

(note - the 0's used to be fields for an ip address. However, this is
obtained via backwards checking now so these fields are redundant. On some
systems, most notably UMD, this will not work to change the 'real' user
name because it supports the identd protocol at port 113.)

nick [what you want your nick to be]

ie - nick roach

(again, don't try /nick.
this is raw, not a client.)

You can join channels with

join #channel

ie - join #hack

(uhuhuhu, don't do /join either)

Say you're on #hack, and you wanna talk. Well just do this command:

privmsg #channel :[whatever you want to say]

ie - privmsg #hack : y0y0y0y0, PuD r0ks.

(note, the colon is needed).

And if you privately want to message someone, try this command.

privmsg [person's name] :[whatever else]

ie - privmsg armitage : hey, when is the next empire times?

The only things you can't do like this that I know of are - emotes and DCC
transfers. Emotes are lame anyway, and dcc is blocked out on most if not
all anonymous irc sites.

So there you have it. IRC raw in a nutshell. But if you try IRC raw, and
you think "Bleh, this is pretty weird. Are there any anon irc sites I can
try?" Well here are a few:

irc.nsysu.edu.tw        login: irc
cybernet.cse.fau.edu    login: bbs
suncc.ccu.edu.tw        login: guest or gopher
dallet.channel1.com     login: irc
ilink.nis.za            login: irc
freenet.detroit.org     login: guest

There are others, but those are the few that I know that work. If anyone
wants to update this article, or improve it (I always need more anonymous
irc sites. I could always make a huge article on anon IRC sites. :) email
me at roach@tmok.res.wpi.edu

SHOUTOUTS: (yeah, I want to shoutout too. ;)

armitage:            PHRACK BOY, I MEAN ARMITAGE.
shadowdancer:        d00d, watch out. keep yourself safe.
fenris wolf:         Without you, this article could not have been made.
                     Thanks. :)
albatross:           Wassup Homeboy?
y-windoze:           HEY, WHEN IS MY PUD ARTICLE GOING TO BE PUBLISHED?!?
squinky:             fry shit up, d00d.
Rest of the DC crew: w3rd up.

=============================================================================

                         -=- The Empire Times -=-
                           Issue 5, File 2 of 8
                 DMS Family of Digital Switching Systems
                                by Erudite

In this Infoarticle I hope to cover the capabilities and flexibilities of
all the DMS Digital Switching Systems, I will also talk about other
Northern Telecom Devices and Systems.
The majority of the file is based on the DMS-100 system.

First we have brief descriptions of the DMS Switches:

DMS-10
------
This is a versatile switch which is cost-effective for the duties that it
was created for. It is a digital switch that services suburban and rural
areas. It is in service internationally as well as in the US (rural and
suburban areas). It allows access to local and long-distance service. It
can handle up to 12,000 subscribers. It is the smallest of the DMS family.

DMS-100
-------
The purpose of the DMS-100 Switch is to provide coverage and connections
to the public network. It is designed to deliver services over subscribers
lines and trunks. It provides POTS (Plain Old Telephone Service), along
with very sophisticated business services such as ACD (Automatic Call
Distribution), ISDN (Integrated Service Digital Network), and MDC
(Meridian Digital Centrex).

DMS-200
-------
The DMS-200 switch has toll capabilities, it is used for toll-center
applications. It provides TOPS (Telephone Operator Position System) which
is the world's premier operator service, from Northern Telecom.

DMS-100/200
-----------
Simply, this combines the DMS-200 Toll capabilities and applications, with
the DMS-100 public networking, which makes it possible for this switch to
service subscriber lines, long distance circuits with toll applications.

DMS-250
-------
This is the long distance tandem switch that connects long distance calls.
It is used by the interexchange carriers. It is powerful, and they are
used to connect most of the U.S. population.

DMS-300
-------
This is the international exchange, which gates calls internationally. It
provides the most advanced range of international services. This
international digital switch can interface with almost *any* country in
the world. Talk about power. It is known as the International Gateway
System.

DMS-Supernode
-------------
This is faster, and can handle more throughput than the DMS-100.

DMS-Supernode SE
----------------
This is a reduced size Supernode system, it has a DMS-Core processing
engine, DMS-Bus high-speed messaging component, the Link Peripheral
Processor (LPP), and the Enhanced Network non-blocking switching network
(ENET), which makes it a cost effective system, combined all into one
compact unit.

DMS-MTX Cellular Switch
-----------------------
Northern Telecom's Cellular Switch. The DMS-MTX was the first cellular
switch in North America to offer subscribers.

DMS Architecture & Functionality

Messaging - "DMS-Bus" is the high speed data bus connecting most
components of the switch. This makes the DMS-Supernode system a true step
up communications platform.

Switching - The switching matrix calls to their destination. Currently in
planning is future switching fabrics that will allow for broader data
applications, including (ATM) Asynchronous Transfer Mode.

Maintenance & Billing - The DMS Systems provide full feature testing, and
other transaction and maintenance procedures.

Multicomputing platform - The DMS systems enable a high capacity, and
other "information" age applications and functions. Such as
Videoconferencing, transmission of imaging, and dialable ds-1 backup.

DMS Family Setup

Below will be a simple, common setup of dms systems to form a wide range
communications system.

   DMS-100 ----------------- DMS-200 ----------------- DMS-250
 (end office)            /(Tandem office)           (ld services)
                        /                                 |
                       /                                  |
                      /                                   |
                     /                                    |
                    /                                  DMS-300
 DMS-Supernode ---------- DMS-100                   (int services)
 (maint,billing)         /   |   \                        |
                     (subscriber lines)                   |
                                                          +--- International Gateway

DMS Applications and Markets

Switch             Application              Class      Market
-------            ------------------------ ---------  -------------------------
DMS-100            End Office               5          Local Exchange Carriers
DMS-200            Toll Office              4          Local Exchange Carriers
DMS-100/200        End Office/Toll Office   5          Local Exchange Carriers
DMS-250            Tandem Toll Center       4,3,2,1    Interchange Carriers
DMS-300            International Gateway    CTI-3,CTX  Int. LD Carriers
DMS-MTX            Mobile Telephone Center             Cellular Servers
Meridian ACD Srvr  Adjunct ACD Switch                  Local Exchange Carriers

References: The DMS100 Advantage (nt)

=============================================================================

                         -=- The Empire Times -=-
                           Issue 5, File 3 of 8
                            Defcon III Update
                           by The Dark Tangent

XXXXXXXXXXXXXXXXXXXXXXXX XX DEF CON Announcement
XXXXXXXxxxxXXXXXXXXXXXXXXX XX DEF CON Announcement
XXXXXXxxxxxxXXXXXX X X DEF CON Announcement
XXXXXxxxxxxxxXXXXXXX X
XXXXxxxxxxxxxxXXXX XXXXXXXXX
XXXxxxxxxxxxxxxXXXXXXXXXX X
XXxxxxxxxxxxxxxxXXXXXX XX X
XXXxxxxxxxxxxxxXXXXXXXX
XXXXxxxxxxxxxxXXXXXXXX X XX
XXXXXxxxxxxxxXXXXXXXXXX XX X
XXXXXXxxxxxxXXXXXXXXX X DEF CON Announcement
XXXXXXXxxxxXXXXXXXXXXXXXXX DEF CON Announcement
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX DEF CON Announcement

Ok, nothing too fancy in this announcement. Just that DEF CON III is going
to be happening a little later next year, the first weekend in August '95
in Las Vegas.

There is a slight problem, however. We grew too large for most of the
Hotels. That means it is expensive for me to rent space large enough for
everything on the weekends. Sure the convention could be during the
weekdays, and everything would cost 1/2 as much, but everyone I talk to
tells me to do it on a weekend or not at all, so...

Rooms will be around $90 a night for a double. We'll have three areas
along one hallway. A double section for the speaking, a section for people
to hang out and talk and a section for computer hookups and movies.

We have a mailing list up for information, etc. If you want to subscribe
mail majordomo@fc.net with "subscribe dc-announce" in the body of the
message.

There are lots of things being planned, but since shit always happens at
the last minute I'm not gonna say anything too early. We'll have more of a
focus on technical hacking this year, though.

Audio tapes, shirts, etc. are still available from DC II, if you are
interested mail dtangent@defcon.org for more info.

Thanks Armitage for putting this out...

The Dark Tangent

--
PGP Key (2.3a & 2.6) Available.
Voice (AT&T) 0-700-TANGENT   FAX 513-461-3389
DEF CON mailing list, mail: majordomo@fc.net with "subscribe dc-announce"
in the body.
DEF CON FTP Site: fc.net, /pub/defcon   WWW: dfw.net/~aleph1

============================================================================

                         -=- The Empire Times -=-
                           Issue 5, File 4 of 8
                      The Bust of Mercury (aka merc)
                          +other related busts
                             by Invalid Media

This is the unofficial textfile describing how merc got busted. A little
background first - merc was the cosysop of Unphamiliar Territory (and ran
the board on many occasions when I wasn't up to it), he was also a member
of "the Posse" - a group which does not exist (it's a figment of Len
Rose's imagination).

The source(s) for all of this information will not be disclosed and real
handles will not be used to protect many people. If I were speaking of The
Dark Druid (for example) I might say Hacker A. Also please note that the
source for this information is NOT merc -- he is refusing to talk to
anyone at this point in time.

I. How it all started

Late August, merc was playing around with his lock-picking set and decided
to go to a bar. He was standing outside of The Dirty Drummer when a cop
strolled by. He was with non-Hacker A when this occurred. They both got
questioned and promptly arrested. His truck was seized at this time.

The morning of September 1st, merc's apartment was raided by many
different groups which include (but not limited to) Secret Service,
Federal Bureau of Investigations, IRS, Gail Thackeray (in person!).

Merc was (allegedly) dealing with the following:

a) Cellular telephony including engineering phones, making fraudulent
   calls via tumbling and cloning.
b) Hacking and gaining complete control of many computer systems (you
   know, all those that the Posse are accused of hacking).

Why was his apartment raided?
Well, Gail Thackeray somehow found out about his B&E bust and decided to
take action right away - plus she feared that he would go complete
cellular and she would not be able to keep track of his activities.

II. The following days

Well we all knew about his B&E bust but didn't know anything else had
happened. I was on irc a couple days after merc's bust and was /msg'd by
Hacker B with something along the lines of:

"what the hell is stuck up merc's ass? i called him and say hey and he
just hung up on me"

Not knowing anything other than the B&E bust, I just said that he was most
likely paranoid about it and doesn't want to take any chances until things
are completely cool again.

Having known merc for years, I decided to give him a call since he
obviously wouldn't hang up on one of his best friends.

RING, RING, RING...

"i can't talk to you anymore..."

This is where I started getting really concerned. After repeated attempts
at trying to call him and stopping over at his apartment (with little to
no luck) I decided to give some other people a call.

Turns out, that same day Neurosis was busted, Mind Rape was visited, and
Richard Finch (a journalist who set us all up with an interview on KFYI
radio and who organized many 2600 meetings in Arizona) was also busted.

We called up Hacker C. He told us all he knew (and it was basically
information we already knew with the following additions):

a) merc was under investigation for at least a year
b) a wiretap and/or datatap has been plaguing merc for at least an entire
   year.
c) they took fingerprints at merc's apartment
d) they didn't know much about Posse so they questioned him for hours on
   the subject

III. Other related busts

It seems that on September 1st a lot of people were busted.
On September 15th, a "security" user on my board, Keith Jensen of Sprint,
posted the following message:

--Begin UPT capture--

Subject: September 4th
From: sprinter@gail.upt.org (Keith Jensen - SPRINT)
Date: Thu, 15 Sep 94 16:42:25 PST
Organization: (Newsgroup) alt.neutral

September 4th at 4:09p, the Police, Secret Service and F.B.I. stormed into
the offices of Sprint in New York, promptly arrested me and seized all the
computer equipment in my office.

I was charged with hindering an investigation taking place in New Orleans
into the escapades of Renegade, Dr. Demonsus, Wiseguy, and Revelation. I
have never heard of these people so please tell anything you know about
them.

I was allegedly providing them with information they needed to get into
TransUnion and Information America through Sprintnet. According to them, I
also helped them break into Government and Military systems to obtain more
credit card information.

They found a RS tone dialer in my office (which was not modified to make
it a red box) and charged me with possession of a toll-fraud device.

I have no idea what is going on. My office is still empty and raided and I
have taken an involuntary month-long vacation from Sprint until this will
clear up. Hopefully it will.

They asked me a lot of information about The Posse, my connections with
8BBS, Modem over Miami, The Phoenix Project, and MOD. I used to call some
of these boards many years ago but never did anything illegal through them
and it was over 10 years since I've heard 8BBS brought up.

A much pissed off Sprinter

--End UPT Capture--

There were a lot of posts about Sprinter's bust as well as merc's. The
following was posted by bobby0 on the general chit-chat forum:

--Begin UPT Capture--

Subject: merc/etc
From: bobby0@gail.upt.org (Bobby Zero - Normal User)
Date: Sat, 17 Sep 94 10:16:15 PST
Organization: (Newsgroup) alt.system.news

Would merc/mr/etc getting busted have anything to do with what happenee
er, happened to Sprinter?
The timing seems pretty close. Read this in CU digest today:

NEW ORLEANS (AP) -- "Dr. Demonicus," "Renegade" and four other hackers
used computerz to steal credit card numbers and used them to buy $210,000
in gold coins and high-tech hardware, federal prosecutors said Wednesday
(Sep 8, 1994)

The nine-count indictment unsealed Wednesday charged 5 men from Louisiana
and one from New York with conspiracy, computer fraud, access device
fraud, and wire fraud, US Attorney Eddie Jordan Jr. said.

Some of their hacker nicknames [gawd] were included. They were identified
as Dwayne "Dr. Demonicus" Comerger, 22; Brian Ursin, 21; John Christopher
"Renegade" Montegut, 24; Timothy "Revelation" Thompson, 21; James McGee,
25; and Raymone "Wiseguy" Savage, 25, of Richmond Hills, N.Y.

.. it doesn't mention phx at all, but I thought the timing was just kinda
odd.

--End UPT Capture--

At this point everyone is scared. A lot of hackers were busted and the
main thing they all had in common was an interest in Cellular telephony.

A week after Sprinter's post which set us all off, he posted the
following:

--Begin UPT Capture--

Subject: my bust
From: sprinter@gail.upt.org (Keith Jensen - SPRINT)
Date: Wed, 21 Sep 94 16:32:36 PST
Organization: (Newsgroup) alt.neutral

This morning I was promptly visited at my house with one of the arresting
officers (Richard Dapesio) who apologized for the arrest and quickly
brought me back all the seized equipment. They even gave me a check for
$75 to replace the tone dialer which they took apart and could never put
back together again.

I was told that the investigation was regarding only The Posse and many
people were visited. They told me that they apprehended all of the people
who they were going to already (on September 1st, my bust came on the 4th
because it took them a couple more days than it should have to get the
proper paperwork done). He said they got everyone they were looking for
except a few who they can't find because they are mobile.

The reason I was apprehended was because there was some information on my
system that was placed there by the New Orleans hackers (who are in the
Posse group he said) and they thought that I had given them access to my
system and its databases, but that wasn't true. They got in through a
backdoor I have yet to find. It's running BSD, so if anyone has BSD
backdoors please let me know.

Was this Operation Sundevil II? 46 hackers busted in one day. All those
busted were involved in credit card fraud or (the biggest fear people have
now) cellular phone fraud. People were using tumblers to make free phone
calls from their cellular phones and that had to be quickly stopped.

If you are involved in any way with the following things, I would
recommend stopping them:

  Cellular phone fraud using tumblers or clones
  Credit card fraud especially from Novell, Microsoft, and other giant
  computer conglomerates.

46 hackers, 84 computers, hundreds of thousands of dollars in pirated
software, and thousands of dollars in carding computer equipment, software
and cellular phones.

--End UPT Capture--

Ouch.

IV. Conclusion

Between August 31st and September 4th, a lot of hackers were busted. The
following is a list and reason (I'm just guessing)

Hacker          Date     Status      Reason
------          ----     ------      ------
merc            01Sep94  Bust        Cellular, Posse involvement
Neurosis        01Sep94  Bust        Cellular, Making redboxes
Mind Rape       01Sep94  Questioned  ??
Richard Finch   0?Sep94  Bust        2600

We don't know the current status of merc but he was always a good hacker
and friend and we wish him luck.

Invalid Media
upt@bud.indirect.com
upt@cyberspace.org
imedia@tdn.net

==============================================================================

                         -=- The Empire Times -=-
                           Issue 5, File 5 of 8
              A Guide to the Wonders of LDDS Metromedia and
                      the World of Operator Scamming
                                by Entropy

Ever find yourself at a payphone, without a redbox, code, card, or other
device by which you might place that essential call to the warez boyz back
home?
Now assuming you (like most of us) have some supernatural phear of
quarters (or just don't have any) you will need to find some other way to
place your call. Now it's simple. You'll never have to hear another
operator say: "Sir, how in gods name are you putting those quarters in so
fast?" or "Sir, you have yet to deposit any real money!"

PART 1: Third Party Billing
---------------------------

- Billing From an Ordinary Payphone

You can't 3rd party bill to another payphone. Unless of course you know of
a COCOT that accepts charges and doesn't have an evil explanatory message
saying something to the effect of, "This is a payphone, fuck off." It's
been that way for awhile now, right? Wrong. It can be done, it can be done
easily, and it can be done ANYWHERE IN THE CONTINENTAL UNITED STATES.

The key is LDDS Metromedia, the 4th largest long distance carrier in the
US. You've probably heard of Metromedia or some other company with a
similar name. They are tricksters with many divisions and they are
protecting their kodez, therefore they are known by MANY names, some phone
books even list LDDS Metromedia, and Metromedia as separate companies, but
to my knowledge they are one and the same.

Generally you must be at a bank of phones (2 or more phonez) for these
techniques to work, unless you are at a COCOT, but I'll get into that
later.

Here's how it works. You approach a payphone in hopes of calling your
mommy in Atlanta but soon realize your redbox was stolen from your pocket
protector by a group of bad bullies. Casually you move over to the
payphone beside yours and jot down its number. If the number isn't on the
phone you will have to call an 800 ANI to get it. (A list of 800 ANI's is
located at the end of this file.) Removing Entropy's Paper Redbox from the
pocket of your Guess jeans you note the 10-direct code for LDDS
Metromedia.
You return to your original phone and dial:

109990+ACN

You will hear:

"Welcome to LDDS Metromedia Operator Services, to place a collect call
press 1 or to bill this call to a calling card enter the card # now. If
you need operator assistance press 0."

In order to 3rd party bill you will have to go through an operator. Don't
be shy, they are friendly and have never heard of toll fraud in their
lives. Press 0 and when the operator comes on tell her you want to place a
3rd party billed call. They will ask you for the # to bill the call so you
give them the # of the phone next to you. If you're calling from an actual
payphone (as opposed to a "standard" phone) they will put you on hold to
verify the charges and you will hear it ringing in the background. When
the phone beside you rings (it will ring) answer it (don't even worry
about changing your voice) and tell them you will accept the charges.

Here's an example:

1) Dial 109990-516-751-2600

2) Press 0, and wait for the operator.

3) Operator? Yes I'd like to bill this call to my friend at 411. Yes
   that's right 411. You won't bill to Sherry at directory assistance?
   Would it help if I gave you her operator number? (Try this from a
   COCOT, on occasion I have gotten away with billing to directory
   assistance, but I had to be tricky and give them a number like
   617-555-1212. Tricky, tricky eh?) Well then just bill it to
   SUM-PAY-PHONE.

4) "Yes hello, oh yeah i talked to you a minute ago, yeah I just like to
   bill my calls to this payph...i mean my other line to save money...
   Yeah well it's a cellular phone...uh huh, yes I know there is no logic
   to that I just like to do it that way.... (If she persists.) ...Look
   lady, I am in a state of permanent psychosis, i'm very scared right
   now."

5) "y0y0y0 e-man, how ewe doing ?@!$ eye g0t ewe y0r warez!!@$"

This works, I am told, because LDDS does not use the database of blocked
numbers/payphones, or at least the one they have is horrendously small.
Basically this means you can bill a call to ANYONE, even if they have
specifically requested that no collect calls be allowed. And of course,
(as you already know) you can 3rd party bill a call to your favorite
payphone - legally. Well at least _somewhat_ legally. Yes that's right,
the nice operators and helpful customer service representatives concluded
after hours of heated discussion that anything LDDS is used for _MUST_ be
completely legal - otherwise you couldn't do it.

...And you've been sitting home weekends soldering crystals...

Possible problems:

P: The operator recognizes your voice.
S: 1) Disguise your voice.
   2) tell her that was your brother on the other line and that you are
      identical twins.
   3) You want to fuck her like an animal.

P: The phone doesn't ring.
S: You're at a phone that does not accept incoming calls. This is a
   problem, this means it won't work. If you ask the operator what's wrong
   she will tell you the number you are billing to is no longer in service
   and that no further information is available about that number. There
   really isn't anything you can do about it when this happens.

P: The number of the payphone isn't on the phone.
S: Use an 800 ANI. (See end of file)

- Billing from a COCOT

To quote 2600 Magazine, "Stupidity is an Olympic event in the COCOT
world..." Countless articles have been written on the subject so I will
assume the reader is generally familiar with COCOT's (Customer Owned Coin
Operated Telephones.) The main weakness behind such phones is that they
were (and still are) subscriber loops. Originally the label "payphone" was
not associated with COCOT's and they could be abused in countless ways.
Now however, many phone companies have them "marked" as payphones, you
can't bill to them...etc.

If you happen to be at a bank of two or more such phones you can easily
dial the operator and 3rd party bill to the phone beside you.
Unfortunately there are all sorts of things COCOT's do to keep you from
billing to the phones.
Many COCOT's don't have the number on them (use an 800 ANI) and in this
area most COCOT's have messages for operators saying not to bill to that
line. This is however, hardly the most powerful thing one can do with such
a phone: when combined with (you guessed it!) LDDS Metromedia a COCOT
becomes a dangerous weapon. In this case it is not so much the fault of
the phone, but rather LDDS.

LDDS Metromedia classifies lines as "standard," a typical residential
line, and "payphone." Almost _ALL_ COCOTS are classified by LDDS as
"standard" phones. Now to save time and money LDDS has implemented a
particular policy having to do with 3rd party billing: they don't verify
3rd party billed calls when made from a standard phone. That's right, you
can pick up your home phone, dial 109990+617-GRENDEL and have the call
billed to 202-456-1414. They will do it without verification. This is
great if you want to go to prison when your number shows up on their bill
at the end of the month. I am unsure as to whether or not the billed
party's number needs to be valid. If not a phreak would most likely get
away with billing from home.

LDDS Metromedia will also 3rd Party Bill calls to the phone you are
calling from. (Use this as a last resort if you get them to bill a call
otherwise.) You've probably realized by now that from a COCOT you should
be able to bill a call to the phone you are standing at or any other
random number that pops into your head.

Using LDDS to bill to a COCOT is even easier than boxing a call. All you
have to do is dial 109990+ACN, ask for the operator, and tell her to 3rd
party bill the call to wherever you want. It's that damn easy.

[Note: Just before the release of this file LDDS began asking for full
real (hah) names, they now keep them in a database... Apparently some of
Entropy's friends used this billing method a bit much. Just billshit the
name, and if they tell you the party is not accepting 3rd calls then try
again. No biggie.]

Part II: Fucking People Over
----------------------------

Scenario: Your friend just pissed you off. Your friend is going to wish he
          never pissed you off.

Solution: Go to your local COCOT (or someone else's subscriber loop) and
          call 109990+310-516-1119 (deadline). Ask the operator to bill
          the call to the asshole's house. When you hear a loud click the
          deadline has answered and you can leave the phone hanging there
          and just walk away. You might even want to put a little "Out of
          Order" or "Do not hangup" sign on it, or rip the receiver right
          off the phone. Doing both seems to produce (on the average) much
          higher bills.

Part III: Collect Call Messaging and Operator Phun
--------------------------------------------------

This article is about practical methods of placing calls. The information
may or may not be new, and some sections may be considered somewhat lame.
But everything in this phile is easy to do...and it works. With that in
mind let's move on to Part III.

Have you ever wanted to give someone a quick 15 second message without
bothering with the usual billing shit? Simply pick up your payphone, or
home phone for that matter, smack 0+ACN and just select collect when you
are given the option. When it asks you for your name say something like,
"Dont accept, the warez are on their way!!" If you speak in a very
distinct manner it may say it didn't get your name. Try to slur 3 or 4
words together so it thinks of each slur as being a segment of your name.
The same goes for slurring too much, if it hears one long "blahahhhh" it
will ask you to repeat.

Amazingly this technique even works with live operators. All you have to
do is tell them your name is "Dewd 'I have the k0d3z' Michaels" or
something to that effect. Tell them it's a secret thing between the two of
you and if the operator doesn't say it they won't know it's you. In most
cases the ops are required to give them that name.

And finally a list of k0d3z needed to do much of the shit in this phile.
Abuse them fully.
It's a great compact carry-it-everywhere list of odds and ends for the modern phreak. Have phun.

Entropy's Paper Redbox

To set up a conf--
ATT Meetme: 1-800-232-1111
Alliance Dialin: 0-700-345-1000/2000
LDDS Metromedia: Dial 109990+ACN
Encore: 1-800-288-2880
ANI's: 1-800-568-3197
       1-800-959-9090
       1-800-769-3766 (hit 1 twice)
Deadlines: 310-516-1119

0-DaY GreeTz AnD SuCH!@#$
-------------------------

SuPaH-D00PaH y0y0'z g0 0ut t3w: Armitage, Da TeLc0PiMP X, z00m, Olphart, Kalen and the resta the DC PoSSeY!@>#!11 (We have your inpho.)

Send all warez, (GaM3z ONliE Pl33Ze) inph0, h0h0'z, k0d3z, & GiRLiEZ to: entropy@dans.dorm.umd.edu

"Phun is phucking a h0h0" -Entropy, Octobah '94

=============================================================================

-=- The Empire Times -=-
Issue 5, File 6 of 8
Being Elite with NCSA Telnet
(common telnet used in computer labs)
written and tested by X

College campus is a great place to live. Especially if you have ethernet in your rooms. However if you don't have ethernet, don't be discouraged. Ethernet can be just as easily used from one of the greatly convenient labs on campus, especially those that stay open 24 hours a day. Most campus machines that I have dealt with have NCSA Telnet that connects people to the internet. TN3270 is the version that I have used for years, and is the version from which I have tested my information. However I have gotten these simple tricks to work on many other versions including NCSA Telnet 2.5 for the Macintosh.

First off you need to find the directory on the network containing the telnet files. Example: F:\APPS\TN3270\ or F:\PROGRAMS\TELNET\ or whatever your administrators have decided to put it in. Unless you have supervisor access on the network, you won't be able to edit the necessary files on the network, therefore you should copy all these telnet files into a temp directory onto the C drive. i.e. C:\TEMP.

Next you need to find the file called CONFIG.TEL.
This is the file in which all the information is kept, i.e. your designated i.p. address. You need to edit this file and since you now have your own version of telnet on the C drive, you won't hurt anything.. yet.

Here is a shortened clip of an example of a CONFIG.TEL file, my comments will be preceded by "***" :

CONFIG.TEL
--------------------------------------------------------------------------
# WARNING: The values for "myip" and "myname" are reserved for this
# Machine only. Do not use these values with any other machine.
*** This is exactly what you want to do :)
myip=rarp
--------------------------------------------------------------------------

Rarp is a program which assigns this pc a random i.p. address which currently isn't being used. Some schools go ahead and assign each pc its own personal i.p. address so they can keep track of what goes on from where. In that case it would look like this: myip=135.2.45.23 (or whatever).

Now for the good fun, you can replace myip with your own i.p. address such as another pc, your local unix machine, or your admin's pc :). It is a good thing to know beforehand what i.p. you want to take on. It has to be on the same domain as you of course. i.e. 135.2.45.##

What happens now? You know that admin that doesn't like you and always keeps a close eye on you? I wonder what would happen if you replace the myip with his i.p. address and then try to telnet somewhere. Well, let's change the i.p. and try.

myip=135.2.45.50

If his pc has a name (like it is in the nameserver) then you can telnet into a system and it appears like you are coming from your admin's office. Watch:

C:\TEMP\telnet hobbes.werd.edu
Connecting to 129.6.180.32, port TELNET (23)    *** all fake, simply for explanation

Linux 1.0.9 (hobbes.werd.edu) (ttyp2)

Welcome to hobbes! It has been 23 minutes since our last break in. Keep up the good work! -admin

Last login: Thu Oct 13 12:15:21 on ttyp3 from PC23.WERD.EDU.
You have new mail.
hobbes:~> who
x        ttyp2    Oct 13 13:50 (ADMIN.WERD.EDU)
hobbes:~>

werd.. so now you appear to be telnetting from your admin's machine. But what happened to your admin so happily sitting at his terminal in front of his computer? Well, all his telnet sessions simply locked up and he probably had to reboot. This is a great way to hide the fact that you are hacking from a certain machine in the lab and it will throw off any investigation of who was using what machine at what time.

Now, you want to get rid of your admin? Simple. Try lots of feeble hack attempts from your pc (now his address) on lots of elite .gov and .mil sites. Run lots of scripts and be sure to leave lots of logs. The FBI will most likely break down his door within the next week or so and haul him off thinking he is some hack dude.

As for others in the lab that you have a disliking for, i.e. warez dude, mudder, or even your cpsc teacher down the hall. Figure out what i.p. they are using, change your CONFIG.TEL file to their i.p. and watch them lose their connections. Hopefully they were transferring a file or even battling the evil dreaded 3 headed monster on the elite mud.

It goes without saying that you should clean up your C:\TEMP\ directory as you do with anything, don't leave behind stuff that anyone can use to link back to you. Or else your admins will figure out what is happening (not likely) and take care of the problem.

Greetz: Y-WiNDOZE, Entropy, Manowar, The R0ach, PuD, amm, and all da warez kiddiez.

=============================================================================

-=- The Empire Times -=-
Issue 5, File 7 of 8
Open Source Collection INTelligence
Part 1 in a series, "An Overview"
by Firefly

This is an overview of a soon-to-be-regular series on OSCINT, or Open Source Collection INTelligence. I explore this topic not only because it is interesting, but it deals with hackers and Netcruisers in a non-slanderous light ... which I find a refreshing change.
I think that when this series is done, you'll have a better idea of how we, the hacking community, are more of an asset -- and a threat -- to the world at large.

-- Firefly
   Resident OSCINT Advocate

PART THE FIRST -- OSCINT OVERVIEW

With the many advancements in information retrieval services, there is a growing threat of information being obtained and used for the wrong reasons. Such improvements include electronic CD-ROM databases for home computers, academic data stored on computers on the Internet, and even modern archival systems in local libraries. Unknowingly, however, the scientific and technical (S&T) community members responsible for creating the Information Explosion by improving these archival services have also enabled the public to rather easily obtain the data that is part of classified secrets.

Consider nuclear weapons: the American public knows they exist, but their creative process is classified by the government. Yet atomic experiments are conducted daily throughout the S&T community and such experiments -- with results -- are recorded and made available to the public. Theoretically, then, a person could research, locate parts for, and assemble an atomic weapon within their own home -- many files on h/p/a BBSes cover other such lethal concoctions.

Proliferation of nuclear weapons is a proven evil. But what effect does the proliferation of information that leads to the proliferation of such weapons have on the intelligence community? What does this do to the definition of national security? What does this mean for the intelligence community? What about Big Business?

For starters, national leaders (from the President to the thousand-dollar-suit-wearing mongrels running megamonopoly-like corporations like MicroSLOTH) must sit back and re-evaluate their fundamental definitions of national security, intelligence, and corporate success.
In recent years, especially in the Clinton Administration, the definition of national security has changed to include economic issues as key factors that define how secure or stable a nation is. Other transnational factors, such as global warming, national development, and the environment are also crucial in shaping American foreign policy. Information on all these topics exists in the public domain and is not considered a government secret.

The end of the Cold War has caused a worldwide debate over many political definitions, especially what constitutes war, peace, and the proper role of the nation-state in the defense of its citizens. Intelligence during the Cold War was a lengthy process that targeted the Soviet Union. Through the years, collected information has been archived by not only intelligence agencies, but private organizations as well, such as LEXIS/NEXIS. Over forty years' worth of information has been archived in libraries and constantly-revised electronic databases. Business information such as stock prices, annual reports, mergers, and other information, is also available to whoever requests it. This raw data is available to the public, academics, researchers, and interested rival nations or corporations as well.

With the advent of computer technology and the resulting ability to conduct rapid and global searches as well as instant interpretation and presentation of collected data, information is becoming freely available. A rival nation, after locating relevant data on its target, could incapacitate military and civilian command systems or disrupt urban power grids and the civil infrastructure as a prelude to a larger attack. A business competitor could learn sensitive material and trade secrets from a rival corporation and improve its competitive status on the market. Information is readily available on any subject from any perspective.
With a little bit of research, interpolation, and brain-work with his findings, a person could cause substantial damage to a rival nation or corporation by stealing unsecured information that freely exists in the public domain.

There are three traditional intelligence collection methods. There is open source collection (e.g.: FBIS, Jane's Defence), the traditional and secretive HUMINT methods using spies and agents, and classified technical surveillance (TECHINT). The latter are used to gain access to Kremlin safes, high-level PLO meetings, OPEC negotiations, and other areas where United States representatives may not be welcome. The CIA has taken the lead in such collection, and amassed a substantial archive of information from open sources to collate with reports gained through other secretive means to provide their "best-guess" intelligence estimates.

Interestingly, however, open source collections account for about 75% of all foreign intelligence gathered, especially in such areas as foreign local politics, culture, quality of life, and public opinion of foreign leaders and policy. Secretly-gathered information usually reveals more high-level information than open sources; however, when the two are joined and accurately processed, a fairly accurate estimate should be possible. Contrary to popular belief, the CIA places a surprisingly high emphasis on OSCINT activities...and then classifies it.

Stay tuned -- "OSCINT: What is it?" (when we get into the REALLY good stuff)

=============================================================================

-=- The Empire Times -=-
Issue 5, File 8 of 8
Open Source Collection INTelligence
Part 2 of Open Source Intelligence...
by firefly@dans.dorm.umd.edu (and a college graduate too!!)

The most prominent open-source advocate is Robert Steele, founder of Open Source Solutions, Inc., a year-old clearinghouse of unclassified information. After establishing a $20 million intelligence center for the U.S.
Marines, Steele was shocked to discover that its interface with CIA classified databases could not provide the information that Marines wanted to know, such as the turning radius for ships in Brazilian ports or how much weight a bridge in Jordan could support. Much to his surprise, the information sought was easily found in the "open" market of commercial databases, academic sources, and computer networks. "Secrecy corrupts truth", he professes, much to the chagrin of intelligence specialists who agree that "if it's not secret, it's not worth knowing."

Due to his solid standing in the intelligence community and his promise of better information for one-tenth to one-hundredth of the cost of classified material, Steele is the subject of scrutiny of several influential policy makers and colleagues in the intelligence field. This not only publicizes Steele's organization, but also illuminates the cost-effectiveness and true potentials of open sources to both government and private consumers as well.

Commercial ventures, such as OSS, although classified as Open Source Intelligence organizations, are primarily research organizations. A large percentage of time spent in OSINT-gathering and collection is done in libraries behind computer workstations on the many computer networks that span the globe with the single purpose of gathering information. In a decade of cutbacks in defense and intelligence funding, both OSINT-gathering activities and the resulting information are cost-effective methods of obtaining competitor information and data on foreign targets. The OSINT customer -- government or corporate -- need not rent a satellite, hire agents, or spend mega-dollars on technical sensing equipment. They need only purchase a newly-updated report tailored exactly to their requirements, subscribe to a newspaper, or read a book or bound reference.
In this age of cost-effectiveness being the paramount factor in authorizing government programs, the silent opinion seems to be one of "let some other guy do it" as a way to cut spending in not just intelligence operations, but throughout the government as well.

Futurist Alvin Toffler wrote in Powershift that "information is a substitute for time, space, capital, and labor." With the new definition of national security including economic issues, OSINT is an indispensable asset in determining national security and national economic competitiveness. Toffler's "time-space-capital-labor" equates to a college economics textbook discussion of "land-labor-capital" lessons in economic theory. Without these changes in fundamental political definitions, open sources and the advent of information exchange agreements will continue to be the unexplored and ignored intelligence medium of the future, as relatively little economic or trade data is kept secret by the government.

Open source information is everywhere. From the daily newspaper to the national libraries, information overloads today's people. This information overload has resulted from computers and the many electronic archives of formerly-printed media. With a request through the Freedom of Information Act, citizens can peruse most government documents and reports legally and easily. Electronic databases on any subject are only a few keystrokes away and open to anyone with a personal computer and phone line.

This wealth of information and raw data exists in the shadowy domain of cyberspace. As long as cyberspace remains without a formal structure, government, or hierarchy, anyone can access anything on-line. The use of computers has simplified the ability to analyze and interpret large amounts of data, including the ability to formulate estimates and predictions with limited or hypothetical data. Intelligence has therefore moved into a new environment with a new set of tradecraft.
Today's new intelligence tools are keyboards, modems, and databases used in the shadows of cyberspace.

Computers are useful in storing and analyzing information, but are only one tool available to utilize open source information. Television, periodicals, books, and personal interviews can also lead to valuable intelligence information for the OSINT operative. In the business world, stock reports, phantom customers, newsletters, and professional symposiums are all ways of gaining open information about a competitor or rival market.

No piece of information is unimportant in OSINT operations. PSYTEP's Paul Caldwell remarked that there are "new modes of intelligence-gathering being born everyday," including TRASHINT (garbage-picking) and RECYCL-INT (reading discarded papers that are sent to a recycling company for disposal before they are recycled). In essence, OSINT includes these modes of inquiry as well as any investigative technique used by a private investigator. Some of these secret operations, such as RECYCL-INT, are considered "gray-colored", since they are not quite ethical or orthodox; however, they are legal.

Many times intelligence is gathered through overt -- albeit unorthodox -- methods, much to the embarrassment of the target company or individual. Placing a person in a position to gain information is relatively easy, especially in the business world. An operative posing as an alley vagrant could rifle through a commercial garbage dumpster, read discarded papers, and bring "interesting" data back to the investigating office for incorporation into a larger report on a rival's business strategy for the next decade. Far-fetched? PSYTEP collection specialist Ronald Coetzee says that the "sky's the limit on collections...you must be prepared to gather any bit of info you see as relevant for your case."

Next Issue -- A Successful OSCINT story we all know of.
=============================================================================

The Empire Times Q & A Section.

Where can I get The Empire Times?

Via BBS

This is provided that you are on these systems, none accept many new callers, so the #'s aren't listed.

[NPA]  [#]            [System Name]           [System Operator]
-----  -------------  ----------------------  -----------------
(301)  PRIVATE        Empire                  Albatross
(703)  PRIVATE        Digital Anarchy         Armitage
(602)  PRIVATE        Unphamiliar Territory   Invalid Media
(+49)  XXXXXXXXX      Secret Techtonics       Sevenup

Via Anonymous FTP

etext.archive.umich.edu (ftp.etext.org)    /pub/Zines/Emptimes
fc.net                                     /pub/defcon/EMPIRE

Via The Empire Times Mailinglist

Mail armitage@dhp.com with "subscribe emptimes " in the context of the message. To request old issues, just put "request emptimes # " where # is the issue #.

Where can I get in touch with any of the writers?

Erudite/Armitage    armitage@dhp.com
PuD C0ur13r         roach@tmok.res.wpi.edu
Invalid Media       upt@bud.indirect.com
Firefly             firefly@dans.dorm.umd.edu
X                   x@dans.dorm.umd.edu
Entropy             entropy@dans.dorm.umd.edu

Can I write? And where can I send my Article Submissions?

You can mail Armitage or Albatross on either Digital Anarchy or Empire. You can also mail them to me personally at armitage@dhp.com with "Submission" as the title, or in a piece of mail before it.
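
Added example (not part of the original issue, and not X's code): File 6 above has a lab PC take over another machine's address by editing myip in CONFIG.TEL. That edit does not change the hardware address of the PC's network card, so a monitor on the same segment can flag an IP that answers from two hardware addresses and name the machine behind it. The inventory, hardware addresses, seat names and log format below are constructed for illustration.

```python
"""Flag an IP address that answers from more than one hardware (MAC) address.

Changing myip in CONFIG.TEL changes the IP a lab PC uses, not the hardware
address of its network card, so ARP traffic still ties a borrowed IP to the
physical machine that used it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed inventory: IP -> (registered MAC, location). All values made up.
INVENTORY = {
    "135.2.45.50": ("02:00:00:00:00:50", "admin office"),
    "135.2.45.23": ("02:00:00:00:00:23", "lab seat 23"),
    "135.2.45.24": ("02:00:00:00:00:24", "lab seat 24"),
}

# Constructed ARP observations, one per line: time, sender IP, sender MAC.
SAMPLE_LOG = """\
1994-10-13T13:47:30 135.2.45.50 02:00:00:00:00:50
1994-10-13T13:48:10 135.2.45.23 02:00:00:00:00:23
1994-10-13T13:49:55 135.2.45.50 02:00:00:00:00:23
1994-10-13T13:50:01 135.2.45.50 02:00:00:00:00:50
1994-10-13T13:50:03 135.2.45.50 02:00:00:00:00:23
1994-10-13T13:52:30 135.2.45.24 02:00:00:00:00:24
"""


def parse(log):
    """Yield (timestamp, ip, mac) for each non-empty observation line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, mac = line.split()
            yield datetime.fromisoformat(ts), ip, mac.lower()


def find_conflicts(log, inventory, window_s=300):
    """Return one finding per IP seen from two MACs within window_s seconds.

    The window keeps an ordinary reassignment (old machine gone for a while,
    new machine takes the address) from being reported as a conflict.
    """
    last_seen = defaultdict(dict)  # ip -> {mac: time it last claimed the ip}
    seat_of = {mac: seat for mac, seat in inventory.values()}
    findings = {}
    for ts, ip, mac in parse(log):
        rivals = [m for m, t in last_seen[ip].items()
                  if m != mac and (ts - t).total_seconds() <= window_s]
        last_seen[ip][mac] = ts
        if not rivals or ip in findings:
            continue
        owner = inventory.get(ip, (None, None))[0]
        unexpected = sorted({mac, *rivals} - {owner})
        findings[ip] = {
            "first_conflict": ts,
            "registered_owner": owner,
            "unexpected_macs": unexpected,
            "unexpected_seats": [seat_of.get(m, "unknown") for m in unexpected],
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_conflicts(SAMPLE_LOG, INVENTORY).items():
        print(ip, f["first_conflict"].isoformat(),
              f["unexpected_macs"], f["unexpected_seats"])
```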