+=============================================================================+ | ## ## ## ###### ###### ###### ### ### ###### ###### ## ## ## | | ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## | | ## ## ### ##### ## ## ###### ## ## ###### ## ## #### | | ## ## ## ## ###### ## ## ## ## ## ## ## ## ## ## | +=============================================##==============================+ | | | [ The Journal of Priveleged Information ] | | | +-----------------------------------------------------------------------------+ | Volume I, Issue 001 By: 'Above the Law' | +-----------------------------------------------------------------------------+ | | |Informatik--Bringing you all the information you should know... | | and a lot you shouldn't... | | | +=============================================================================+ /* Introduction */ By the Informatik staff Welcome to the inaugural issue of Informatik, an electronic periodical devoted to the distribution of information not readily available to the public, with a particular emphasis on technology and the computing world. First and foremost, this publication is dedicated to the freedom of information. This journal is made possible by The First Amendment of the U.S. Constitution which states: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; OR ABRIDGING THE FREEDOM OF SPEECH OR OF THE PRESS; or the right of the people peaceably to assemble, and to petition the Government for redress of grievances. In this and coming issues, we plan to exercise our First Amendment rights to the best of our ability. We will print feature articles on hacking, phreaking, and various other illicit activities. We also plan on bringing you recent news and gossip from the underground, anything news of interest to hackers, phreakers, grifters, cyber-punks, and the like. Informatik will also provide a plethora of information on the inner workings of corporate America and the U.S. Government. DO distribute this freely! Remember this is not illegal, this is information. Enjoy, Mack Hammer & Sterling [Editors] Please note that the information provided by this newsletter is strictly to interest and inform. We can not condone nor recommend the actual application of this knowledge with malicious intent. Thank you. ///////////////* CONTENTS: *\\\\\\\\\\\\\\\ Volume I, Issue 001 Release date October 4, 1991 =========================================== 01) An Ounce of Prevention: Making the Telcos Hacker-Proof By: Mack Hammer 02) Introduction to Radio Telecommunications Interception By: Sterling 03) Loops Explained By: Anonymous 04) T-File Classic #1: A Novice's Guide to Hacking By: The Mentor 05) Summary of FBI Computer Systems By: Ralph Harvey 06) Dictionary of Phreaker's Terms By: Various Sources 07) Tid-Bytes By: Informatik Staff 08) Hot Flashes--The Underground News Report By: Various Sources [/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/] /[/]/[/] [/]/[/]/ [/]/ /[/] /[/] ===== An Ounce of Prevention ===== [/]/ [/]/ == Making the Telcos Hacker-Proof == /[/] /[/] [/]/ [/]/ ------- by: ------- /[/] /[/] --- Mack Hammer --- [/]/ [/]/ /[/] /[/]/[/] [/]/[/]/ [/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/]/[/] Know thine enemy. Good advice for any battle. For the hacker or phreaker, one's primary opponents are computer security professionals. Since the greatest feather for any cyberpunk's cap is exploitation of a Telco, the behavior of Telco employees is of particular importance. Telco's spend a lot of time studying what hackers do, what information they have, and then trying to apply this information to thwarting the attempts of would be intruders in their systems. Therefore, it seems like hackers and phreakers should be aware of what the Telcos are doing to stop them. Most hackers know about ANI Feature Group D and the other electronic countermeasures used by the Telcos to track down hackers, but how are Telco employees trained to detect and thwart attempts at social engineering, and how do the Telcos respond to break-ins that are detected? This article will discuss basic electronic countermeasures, the training and advice given to employees, and the response of the Telcos to known threats to their systems. /* Hardware */ Before one commits toll fraud (discouraged by this publication), or before they dial up a known carrier, questions race through their mind. The first and foremost is, "Are they tracing this call?" It makes you wonder, how many calls are actually traced? Unfortunately, which telcos trace and which don't varies from company to company. Needless to say, the Big Three long distance carriers (AT&T, U.S. Sprint, and MCI) record both the originator and reciever of every long distance phone call made on their system. For verification of this, call U.S. Sprint and ask for a billing report several months old. Rather than the spiffy little invoice you usually get, you'll recieve a crappy screen dump from a computer with "best possible quality" or something similar stamped on it. It lists, among other things, each call, along with the numbers of both parties. As you can see, this renders toll fraud using any of said systems practically impossible. Many local long distance systems, on the other hand, don't have the facilities necessary for tracing telephone calls. Use your own best judgement. As far as the regional telephone companies are concerned (Bell South, Pacific Bell, etc.), I have heard that newer ESS systems record ALL numbers dialed, including mistakes. I find it hard to believe that this is true, or if it is, that these records are easily retrieved and sifted through. In any case, tracing is quite possible, and in some cases, is quite probable. Use your better judgement, and remember, the bigger the company, the bigger the risk. /* Prevention through employee awareness */ Among telcos today, much attention is given to employee awareness. Nearly all telco employees are trained to recognize and prevent social engineering and hacking. Unfortunately for the telcos employee laziness and complacence often leads employees to replace caution with sloth. For example, much attention has been given to "trashing" or "dumpster diving," and employees are encouraged to shred sensitive documents. In all my trashing experience, however, I have NEVER found shredded paper. The same holds true for social engineering, explicit instructions are given to telco employees to lessen the threat of information leaks through clever social engineering. Employees are encouraged to get the caller's phone number and call them back, but this does not often occur. This advice for beefing up security was given in an article in "Enterprise," a magazine printed by Southwestern Bell. * Get rid of trivial passwords. * Routinely change passwords. * Review password files. * Restrict access to "read only." * Know to whom you're talking. * Shred as many documents as possible. * Post a warning which will be displayed whenever one logs into a computer. * Lock up terminals, personal computers, and floppy disks when they are not in use. * Eliminate unnecessary access lines. * Disconnect modems when they are not in use. * Avoid public domain software. * Report suspicious activity. As you can see, computer security personnel have gotten smart. They are well aware of most hacker tricks, and are doing their best to explain them to all of the other employees. Hackers now rely on the forgetfulness and laziness of normal employees for success, not the ignorance of system managers. Telco security personnel are much more apt to check audit trails than they once were. Suspicious activities such as late-night logins, the use of test and demo accounts, and the like are carefully monitored. One should use the telco computers during peak hours so that strange activity won't be noticed by already busy system managers. Security professionals also carefully monitor activities in the hacker world. They keep a watchful eye on hacker BBSes and publications. Each finding, either a breach in security or increased knowledge amongst hackers is recorded, prioritized and then published in various security documents. One should be especially cautious of any "beginner" who asks a lot of strange questions, because the telcos must have at least some people on the inside. One can also assume that if one telco or corporation has a particularly effective strategy for stopping hackers, or a successful awareness campaign, it will spread like wildfire to all telcos. Despite the fact that telcos are competitors, and are especially secretive since their business depends on a technological edge, they are happy to share all security information, since the ruination of the computer underground is one of their primary goals. This leads us to the final section of this article. . . /* Responses to security breaches */ What do the telcos do when they detect a security breach? This may be the most important question the hacker can ask. Of course, one's goal is to explore the system in question without being detected, but if the worst happens and your intrusion is discovered, it's good to know what steps the telco will take to prevent your future intrusion. The first thing to remember when hacking into a telco's computer is, if you're caught, you will be prosecuted. . . If there's any way they can get you in court, you can bet your bottom dollar you'll be there. Unlike other businesses, which may ignore the occasional security breach because they don't feel like it's a major problem, the telcos live in fear of hackers, and do their utmost to prevent entry into their systems. Telcos make it a point to document every security risk, whether it's a break-in on their system, a bug in an operating system, or some new information found on a BBS. These detections are often published in telco literature in an attempt to educate all of the employees of the telephone company. /* Summing it up */ Overall, the telcos finally seem to have gotten wise to most of the scams run by today's hacker. Despite the fact that telcos are often the victims of hacking and phreaking (thank goodness), they are much less susceptible to infiltration through hacking, trashing, and social engin- eering than they once were. The moral of the story is, today's security measures are breeding a harder working hacker, one who must constantly watch his back and look before he leaps. /+++++++++++++++++++++++++++\ ++ ++ +++ Introduction To Radio +++ +++ Telecommunication +++ +++ Interception. +++ ++ ++ \+++++++++++++++++++++++++++/ [By *Sterling*] The purpose of this article is to explain how to use a scanner and radio receiver to eavesdrop on private calls from homes, offices, cars, ships, aircraft, and trains. I will discusses the best methods of monitoring, the equipment needed, and list the necessary frequencies. Why scan? --------- It is quite a simple, and in most cases LEGAL, to listen-in on cellular, cordless, ship/shore, air/ground, pagers, etc. The benefits of such monitoring, aside from entertainment, can be quite high to the discerning listener. Callers quite often route to their favorite LD carrier to place long distance calls. They call their voice mail systems, private company lines and diverters. If you are have a specific interest in an individual or company you may peek in on their "private" conversations, learn who they are calling and what they are up to. Apart from radio-telephone communication scanner hobbyists are entertained by whatever they overhear on their radios. Police cars, fire engines, ambulances, armored cars, trains, taxis, airplanes, and buses are all equipped with radios and you can listen in on them. You can monitor the local police and fire departments to hear about events before the news reporters screw them up. Hostage dramas, bank robberies, car crashes, chemical spills, tornado sightings are all there.You can hear a high speed police chase, Secret Service agents on a sting operation, and undercover FBI agents as they stake out a suspect. How about listening to a presidential candidate discuss strategy with his adviser from a 415 MHz radiophone in Air Force 1, or a team of G-men protect him while transmitting in the 167 MHz range? Listen to your neighbors deal drugs over their cordless telephone, or as their conversations are picked up and transmitted over the airwaves by their sensitive baby monitor intercom. It's all there in the 46 and 49 MHz ranges. What Equipment is needed? ------------------------- Scanners are available in two varieties: crystal controlled and programmable. The crystal controlled models are cheaper, but require the user purchase and install a $5 crystal for EACH frequency of interest. Programmable (synthesized) units don't require crystals and usually have a keypad that permits you to store frequencies into channels. Programmables are now so cheap it doesn't make sense to buy a crystal unit as your main scanner unless you get it for under $45 or so. You can get a battery operated hand held scanner, a bigger "base" scanner which is powered from an AC outlet, or a mobile scanner which connects to your auto's electrical system. Make sure your first scanner: 1. Has a "search" feature, which allows it to search all the frequencies between two frequency limits of your choosing. The lowest cost programmables can't search. 2. covers the 800 MHz band, which is where cellular-telephone is broadcast. 3. Has an AC-adaptor available, as scanners eat batteries. 4. Has an earphone jack as you may want to record your findings. If you're not sure whether you'll like scanning, don't want to spend much money, a 16 channel radio will do. In general, the more channels and banks, the better. Deluxe scanners can be controlled by a personal computer, although this feature isn't important to most scanner owners. Currently, the more popular scanners include the Uniden/Bearcat 760XLT (a/k/a 950XLT) and Radio Shack PRO-2022 and PRO-2006 base/mobiles, and the Uniden/Bearcat 200XLT (a/k/a 205XLT) and Radio Shack PRO-37 portables. All scanners come with a built in antenna, permitting reception up to about 20 miles or so. Outdoor antennas can extend reliable reception to 100 miles or more. A breakdown of exactly what there is to listen to out there: Cordless phones: ---------------- It seems like everyone has a cordless phone now days. Cordless phones are quite easy to monitor. Cordless phones are duplex, they transmit sound from the handset to the base, and the base transmits both callers voices back to the handset. Obviously this is the frequency you want to listen in on. Cordless phones are broken into ten channels. They are as follows: Channel Frequency (in MHz) ---------------------------- 1 46.610 2 46.630 3 46.670 4 46.710 5 46.730 6 46.770 7 46.830 8 46.870 9 46.930 10 46.970 Most cordless phones have the channel number stuck on the back of the handset, and some have multiple channels. The easiest thing to do is simply scan the whole list of ten. The main problem with cordless phones is the range. They are seldom able to broadcast further than a block or so away. If you want to monitor a users phone calls, the best method is to hook up a Voice-Actuated Cassette recorder to a handheld scanner, wrap the whole combo in a ziplock bag and lay it in their shrubs. Come back the next day and you have a complete record of all calls made and received on their cordless. With the use of a touch-tone decoder you can even determine who they have been calling! Cellular Telephone: ------------------- Cellular telephones are quite useful sources of information. Doctors, lawyers, the phone company and business officials all regularly use celluar phones. LD cellular calls can be quite expensive to say the least, so most users prefer to use Sprint, AT&T, etc. as their long distance carrier. Thus you can quite often hear them giving out their calling card number to the operator. Here is a method of determining which frequencies are used in a cellular system, and which ones are in what cells. If the system uses OMNICELLS, as most do, you can readily find all the channels in a cell if you know just one of them, using tables constructed with the instructions below. Cellular frequencies are assigned by channel number, and for all channel numbers, in both wireline and non-wireline systems, the formula is: Transmit Frequency = (channel number x .030 MHz) + 870 MHz Receive Frequency = (channel number x .030 Mhz) + 825 Mhz "Band A" (one of the two blocks) uses channels 1 - 333. To construct a table showing frequency by cells, use channel 333 as the top left corner of a table. The next entry to the right of channel 333 is 332, the next is 331, etc., down to channel 313. Enter channel 312 underneath 333, 311 under 332, etc. Each channel across the top row is the first channel in each CELL of the system; each channel DOWN from the column from the the first channel is the next frequency assigned to that cell. You may have noted that each channel down is 21 channels lower in number. Usually the data channel used is the highest numbered channel in a cell. "Band B" uses channels from 334 to 666. Construct your table in a similar way, with channel 334 in the upper left corner, 335 the next entry to the right. The data channel should be the lowest numbered channel in each cell this time. You want to tune-in on the non-data, RECEIVE channels. The transmit channel is a low power signal from the mobile source to the microwave tower, which rebroadcasts both caller's voices. The Data channel is used to send such things as the callers serial number, and connecting cell information, this information is not audible, though I hope to discuss this in depth with a later article. Scan from around 870 MHz to 894 MHz and note any signals you receive. Once you find a frequency listed in the following chart, you know that your area also uses all other channels in that cell for that particular band. Cellular Phone Band A (Channel 1 is Data) Cell # 1 -------------------------------------------------- Channel 1 (333) Tx 879.990 Rx 834.990 Channel 2 (312) Tx 879.360 Rx 834.360 Channel 3 (291) Tx 878.730 Rx 833.730 Channel 4 (270) Tx 878.100 Rx 833.100 Channel 5 (249) Tx 877.470 Rx 832.470 Channel 6 (228) Tx 876.840 Rx 831.840 Channel 7 (207) Tx 876.210 Rx 831.210 Channel 8 (186) Tx 875.580 Rx 830.580 Channel 9 (165) Tx 874.950 Rx 829.950 Channel 10 (144) Tx 874.320 Rx 829.320 Channel 11 (123) Tx 873.690 Rx 828.690 Channel 12 (102) Tx 873.060 Rx 828.060 Channel 13 (81) Tx 872.430 Rx 827.430 Channel 14 (60) Tx 871.800 Rx 826.800 Channel 15 (39) Tx 871.170 Rx 826.170 Channel 16 (18) Tx 870.540 Rx 825.540 Cell # 2 -------------------------------------------------- Channel 1 (332) Tx 879.960 Rx 834.960 Channel 2 (311) Tx 879.330 Rx 834.330 Channel 3 (290) Tx 878.700 Rx 833.700 Channel 4 (269) Tx 878.070 Rx 833.070 Channel 5 (248) Tx 877.440 Rx 832.440 Channel 6 (227) Tx 876.810 Rx 831.810 Channel 7 (206) Tx 876.180 Rx 831.180 Channel 8 (185) Tx 875.550 Rx 830.550 Channel 9 (164) Tx 874.920 Rx 829.920 Channel 10 (143) Tx 874.290 Rx 829.290 Channel 11 (122) Tx 873.660 Rx 828.660 Channel 12 (101) Tx 873.030 Rx 828.030 Channel 13 (80) Tx 872.400 Rx 827.400 Channel 14 (59) Tx 871.770 Rx 826.770 Channel 15 (38) Tx 871.140 Rx 826.140 Channel 16 (17) Tx 870.510 Rx 825.510 Cell # 3 -------------------------------------------------- Channel 1 (331) Tx 879.930 Rx 834.930 Channel 2 (310) Tx 879.300 Rx 834.300 Channel 3 (289) Tx 878.670 Rx 833.670 Channel 4 (268) Tx 878.040 Rx 833.040 Channel 5 (247) Tx 877.410 Rx 832.410 Channel 6 (226) Tx 876.780 Rx 831.780 Channel 7 (205) Tx 876.150 Rx 831.150 Channel 8 (184) Tx 875.520 Rx 830.520 Channel 9 (163) Tx 874.890 Rx 829.890 Channel 10 (142) Tx 874.260 Rx 829.260 Channel 11 (121) Tx 873.630 Rx 828.630 Channel 12 (100) Tx 873.000 Rx 828.000 Channel 13 (79) Tx 872.370 Rx 827.370 Channel 14 (58) Tx 871.740 Rx 826.740 Channel 15 (37) Tx 871.110 Rx 826.110 Channel 16 (16) Tx 870.480 Rx 825.480 Cell # 4 -------------------------------------------------- Channel 1 (330) Tx 879.900 Rx 834.900 Channel 2 (309) Tx 879.270 Rx 834.270 Channel 3 (288) Tx 878.640 Rx 833.640 Channel 4 (267) Tx 878.010 Rx 833.010 Channel 5 (246) Tx 877.380 Rx 832.380 Channel 6 (225) Tx 876.750 Rx 831.750 Channel 7 (204) Tx 876.120 Rx 831.120 Channel 8 (183) Tx 875.490 Rx 830.490 Channel 9 (162) Tx 874.860 Rx 829.860 Channel 10 (141) Tx 874.230 Rx 829.230 Channel 11 (120) Tx 873.600 Rx 828.600 Channel 12 (99) Tx 872.970 Rx 827.970 Channel 13 (78) Tx 872.340 Rx 827.340 Channel 14 (57) Tx 871.710 Rx 826.710 Channel 15 (36) Tx 871.080 Rx 826.080 Channel 16 (15) Tx 870.450 Rx 825.450 Cell # 5 -------------------------------------------------- Channel 1 (329) Tx 879.870 Rx 834.870 Channel 2 (308) Tx 879.240 Rx 834.240 Channel 3 (287) Tx 878.610 Rx 833.610 Channel 4 (266) Tx 877.980 Rx 832.980 Channel 5 (245) Tx 877.350 Rx 832.350 Channel 6 (224) Tx 876.720 Rx 831.720 Channel 7 (203) Tx 876.090 Rx 831.090 Channel 8 (182) Tx 875.460 Rx 830.460 Channel 9 (161) Tx 874.830 Rx 829.830 Channel 10 (140) Tx 874.200 Rx 829.200 Channel 11 (119) Tx 873.570 Rx 828.570 Channel 12 (98) Tx 872.940 Rx 827.940 Channel 13 (77) Tx 872.310 Rx 827.310 Channel 14 (56) Tx 871.680 Rx 826.680 Channel 15 (35) Tx 871.050 Rx 826.050 Channel 16 (14) Tx 870.420 Rx 825.420 Cell # 6 -------------------------------------------------- Channel 1 (328) Tx 879.840 Rx 834.840 Channel 2 (307) Tx 879.210 Rx 834.210 Channel 3 (286) Tx 878.580 Rx 833.580 Channel 4 (265) Tx 877.950 Rx 832.950 Channel 5 (244) Tx 877.320 Rx 832.320 Channel 6 (223) Tx 876.690 Rx 831.690 Channel 7 (202) Tx 876.060 Rx 831.060 Channel 8 (181) Tx 875.430 Rx 830.430 Channel 9 (160) Tx 874.800 Rx 829.800 Channel 10 (139) Tx 874.170 Rx 829.170 Channel 11 (118) Tx 873.540 Rx 828.540 Channel 12 (97) Tx 872.910 Rx 827.910 Channel 13 (76) Tx 872.280 Rx 827.280 Channel 14 (55) Tx 871.650 Rx 826.650 Channel 15 (34) Tx 871.020 Rx 826.020 Channel 16 (13) Tx 870.390 Rx 825.390 Cell # 7 -------------------------------------------------- Channel 1 (327) Tx 879.810 Rx 834.810 Channel 2 (306) Tx 879.180 Rx 834.180 Channel 3 (285) Tx 878.550 Rx 833.550 Channel 4 (264) Tx 877.920 Rx 832.920 Channel 5 (243) Tx 877.290 Rx 832.290 Channel 6 (222) Tx 876.660 Rx 831.660 Channel 7 (201) Tx 876.030 Rx 831.030 Channel 8 (180) Tx 875.400 Rx 830.400 Channel 9 (159) Tx 874.770 Rx 829.770 Channel 10 (138) Tx 874.140 Rx 829.140 Channel 11 (117) Tx 873.510 Rx 828.510 Channel 12 (96) Tx 872.880 Rx 827.880 Channel 13 (75) Tx 872.250 Rx 827.250 Channel 14 (54) Tx 871.620 Rx 826.620 Channel 15 (33) Tx 870.990 Rx 825.990 Channel 16 (12) Tx 870.360 Rx 825.360 Cell # 8 -------------------------------------------------- Channel 1 (326) Tx 879.780 Rx 834.780 Channel 2 (305) Tx 879.150 Rx 834.150 Channel 3 (284) Tx 878.520 Rx 833.520 Channel 4 (263) Tx 877.890 Rx 832.890 Channel 5 (242) Tx 877.260 Rx 832.260 Channel 6 (221) Tx 876.630 Rx 831.630 Channel 7 (200) Tx 876.000 Rx 831.000 Channel 8 (179) Tx 875.370 Rx 830.370 Channel 9 (158) Tx 874.740 Rx 829.740 Channel 10 (137) Tx 874.110 Rx 829.110 Channel 11 (116) Tx 873.480 Rx 828.480 Channel 12 (95) Tx 872.850 Rx 827.850 Channel 13 (74) Tx 872.220 Rx 827.220 Channel 14 (53) Tx 871.590 Rx 826.590 Channel 15 (32) Tx 870.960 Rx 825.960 Channel 16 (11) Tx 870.330 Rx 825.330 Cell # 9 -------------------------------------------------- Channel 1 (325) Tx 879.750 Rx 834.750 Channel 2 (304) Tx 879.120 Rx 834.120 Channel 3 (283) Tx 878.490 Rx 833.490 Channel 4 (262) Tx 877.860 Rx 832.860 Channel 5 (241) Tx 877.230 Rx 832.230 Channel 6 (220) Tx 876.600 Rx 831.600 Channel 7 (199) Tx 875.970 Rx 830.970 Channel 8 (178) Tx 875.340 Rx 830.340 Channel 9 (157) Tx 874.710 Rx 829.710 Channel 10 (136) Tx 874.080 Rx 829.080 Channel 11 (115) Tx 873.450 Rx 828.450 Channel 12 (94) Tx 872.820 Rx 827.820 Channel 13 (73) Tx 872.190 Rx 827.190 Channel 14 (52) Tx 871.560 Rx 826.560 Channel 15 (31) Tx 870.930 Rx 825.930 Channel 16 (10) Tx 870.300 Rx 825.300 Cell # 10 -------------------------------------------------- Channel 1 (324) Tx 879.720 Rx 834.720 Channel 2 (303) Tx 879.090 Rx 834.090 Channel 3 (282) Tx 878.460 Rx 833.460 Channel 4 (261) Tx 877.830 Rx 832.830 Channel 5 (240) Tx 877.200 Rx 832.200 Channel 6 (219) Tx 876.570 Rx 831.570 Channel 7 (198) Tx 875.940 Rx 830.940 Channel 8 (177) Tx 875.310 Rx 830.310 Channel 9 (156) Tx 874.680 Rx 829.680 Channel 10 (135) Tx 874.050 Rx 829.050 Channel 11 (114) Tx 873.420 Rx 828.420 Channel 12 (93) Tx 872.790 Rx 827.790 Channel 13 (72) Tx 872.160 Rx 827.160 Channel 14 (51) Tx 871.530 Rx 826.530 Channel 15 (30) Tx 870.900 Rx 825.900 Channel 16 (9) Tx 870.270 Rx 825.270 Cell # 11 -------------------------------------------------- Channel 1 (323) Tx 879.690 Rx 834.690 Channel 2 (302) Tx 879.060 Rx 834.060 Channel 3 (281) Tx 878.430 Rx 833.430 Channel 4 (260) Tx 877.800 Rx 832.800 Channel 5 (239) Tx 877.170 Rx 832.170 Channel 6 (218) Tx 876.540 Rx 831.540 Channel 7 (197) Tx 875.910 Rx 830.910 Channel 8 (176) Tx 875.280 Rx 830.280 Channel 9 (155) Tx 874.650 Rx 829.650 Channel 10 (134) Tx 874.020 Rx 829.020 Channel 11 (113) Tx 873.390 Rx 828.390 Channel 12 (92) Tx 872.760 Rx 827.760 Channel 13 (71) Tx 872.130 Rx 827.130 Channel 14 (50) Tx 871.500 Rx 826.500 Channel 15 (29) Tx 870.870 Rx 825.870 Channel 16 (8) Tx 870.240 Rx 825.240 Cell # 12 -------------------------------------------------- Channel 1 (322) Tx 879.660 Rx 834.660 Channel 2 (301) Tx 879.030 Rx 834.030 Channel 3 (280) Tx 878.400 Rx 833.400 Channel 4 (259) Tx 877.770 Rx 832.770 Channel 5 (238) Tx 877.140 Rx 832.140 Channel 6 (217) Tx 876.510 Rx 831.510 Channel 7 (196) Tx 875.880 Rx 830.880 Channel 8 (175) Tx 875.250 Rx 830.250 Channel 9 (154) Tx 874.620 Rx 829.620 Channel 10 (133) Tx 873.990 Rx 828.990 Channel 11 (112) Tx 873.360 Rx 828.360 Channel 12 (91) Tx 872.730 Rx 827.730 Channel 13 (70) Tx 872.100 Rx 827.100 Channel 14 (49) Tx 871.470 Rx 826.470 Channel 15 (28) Tx 870.840 Rx 825.840 Channel 16 (7) Tx 870.210 Rx 825.210 Cell # 13 -------------------------------------------------- Channel 1 (321) Tx 879.630 Rx 834.630 Channel 2 (300) Tx 879.000 Rx 834.000 Channel 3 (279) Tx 878.370 Rx 833.370 Channel 4 (258) Tx 877.740 Rx 832.740 Channel 5 (237) Tx 877.110 Rx 832.110 Channel 6 (216) Tx 876.480 Rx 831.480 Channel 7 (195) Tx 875.850 Rx 830.850 Channel 8 (174) Tx 875.220 Rx 830.220 Channel 9 (153) Tx 874.590 Rx 829.590 Channel 10 (132) Tx 873.960 Rx 828.960 Channel 11 (111) Tx 873.330 Rx 828.330 Channel 12 (90) Tx 872.700 Rx 827.700 Channel 13 (69) Tx 872.070 Rx 827.070 Channel 14 (48) Tx 871.440 Rx 826.440 Channel 15 (27) Tx 870.810 Rx 825.810 Channel 16 (6) Tx 870.180 Rx 825.180 Cell # 14 -------------------------------------------------- Channel 1 (320) Tx 879.600 Rx 834.600 Channel 2 (299) Tx 878.970 Rx 833.970 Channel 3 (278) Tx 878.340 Rx 833.340 Channel 4 (257) Tx 877.710 Rx 832.710 Channel 5 (236) Tx 877.080 Rx 832.080 Channel 6 (215) Tx 876.450 Rx 831.450 Channel 7 (194) Tx 875.820 Rx 830.820 Channel 8 (173) Tx 875.190 Rx 830.190 Channel 9 (152) Tx 874.560 Rx 829.560 Channel 10 (131) Tx 873.930 Rx 828.930 Channel 11 (110) Tx 873.300 Rx 828.300 Channel 12 (89) Tx 872.670 Rx 827.670 Channel 13 (68) Tx 872.040 Rx 827.040 Channel 14 (47) Tx 871.410 Rx 826.410 Channel 15 (26) Tx 870.780 Rx 825.780 Channel 16 (5) Tx 870.150 Rx 825.150 Cell # 15 -------------------------------------------------- Channel 1 (319) Tx 879.570 Rx 834.570 Channel 2 (298) Tx 878.940 Rx 833.940 Channel 3 (277) Tx 878.310 Rx 833.310 Channel 4 (256) Tx 877.680 Rx 832.680 Channel 5 (235) Tx 877.050 Rx 832.050 Channel 6 (214) Tx 876.420 Rx 831.420 Channel 7 (193) Tx 875.790 Rx 830.790 Channel 8 (172) Tx 875.160 Rx 830.160 Channel 9 (151) Tx 874.530 Rx 829.530 Channel 10 (130) Tx 873.900 Rx 828.900 Channel 11 (109) Tx 873.270 Rx 828.270 Channel 12 (88) Tx 872.640 Rx 827.640 Channel 13 (67) Tx 872.010 Rx 827.010 Channel 14 (46) Tx 871.380 Rx 826.380 Channel 15 (25) Tx 870.750 Rx 825.750 Channel 16 (4) Tx 870.120 Rx 825.120 Cell # 16 -------------------------------------------------- Channel 1 (318) Tx 879.540 Rx 834.540 Channel 2 (297) Tx 878.910 Rx 833.910 Channel 3 (276) Tx 878.280 Rx 833.280 Channel 4 (255) Tx 877.650 Rx 832.650 Channel 5 (234) Tx 877.020 Rx 832.020 Channel 6 (213) Tx 876.390 Rx 831.390 Channel 7 (192) Tx 875.760 Rx 830.760 Channel 8 (171) Tx 875.130 Rx 830.130 Channel 9 (150) Tx 874.500 Rx 829.500 Channel 10 (129) Tx 873.870 Rx 828.870 Channel 11 (108) Tx 873.240 Rx 828.240 Channel 12 (87) Tx 872.610 Rx 827.610 Channel 13 (66) Tx 871.980 Rx 826.980 Channel 14 (45) Tx 871.350 Rx 826.350 Channel 15 (24) Tx 870.720 Rx 825.720 Channel 16 (3) Tx 870.090 Rx 825.090 Cell # 17 -------------------------------------------------- Channel 1 (317) Tx 879.510 Rx 834.510 Channel 2 (296) Tx 878.880 Rx 833.880 Channel 3 (275) Tx 878.250 Rx 833.250 Channel 4 (254) Tx 877.620 Rx 832.620 Channel 5 (233) Tx 876.990 Rx 831.990 Channel 6 (212) Tx 876.360 Rx 831.360 Channel 7 (191) Tx 875.730 Rx 830.730 Channel 8 (170) Tx 875.100 Rx 830.100 Channel 9 (149) Tx 874.470 Rx 829.470 Channel 10 (128) Tx 873.840 Rx 828.840 Channel 11 (107) Tx 873.210 Rx 828.210 Channel 12 (86) Tx 872.580 Rx 827.580 Channel 13 (65) Tx 871.950 Rx 826.950 Channel 14 (44) Tx 871.320 Rx 826.320 Channel 15 (23) Tx 870.690 Rx 825.690 Channel 16 (2) Tx 870.060 Rx 825.060 Cell # 18 -------------------------------------------------- Channel 1 (316) Tx 879.480 Rx 834.480 Channel 2 (295) Tx 878.850 Rx 833.850 Channel 3 (274) Tx 878.220 Rx 833.220 Channel 4 (253) Tx 877.590 Rx 832.590 Channel 5 (232) Tx 876.960 Rx 831.960 Channel 6 (211) Tx 876.330 Rx 831.330 Channel 7 (190) Tx 875.700 Rx 830.700 Channel 8 (169) Tx 875.070 Rx 830.070 Channel 9 (148) Tx 874.440 Rx 829.440 Channel 10 (127) Tx 873.810 Rx 828.810 Channel 11 (106) Tx 873.180 Rx 828.180 Channel 12 (85) Tx 872.550 Rx 827.550 Channel 13 (64) Tx 871.920 Rx 826.920 Channel 14 (43) Tx 871.290 Rx 826.290 Channel 15 (22) Tx 870.660 Rx 825.660 Channel 16 (1) Tx 870.030 Rx 825.030 Cell # 19 -------------------------------------------------- Channel 1 (315) Tx 879.450 Rx 834.450 Channel 2 (294) Tx 878.820 Rx 833.820 Channel 3 (273) Tx 878.190 Rx 833.190 Channel 4 (252) Tx 877.560 Rx 832.560 Channel 5 (231) Tx 876.930 Rx 831.930 Channel 6 (210) Tx 876.300 Rx 831.300 Channel 7 (189) Tx 875.670 Rx 830.670 Channel 8 (168) Tx 875.040 Rx 830.040 Channel 9 (147) Tx 874.410 Rx 829.410 Channel 10 (126) Tx 873.780 Rx 828.780 Channel 11 (105) Tx 873.150 Rx 828.150 Channel 12 (84) Tx 872.520 Rx 827.520 Channel 13 (63) Tx 871.890 Rx 826.890 Channel 14 (42) Tx 871.260 Rx 826.260 Channel 15 (21) Tx 870.630 Rx 825.630 Cell # 20 -------------------------------------------------- Channel 1 (314) Tx 879.420 Rx 834.420 Channel 2 (293) Tx 878.790 Rx 833.790 Channel 3 (272) Tx 878.160 Rx 833.160 Channel 4 (251) Tx 877.530 Rx 832.530 Channel 5 (230) Tx 876.900 Rx 831.900 Channel 6 (209) Tx 876.270 Rx 831.270 Channel 7 (188) Tx 875.640 Rx 830.640 Channel 8 (167) Tx 875.010 Rx 830.010 Channel 9 (146) Tx 874.380 Rx 829.380 Channel 10 (125) Tx 873.750 Rx 828.750 Channel 11 (104) Tx 873.120 Rx 828.120 Channel 12 (83) Tx 872.490 Rx 827.490 Channel 13 (62) Tx 871.860 Rx 826.860 Channel 14 (41) Tx 871.230 Rx 826.230 Channel 15 (20) Tx 870.600 Rx 825.600 Cell # 21 -------------------------------------------------- Channel 1 (313) Tx 879.390 Rx 834.390 Channel 2 (292) Tx 878.760 Rx 833.760 Channel 3 (271) Tx 878.130 Rx 833.130 Channel 4 (250) Tx 877.500 Rx 832.500 Channel 5 (229) Tx 876.870 Rx 831.870 Channel 6 (208) Tx 876.240 Rx 831.240 Channel 7 (187) Tx 875.610 Rx 830.610 Channel 8 (166) Tx 874.980 Rx 829.980 Channel 9 (145) Tx 874.350 Rx 829.350 Channel 10 (124) Tx 873.720 Rx 828.720 Channel 11 (103) Tx 873.090 Rx 828.090 Channel 12 (82) Tx 872.460 Rx 827.460 Channel 13 (61) Tx 871.830 Rx 826.830 Channel 14 (40) Tx 871.200 Rx 826.200 Channel 15 (19) Tx 870.570 Rx 825.570 ************************************************** Cellular Phone Band B (Channel 1 is Data) Cell # 1 -------------------------------------------------- Channel 1 (334) Tx 880.020 Rx 835.020 Channel 2 (355) Tx 880.650 Rx 835.650 Channel 3 (376) Tx 881.280 Rx 836.280 Channel 4 (397) Tx 881.910 Rx 836.910 Channel 5 (418) Tx 882.540 Rx 837.540 Channel 6 (439) Tx 883.170 Rx 838.170 Channel 7 (460) Tx 883.800 Rx 838.800 Channel 8 (481) Tx 884.430 Rx 839.430 Channel 9 (502) Tx 885.060 Rx 840.060 Channel 10 (523) Tx 885.690 Rx 840.690 Channel 11 (544) Tx 886.320 Rx 841.320 Channel 12 (565) Tx 886.950 Rx 841.950 Channel 13 (586) Tx 887.580 Rx 842.580 Channel 14 (607) Tx 888.210 Rx 843.210 Channel 15 (628) Tx 888.840 Rx 843.840 Channel 16 (649) Tx 889.470 Rx 844.470 Cell # 2 -------------------------------------------------- Channel 1 (335) Tx 880.050 Rx 835.050 Channel 2 (356) Tx 880.680 Rx 835.680 Channel 3 (377) Tx 881.310 Rx 836.310 Channel 4 (398) Tx 881.940 Rx 836.940 Channel 5 (419) Tx 882.570 Rx 837.570 Channel 6 (440) Tx 883.200 Rx 838.200 Channel 7 (461) Tx 883.830 Rx 838.830 Channel 8 (482) Tx 884.460 Rx 839.460 Channel 9 (503) Tx 885.090 Rx 840.090 Channel 10 (524) Tx 885.720 Rx 840.720 Channel 11 (545) Tx 886.350 Rx 841.350 Channel 12 (566) Tx 886.980 Rx 841.980 Channel 13 (587) Tx 887.610 Rx 842.610 Channel 14 (608) Tx 888.240 Rx 843.240 Channel 15 (629) Tx 888.870 Rx 843.870 Channel 16 (650) Tx 889.500 Rx 844.500 Cell # 3 -------------------------------------------------- Channel 1 (336) Tx 880.080 Rx 835.080 Channel 2 (357) Tx 880.710 Rx 835.710 Channel 3 (378) Tx 881.340 Rx 836.340 Channel 4 (399) Tx 881.970 Rx 836.970 Channel 5 (420) Tx 882.600 Rx 837.600 Channel 6 (441) Tx 883.230 Rx 838.230 Channel 7 (462) Tx 883.860 Rx 838.860 Channel 8 (483) Tx 884.490 Rx 839.490 Channel 9 (504) Tx 885.120 Rx 840.120 Channel 10 (525) Tx 885.750 Rx 840.750 Channel 11 (546) Tx 886.380 Rx 841.380 Channel 12 (567) Tx 887.010 Rx 842.010 Channel 13 (588) Tx 887.640 Rx 842.640 Channel 14 (609) Tx 888.270 Rx 843.270 Channel 15 (630) Tx 888.900 Rx 843.900 Channel 16 (651) Tx 889.530 Rx 844.530 Cell # 4 -------------------------------------------------- Channel 1 (337) Tx 880.110 Rx 835.110 Channel 2 (358) Tx 880.740 Rx 835.740 Channel 3 (379) Tx 881.370 Rx 836.370 Channel 4 (400) Tx 882.000 Rx 837.000 Channel 5 (421) Tx 882.630 Rx 837.630 Channel 6 (442) Tx 883.260 Rx 838.260 Channel 7 (463) Tx 883.890 Rx 838.890 Channel 8 (484) Tx 884.520 Rx 839.520 Channel 9 (505) Tx 885.150 Rx 840.150 Channel 10 (526) Tx 885.780 Rx 840.780 Channel 11 (547) Tx 886.410 Rx 841.410 Channel 12 (568) Tx 887.040 Rx 842.040 Channel 13 (589) Tx 887.670 Rx 842.670 Channel 14 (610) Tx 888.300 Rx 843.300 Channel 15 (631) Tx 888.930 Rx 843.930 Channel 16 (652) Tx 889.560 Rx 844.560 Cell # 5 -------------------------------------------------- Channel 1 (338) Tx 880.140 Rx 835.140 Channel 2 (359) Tx 880.770 Rx 835.770 Channel 3 (380) Tx 881.400 Rx 836.400 Channel 4 (401) Tx 882.030 Rx 837.030 Channel 5 (422) Tx 882.660 Rx 837.660 Channel 6 (443) Tx 883.290 Rx 838.290 Channel 7 (464) Tx 883.920 Rx 838.920 Channel 8 (485) Tx 884.550 Rx 839.550 Channel 9 (506) Tx 885.180 Rx 840.180 Channel 10 (527) Tx 885.810 Rx 840.810 Channel 11 (548) Tx 886.440 Rx 841.440 Channel 12 (569) Tx 887.070 Rx 842.070 Channel 13 (590) Tx 887.700 Rx 842.700 Channel 14 (611) Tx 888.330 Rx 843.330 Channel 15 (632) Tx 888.960 Rx 843.960 Channel 16 (653) Tx 889.590 Rx 844.590 Cell # 6 -------------------------------------------------- Channel 1 (339) Tx 880.170 Rx 835.170 Channel 2 (360) Tx 880.800 Rx 835.800 Channel 3 (381) Tx 881.430 Rx 836.430 Channel 4 (402) Tx 882.060 Rx 837.060 Channel 5 (423) Tx 882.690 Rx 837.690 Channel 6 (444) Tx 883.320 Rx 838.320 Channel 7 (465) Tx 883.950 Rx 838.950 Channel 8 (486) Tx 884.580 Rx 839.580 Channel 9 (507) Tx 885.210 Rx 840.210 Channel 10 (528) Tx 885.840 Rx 840.840 Channel 11 (549) Tx 886.470 Rx 841.470 Channel 12 (570) Tx 887.100 Rx 842.100 Channel 13 (591) Tx 887.730 Rx 842.730 Channel 14 (612) Tx 888.360 Rx 843.360 Channel 15 (633) Tx 888.990 Rx 843.990 Channel 16 (654) Tx 889.620 Rx 844.620 Cell # 7 -------------------------------------------------- Channel 1 (340) Tx 880.200 Rx 835.200 Channel 2 (361) Tx 880.830 Rx 835.830 Channel 3 (382) Tx 881.460 Rx 836.460 Channel 4 (403) Tx 882.090 Rx 837.090 Channel 5 (424) Tx 882.720 Rx 837.720 Channel 6 (445) Tx 883.350 Rx 838.350 Channel 7 (466) Tx 883.980 Rx 838.980 Channel 8 (487) Tx 884.610 Rx 839.610 Channel 9 (508) Tx 885.240 Rx 840.240 Channel 10 (529) Tx 885.870 Rx 840.870 Channel 11 (550) Tx 886.500 Rx 841.500 Channel 12 (571) Tx 887.130 Rx 842.130 Channel 13 (592) Tx 887.760 Rx 842.760 Channel 14 (613) Tx 888.390 Rx 843.390 Channel 15 (634) Tx 889.020 Rx 844.020 Channel 16 (655) Tx 889.650 Rx 844.650 Cell # 8 -------------------------------------------------- Channel 1 (341) Tx 880.230 Rx 835.230 Channel 2 (362) Tx 880.860 Rx 835.860 Channel 3 (383) Tx 881.490 Rx 836.490 Channel 4 (404) Tx 882.120 Rx 837.120 Channel 5 (425) Tx 882.750 Rx 837.750 Channel 6 (446) Tx 883.380 Rx 838.380 Channel 7 (467) Tx 884.010 Rx 839.010 Channel 8 (488) Tx 884.640 Rx 839.640 Channel 9 (509) Tx 885.270 Rx 840.270 Channel 10 (530) Tx 885.900 Rx 840.900 Channel 11 (551) Tx 886.530 Rx 841.530 Channel 12 (572) Tx 887.160 Rx 842.160 Channel 13 (593) Tx 887.790 Rx 842.790 Channel 14 (614) Tx 888.420 Rx 843.420 Channel 15 (635) Tx 889.050 Rx 844.050 Channel 16 (656) Tx 889.680 Rx 844.680 Cell # 9 -------------------------------------------------- Channel 1 (342) Tx 880.260 Rx 835.260 Channel 2 (363) Tx 880.890 Rx 835.890 Channel 3 (384) Tx 881.520 Rx 836.520 Channel 4 (405) Tx 882.150 Rx 837.150 Channel 5 (426) Tx 882.780 Rx 837.780 Channel 6 (447) Tx 883.410 Rx 838.410 Channel 7 (468) Tx 884.040 Rx 839.040 Channel 8 (489) Tx 884.670 Rx 839.670 Channel 9 (510) Tx 885.300 Rx 840.300 Channel 10 (531) Tx 885.930 Rx 840.930 Channel 11 (552) Tx 886.560 Rx 841.560 Channel 12 (573) Tx 887.190 Rx 842.190 Channel 13 (594) Tx 887.820 Rx 842.820 Channel 14 (615) Tx 888.450 Rx 843.450 Channel 15 (636) Tx 889.080 Rx 844.080 Channel 16 (657) Tx 889.710 Rx 844.710 Cell # 10 -------------------------------------------------- Channel 1 (343) Tx 880.290 Rx 835.290 Channel 2 (364) Tx 880.920 Rx 835.920 Channel 3 (385) Tx 881.550 Rx 836.550 Channel 4 (406) Tx 882.180 Rx 837.180 Channel 5 (427) Tx 882.810 Rx 837.810 Channel 6 (448) Tx 883.440 Rx 838.440 Channel 7 (469) Tx 884.070 Rx 839.070 Channel 8 (490) Tx 884.700 Rx 839.700 Channel 9 (511) Tx 885.330 Rx 840.330 Channel 10 (532) Tx 885.960 Rx 840.960 Channel 11 (553) Tx 886.590 Rx 841.590 Channel 12 (574) Tx 887.220 Rx 842.220 Channel 13 (595) Tx 887.850 Rx 842.850 Channel 14 (616) Tx 888.480 Rx 843.480 Channel 15 (637) Tx 889.110 Rx 844.110 Channel 16 (658) Tx 889.740 Rx 844.740 Cell # 11 -------------------------------------------------- Channel 1 (344) Tx 880.320 Rx 835.320 Channel 2 (365) Tx 880.950 Rx 835.950 Channel 3 (386) Tx 881.580 Rx 836.580 Channel 4 (407) Tx 882.210 Rx 837.210 Channel 5 (428) Tx 882.840 Rx 837.840 Channel 6 (449) Tx 883.470 Rx 838.470 Channel 7 (470) Tx 884.100 Rx 839.100 Channel 8 (491) Tx 884.730 Rx 839.730 Channel 9 (512) Tx 885.360 Rx 840.360 Channel 10 (533) Tx 885.990 Rx 840.990 Channel 11 (554) Tx 886.620 Rx 841.620 Channel 12 (575) Tx 887.250 Rx 842.250 Channel 13 (596) Tx 887.880 Rx 842.880 Channel 14 (617) Tx 888.510 Rx 843.510 Channel 15 (638) Tx 889.140 Rx 844.140 Channel 16 (659) Tx 889.770 Rx 844.770 Cell # 12 -------------------------------------------------- Channel 1 (345) Tx 880.350 Rx 835.350 Channel 2 (366) Tx 880.980 Rx 835.980 Channel 3 (387) Tx 881.610 Rx 836.610 Channel 4 (408) Tx 882.240 Rx 837.240 Channel 5 (429) Tx 882.870 Rx 837.870 Channel 6 (450) Tx 883.500 Rx 838.500 Channel 7 (471) Tx 884.130 Rx 839.130 Channel 8 (492) Tx 884.760 Rx 839.760 Channel 9 (513) Tx 885.390 Rx 840.390 Channel 10 (534) Tx 886.020 Rx 841.020 Channel 11 (555) Tx 886.650 Rx 841.650 Channel 12 (576) Tx 887.280 Rx 842.280 Channel 13 (597) Tx 887.910 Rx 842.910 Channel 14 (618) Tx 888.540 Rx 843.540 Channel 15 (639) Tx 889.170 Rx 844.170 Channel 16 (660) Tx 889.800 Rx 844.800 Cell # 13 -------------------------------------------------- Channel 1 (346) Tx 880.380 Rx 835.380 Channel 2 (367) Tx 881.010 Rx 836.010 Channel 3 (388) Tx 881.640 Rx 836.640 Channel 4 (409) Tx 882.270 Rx 837.270 Channel 5 (430) Tx 882.900 Rx 837.900 Channel 6 (451) Tx 883.530 Rx 838.530 Channel 7 (472) Tx 884.160 Rx 839.160 Channel 8 (493) Tx 884.790 Rx 839.790 Channel 9 (514) Tx 885.420 Rx 840.420 Channel 10 (535) Tx 886.050 Rx 841.050 Channel 11 (556) Tx 886.680 Rx 841.680 Channel 12 (577) Tx 887.310 Rx 842.310 Channel 13 (598) Tx 887.940 Rx 842.940 Channel 14 (619) Tx 888.570 Rx 843.570 Channel 15 (640) Tx 889.200 Rx 844.200 Channel 16 (661) Tx 889.830 Rx 844.830 Cell # 14 -------------------------------------------------- Channel 1 (347) Tx 880.410 Rx 835.410 Channel 2 (368) Tx 881.040 Rx 836.040 Channel 3 (389) Tx 881.670 Rx 836.670 Channel 4 (410) Tx 882.300 Rx 837.300 Channel 5 (431) Tx 882.930 Rx 837.930 Channel 6 (452) Tx 883.560 Rx 838.560 Channel 7 (473) Tx 884.190 Rx 839.190 Channel 8 (494) Tx 884.820 Rx 839.820 Channel 9 (515) Tx 885.450 Rx 840.450 Channel 10 (536) Tx 886.080 Rx 841.080 Channel 11 (557) Tx 886.710 Rx 841.710 Channel 12 (578) Tx 887.340 Rx 842.340 Channel 13 (599) Tx 887.970 Rx 842.970 Channel 14 (620) Tx 888.600 Rx 843.600 Channel 15 (641) Tx 889.230 Rx 844.230 Channel 16 (662) Tx 889.860 Rx 844.860 Cell # 15 -------------------------------------------------- Channel 1 (348) Tx 880.440 Rx 835.440 Channel 2 (369) Tx 881.070 Rx 836.070 Channel 3 (390) Tx 881.700 Rx 836.700 Channel 4 (411) Tx 882.330 Rx 837.330 Channel 5 (432) Tx 882.960 Rx 837.960 Channel 6 (453) Tx 883.590 Rx 838.590 Channel 7 (474) Tx 884.220 Rx 839.220 Channel 8 (495) Tx 884.850 Rx 839.850 Channel 9 (516) Tx 885.480 Rx 840.480 Channel 10 (537) Tx 886.110 Rx 841.110 Channel 11 (558) Tx 886.740 Rx 841.740 Channel 12 (579) Tx 887.370 Rx 842.370 Channel 13 (600) Tx 888.000 Rx 843.000 Channel 14 (621) Tx 888.630 Rx 843.630 Channel 15 (642) Tx 889.260 Rx 844.260 Channel 16 (663) Tx 889.890 Rx 844.890 Cell # 16 -------------------------------------------------- Channel 1 (349) Tx 880.470 Rx 835.470 Channel 2 (370) Tx 881.100 Rx 836.100 Channel 3 (391) Tx 881.730 Rx 836.730 Channel 4 (412) Tx 882.360 Rx 837.360 Channel 5 (433) Tx 882.990 Rx 837.990 Channel 6 (454) Tx 883.620 Rx 838.620 Channel 7 (475) Tx 884.250 Rx 839.250 Channel 8 (496) Tx 884.880 Rx 839.880 Channel 9 (517) Tx 885.510 Rx 840.510 Channel 10 (538) Tx 886.140 Rx 841.140 Channel 11 (559) Tx 886.770 Rx 841.770 Channel 12 (580) Tx 887.400 Rx 842.400 Channel 13 (601) Tx 888.030 Rx 843.030 Channel 14 (622) Tx 888.660 Rx 843.660 Channel 15 (643) Tx 889.290 Rx 844.290 Channel 16 (664) Tx 889.920 Rx 844.920 Cell # 17 -------------------------------------------------- Channel 1 (350) Tx 880.500 Rx 835.500 Channel 2 (371) Tx 881.130 Rx 836.130 Channel 3 (392) Tx 881.760 Rx 836.760 Channel 4 (413) Tx 882.390 Rx 837.390 Channel 5 (434) Tx 883.020 Rx 838.020 Channel 6 (455) Tx 883.650 Rx 838.650 Channel 7 (476) Tx 884.280 Rx 839.280 Channel 8 (497) Tx 884.910 Rx 839.910 Channel 9 (518) Tx 885.540 Rx 840.540 Channel 10 (539) Tx 886.170 Rx 841.170 Channel 11 (560) Tx 886.800 Rx 841.800 Channel 12 (581) Tx 887.430 Rx 842.430 Channel 13 (602) Tx 888.060 Rx 843.060 Channel 14 (623) Tx 888.690 Rx 843.690 Channel 15 (644) Tx 889.320 Rx 844.320 Channel 16 (665) Tx 889.950 Rx 844.950 Cell # 18 -------------------------------------------------- Channel 1 (351) Tx 880.530 Rx 835.530 Channel 2 (372) Tx 881.160 Rx 836.160 Channel 3 (393) Tx 881.790 Rx 836.790 Channel 4 (414) Tx 882.420 Rx 837.420 Channel 5 (435) Tx 883.050 Rx 838.050 Channel 6 (456) Tx 883.680 Rx 838.680 Channel 7 (477) Tx 884.310 Rx 839.310 Channel 8 (498) Tx 884.940 Rx 839.940 Channel 9 (519) Tx 885.570 Rx 840.570 Channel 10 (540) Tx 886.200 Rx 841.200 Channel 11 (561) Tx 886.830 Rx 841.830 Channel 12 (582) Tx 887.460 Rx 842.460 Channel 13 (603) Tx 888.090 Rx 843.090 Channel 14 (624) Tx 888.720 Rx 843.720 Channel 15 (645) Tx 889.350 Rx 844.350 Channel 16 (666) Tx 889.980 Rx 844.980 Cell # 19 -------------------------------------------------- Channel 1 (352) Tx 880.560 Rx 835.560 Channel 2 (373) Tx 881.190 Rx 836.190 Channel 3 (394) Tx 881.820 Rx 836.820 Channel 4 (415) Tx 882.450 Rx 837.450 Channel 5 (436) Tx 883.080 Rx 838.080 Channel 6 (457) Tx 883.710 Rx 838.710 Channel 7 (478) Tx 884.340 Rx 839.340 Channel 8 (499) Tx 884.970 Rx 839.970 Channel 9 (520) Tx 885.600 Rx 840.600 Channel 10 (541) Tx 886.230 Rx 841.230 Channel 11 (562) Tx 886.860 Rx 841.860 Channel 12 (583) Tx 887.490 Rx 842.490 Channel 13 (604) Tx 888.120 Rx 843.120 Channel 14 (625) Tx 888.750 Rx 843.750 Channel 15 (646) Tx 889.380 Rx 844.380 Cell # 20 -------------------------------------------------- Channel 1 (353) Tx 880.590 Rx 835.590 Channel 2 (374) Tx 881.220 Rx 836.220 Channel 3 (395) Tx 881.850 Rx 836.850 Channel 4 (416) Tx 882.480 Rx 837.480 Channel 5 (437) Tx 883.110 Rx 838.110 Channel 6 (458) Tx 883.740 Rx 838.740 Channel 7 (479) Tx 884.370 Rx 839.370 Channel 8 (500) Tx 885.000 Rx 840.000 Channel 9 (521) Tx 885.630 Rx 840.630 Channel 10 (542) Tx 886.260 Rx 841.260 Channel 11 (563) Tx 886.890 Rx 841.890 Channel 12 (584) Tx 887.520 Rx 842.520 Channel 13 (605) Tx 888.150 Rx 843.150 Channel 14 (626) Tx 888.780 Rx 843.780 Channel 15 (647) Tx 889.410 Rx 844.410 Cell # 21 -------------------------------------------------- Channel 1 (354) Tx 880.620 Rx 835.620 Channel 2 (375) Tx 881.250 Rx 836.250 Channel 3 (396) Tx 881.880 Rx 836.880 Channel 4 (417) Tx 882.510 Rx 837.510 Channel 5 (438) Tx 883.140 Rx 838.140 Channel 6 (459) Tx 883.770 Rx 838.770 Channel 7 (480) Tx 884.400 Rx 839.400 Channel 8 (501) Tx 885.030 Rx 840.030 Channel 9 (522) Tx 885.660 Rx 840.660 Channel 10 (543) Tx 886.290 Rx 841.290 Channel 11 (564) Tx 886.920 Rx 841.920 Channel 12 (585) Tx 887.550 Rx 842.550 Channel 13 (606) Tx 888.180 Rx 843.180 Channel 14 (627) Tx 888.810 Rx 843.810 Channel 15 (648) Tx 889.440 Rx 844.440 Restoring cellular reception. Some scanners have been blocked from receiving the cellular band. This can be corrected. It started out with the Realistic PRO-2004 and the PRO-34, and went to the PRO-2005. To restore cellular for the 2004, open the radio and turn it upside down. Carefully remove the cover. Clip one leg of D-513 to restore cellular frequencies. For the PRO-2005, the procedure is the same, except you clip one leg of D-502 to restore cellular reception. On the PRO-34 and PRO-37, Cut D11 to add 824-851 and 869-896 MHz bands with 30 kHz spacing All these are described in great detail in the "Scanner Modification Handbook" volumes I. and II. by Bill Cheek, both available from Communications Electronics Inc. (313) 996-8888. They run about $18 apiece. Pagers: ------- Pocket pagers and the like operate in the area of 150-160 MHz. Phone-Patches: -------------- A phone patch is a way to use a telephone via two-way radio. Basically how it works is the patch is connected to a repeater and a phone. The patch will interpret signals from a transceiver to activate itself and call out to the desired party. This then allows the person with the transceiver to call anyone from his handheld radio unit. Phone-Patches are usually located on most bands, as they are simply an attachment to the repeater. Police, Fire, Ambulance and the like: ------------------------------------- The easiest way to find these frequencies is to go to Radio Shack and buy their listing, it runs around $8, and is set up for groups of neighboring states. Hell, photocopy the pages you want and then return it! But generally these are located in 450-460 MHz. Typical Band Usage: ------------------- The FCC dictates who uses what bands for radio broadcast. Following is a breakdown of the general distribution of FCC licensing. These are by NO means set in stone, there are always exceptions. Abbreviations: BA Remote Broadcast (Radio & TV) CA General Mobile (Radio) CAP Civil Air Patrol IB Business IF Forest Products IM Motion Picture Industry IP Petroleum Industry IS Special Industry (Construction, farming, etc.) IT Telephone Maintenance IW Power and Water Utilities IX Manufacturers IY Relay Press (Newspaper Reporters) LA Automotive Emergency ( Tow Trucks) LJ Motor Carriers, Trucks LR Railroad LU Motor Carrier, Buses LX Taxi MC Maritime Limited Coast (private stations) MG Maritime Government (Coast Guard) MP Maritime Public Coast (marine telephone) MS Maritime Shipboard PF Fire PH Highway Maintenance PL Local Government PM Medical Services PO Forestry Conservation PP Police PS Special Emergency RA Mobile Telephone (aircraft) RC Mobile Telephone (radio common carrier) RT Mobile Telephone (landline companies) BIFC Boise Interagency Fire Cache Govt: UAF Air Force UAR Army UBW Boundary and Water Commission UCE Evironmental Research Labs UCF Maritime Fisheries Service UCG Coast Guard UCM Maritime Administration UCO Ocean Survey UCP National Capitol Police UCW National Weather Service UCX Department of Commerce UEP Environmental Protection Agency UER Department of Energy UFA Federal Aviation Administration UFC Federal Communications Commision UGC Soil Conservation Service UGF Forest Service UGS General Services Administration UGX Department of Agriculture UHW Dept. of Health and Human Services UIB Bonneville Power Administration UIF Bureau of Sport Fisheries and Wildlife UIG Geological Survey UII Bureau of Indian Affairs UIL Bureau of Land Management UIM Bureau of Mines UIP National Park Service UIR Bureau of Rclamation UIS Southwestern Power Administration UIX Department of the Interior UNO United Nations UNS Nasa UPO Postal Service USA Misc. Federal Government USD State Department USN Navy UTC Bureau of Customs UTM Bureau of the Mint UTR Department of Transportation UTV Tennessee Valley Authority UTX Treasury Department UVA Veterans Administration UXX Classified Band Usage: 30-50 MHz: 30.00 - 30.55 USA,UAR,USN,UCG,UAF 30.58 - 31.98 IS,IP,IB,LU,PO 32.00 - 32.99 USA,UAR,USN,UCG,UGX,UAF,UIR 33.02 - 33.98 PS,PH,IS,IB,IP,PF 34.01 - 34.99 UCG,UER,USA,UAR,UAF,USN,UGX,UIP,UIF 35.02 - 35.98 IB,IT,RC,RT,IS,PS 36.01 - 36.99 UIX,UER,USA,UAR,USN,UTR,UCO,IP,UHW,UGF,UGX,UAF 37.02 - 37.98 PP,PL,IW,PH,PS 38.27 - 38.99 USA,USN,UGX,UGF,UAR,UAF,UIX,UTV,UVA 39.02 - 39.98 PP,PL 40.01 - 41.99 UIA,UAR,UIP,UAF,USA,UVA,UER,USN,UIF,UIR,UTV,UIM,IP UIX,UEP,UCG,UIL,BIFC,UHW,UTX 42.02 - 42.94 PP 42.96 - 43.68 IB,IS,IT,RC,RT,PS 43.70 - 44.60 LU,LJ 44.62 - 46.58 PP,PO,PL,PH,PF,PS 46.61 - 46.99 USA,UIL,BIFC,UAF,UAR,UGX,UGF 47.02 - 49.58 PH,PS,IS,IW,IF,IP 49.61 - 49.99 UIL,UAR,UGC,UAF,UAR,UGX,UGF,USA 150-173 MHz: 150.775 - 151.985 PM,LA,IF,PH,PO,IS,IB 152.075 - 152.840 PM,RC,LX,IF,IB,RT 152.870 - 153.725 IM,IS,IP,IX,IF,IW 153.740 - 156.240 PL,PF,IS,IB,PP,PM,PH 156.255 - 157.450 IP,MC,MS,MG,MP,PM 157.470 - 158.700 LA,LX,IF,IS,IB,RT,IW,IP,IX,IT,RC 158.730 - 159.480 PP,PL,PH,PO,IP 159.495 - 161.565 LR,LJ 161.580 - 162.000 IP,MC,BA,MP 162.025 - 173.987 MISC GOVT AGENCIES 406-512 MHz: 406.125 - 419.975 MISC GOVT AGENCIES 450.050 - 450.925 BA 451.000 - 451.700 IW,IF,IP,IT,IX 451.725 - 452.175 IS,IF,IP,LX 452.200 - 452.950 LX,LJ,LR,LA 452.975 - 453.975 IY,PL,PH,PF,PO,PP 454.000 - 457.600 IPI,RC,RT,RA,BA,IB 458.025 - 467.925 PM,PP,IB,IX,IF,IP,IT,IW,GM 482.000 - 508.987 MISC PUBLIC SAFETY 800 MHz: Unlike lower bands, the 800 MHz band is allocated on a first-come first-serve basis. There are two categories for licensing: Public Safety and Industrial. Sytemsusing one to five channels are conventional. Five channel systems might use trunking, but all systems with more than five channels must use trunking. 851.0125 - 855.9875 Conventional Systems 856.0125 - 860.9875 Conventional or Trunked 861.0125 - 865.9875 Trunked Systems 866.0000 - 869.9999 Reserved-Satelite 870.0000 - 896.0000 Cellular Telephone _ _ _ _ _ _ _ _ _ _ _ _ _ _ - - - - = Loops Explained = - - anonymous - - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ - Loops occur in all area codes and consist of two phone numbers. These numbers are in the same exchange and the last four digits are usually similar. a typical loop pair might look like 212-555-9990 and 555-9993. There are usually at least twenty loops in an area code and often all of the loops in an area code will have identical suffix pairs. The basic thing about any loop is that the two numbers are connected together. If I were to call one number and you were to call the other we'd be connected. It's all a bit eerie at first because most loops do not ring; if you dial a loop and there is someone on the other end you will be instantly connected. What will you hear if you dial a loop number and there's no one on the other end? That depends upon which of the numbers you dial. If you dial the higher number of the pair you will hear only silence; if you dial the lower you will hear a 1000 Hz tone. On most loops you can talk to one caller after another on the other end, very much like any other phone connection. You may be asking so what? The answer to your question is that loops offer anonymity. People use this anonymity for many reasons. We are now to the point of wondering what telco uses loops for. There have been a number of theories advanced on this topic over the years but few people have bothered to ask telco. One common theory has been akin to the idea that the loops are somehow used to "tie up" unused phone lines at the central office to "keep them out of trouble." (I have always enjoyed the image of two lonely phone lines tied together to keep them company.) Loops are used to save time and manpower in testing long distance trunks; we're not talking about the phone line that connects your phone to the central office but the trunks that connect central offices and run in length from a few thousand feet to many miles. When you talk on the phone, your voice and the caller's voice go in different directions. Once the line gets to telco premises the signal is divided up into two circuits. One circuit carries your voice and the other carries your caller's voice. If the signals were kept on one circuit there would be problems with feedback and echoes. Trunks may consist of two pairs of two wire circuits or may be radio frequency carriers on a cable. Trunks have repeaters along the way which amplify the signal remove echoes and equalize frequencies. Repeaters occur about every two miles on an "old style" wire trunk line and about every 2000 feet on carrier trunks. Very short trunks may not have a repeater. Repeaters need to be tested and adjusted occasionally. In the old days a tech would test a trunk by arranging for someone to be at The other end. He would then send a 1000 Hz test tone to the other person who would read the volume on a meter. To complete the test the other tech sends a signal back on the other leg to the first tech as the phone system grew telco decided to cut down on manpower by tying two lines together. Thus the loop was born. Trunks are tied together via a thing called a "zero loss terminator" which connects lines so there is no change in volume. By the mid fifties, the entire phone system had been equipped with loops, so a tech at one end could test a trunk alone by dialing a loop. he dials the other half of the loop with a known good trunk. Then he reverses the signal path to complete the test. It wasn't long before some ordinary citizens discovered that loops could also pass voices, not just tones. Since the lines be longed to telco they weren't billed for the call. So a few people made free calls to friends but there was so little of this that its effect on the phone company's income was negligible. It wasn't until years later in the early seventies that bell was to put billing circuitry on loop numbers. To avoid giving away their location most bookies used a cheesebox a device that connects two phone lines together. Cheeseboxes were installed in a small business, often a small butcher shop or a grocery. The bookie arranged with the proprietor to have two phones installed in the shop and would pay a small monthly fee. He then tied the lines together with his cheesebox and gave one of the numbers to his clientel. Some bookies Either couldn't afford a cheesebox or couldn't locate one at any price, so they hit upon using loops. It was good while it lasted. Gradually however, more and more shady characters started using loops. The authorities weren't blind to this and started approaching the telco to do traces on these loops. Eventually the phone company was spending a lot of time and money on criminal traces and decided to do something about these loops. In the late 50's, the phone company started inserting a bandpass filter that passed only 1000 Hz in the terminator end of its' loops. With this change it successfully blocked voices. We're going to see that the solution was only temporary though. The old style four wire trunks could only handle one call at a time taking up a lot of wire and space. There had to be a way to cram calls into a smaller space. By the early 1960's bell had started switching to carrier trunks which put many calls on a cable. Each signal modulated an AM carrier on a different frequency. Because AM carriers use radio frequency transmitters and recievers, they could no longer pass a 1000 Hz tone through the bandpass filter. So a switch was added to switch it on and off. Normally the filter would be left on. When a tech wished to test a trunk he would turn the switch on, bypassing the filter. When he was done he was expected to turn off the switch. If he forgets a loop will continue to pass voice frequencies until it is switched off. Let's look at how loops are used nowadays. If a tech dials up the lower number he will immediately ge a 1000 Hz tone coming back to him which is injected at a specific volume known as "Zero db" level. Using his meter he can gauge if there are any problems on the line. If he needs to do a complete test at various frequencies he then turns the filter bypass switch on. Most of this work is done at night when repair people are free from normal chores. It turns out there are people using loops for more things than I had imagined. I have always wondered if spies use loops but i haven't encountered any yet. When i started looking into loops I was aware that some radio pirates use loops. Especially in the New York City area you'll often run into AM and FM pirates on loops late at night. Some local loop numbers are pretty well known and are passed around high schools and colleges. When students get bored at night or want to find a party they call a loop and wait there till someone else calls. It may be someone they know or a complete stranger, but it's someone to talk to. Then there are the loop habituates. They regulary meet with their circle of friends and aquaintances on loops and tend to resent strangers on THEIR loops. Representatives are quick to point out that loops belong to the phone company. Anyone else using them is a transgressor. Since Bell is the aggrieved party it needn't have any qualms about listening to loops nor about tracing callers. Bell wishes to discourage people from using them and periodically programs its billing computer to look for loop numbers. Any customer thus found is sent a card pointing out that these numbers belong to the telco. With the exception of those stealing services, Bell becomes aware that some one is calling a loop using a faked credit card number; or Sprint or MCI will ask for help tracing someone illegally stealing their services to call a loop. Then it's a matter of waiting for the person to try again and tracing the call. In these affairs the phone company is very aggressive and effective in tracking down offenders. Bell has some very well trained people who are most adept at keeping the offender on the line until a trace is complete. ========================== This article is the first of Informatik's T-File classics series, a group of text files which deserve special notice in the annals of the computer underground. These articles are among the most famous text files ever written on hacking, and it is our pleasure to reprint them for you now. ========================== +++++++++++++++++++++++++++++++++++++++++++++++++ | The LOD/H Presents | ++++++++++++++++ ++++++++++++++++ \ A Novice's Guide to Hacking- 1989 edition / \ ========================================= / \ by / \ The Mentor / \ Legion of Doom/Legion of Hackers / \ / \ December, 1988 / \ Merry Christmas Everyone! / \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/ ********************************************************************** | The author hereby grants permission to reproduce, redistribute, | | or include this file in your g-file section, electronic or print | | newletter, or any other form of transmission that you choose, as | | long as it is kept intact and whole, with no ommissions, delet- | | ions, or changes. (C) The Mentor- Phoenix Project Productions | | 1988,1989 512/441-3088 | ********************************************************************** Introduction: The State of the Hack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After surveying a rather large g-file collection, my attention was drawn to the fact that there hasn't been a good introductory file written for absolute beginners since back when Mark Tabas was cranking them out (and almost *everyone* was a beginner!) The Arts of Hacking and Phreaking have changed radically since that time, and as the 90's approach, the hack/phreak community has recovered from the Summer '87 busts (just like it recovered from the Fall '85 busts, and like it will always recover from attempts to shut it down), and the progressive media (from Reality Hackers magazine to William Gibson and Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice of us for the first time in recent years in a positive light. Unfortunately, it has also gotten more dangerous since the early 80's. Phone cops have more resources, more awareness, and more intelligence that they exhibited in the past. It is becoming more and more difficult to survive as a hacker long enough to become skilled in the art. To this end this file is dedicated. If it can help someone get started, and help them survive to discover new systems and new information, it will have served it's purpose, and served as a partial repayment to all the people who helped me out when I was a beginner. Contents ~~~~~~~ This file will be divided into four parts: Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it, Outdials, Network Servers, Private PADs Part 3: Identifying a Computer, How to Hack In, Operating System Defaults Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call, Acknowledgements Part One: The Basics ~~~~~~~~~~~~~~~~~~~ As long as there have been computers, there have been hackers. In the 50's at the Massachusets Institute of Technology (MIT), students devoted much time and energy to ingenious exploration of the computers. Rules and the law were disregarded in their pursuit for the 'hack'. Just as they were enthralled with their pursuit of information, so are we. The thrill of the hack is not in breaking the law, it's in the pursuit and capture of knowledge. To this end, let me contribute my suggestions for guidelines to follow to ensure that not only you stay out of trouble, but you pursue your craft without damaging the computers you hack into or the companies who own them. I. Do not intentionally damage *any* system. II. Do not alter any system files other than ones needed to ensure your escape from detection and your future access (Trojan Horses, Altering Logs, and the like are all necessary to your survival for as long as possible.) III. Do not leave your (or anyone else's) real name, real handle, or real phone number on any system that you access illegally. They *can* and will track you down from your handle! IV. Be careful who you share information with. Feds are getting trickier. Generally, if you don't know their voice phone number, name, and occupation or haven't spoken with them voice on non-info trading conversations, be wary. V. Do not leave your real phone number to anyone you don't know. This includes logging on boards, no matter how k-rad they seem. If you don't know the sysop, leave a note telling some trustworthy people that will validate you. VI. Do not hack government computers. Yes, there are government systems that are safe to hack, but they are few and far between. And the government has inifitely more time and resources to track you down than a company who has to make a profit and justify expenses. VII. Don't use codes unless there is *NO* way around it (you don't have a local telenet or tymnet outdial and can't connect to anything 800...) You use codes long enough, you will get caught. Period. VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law. It doesn't hurt to store everything encrypted on your hard disk, or keep your notes buried in the backyard or in the trunk of your car. You may feel a little funny, but you'll feel a lot funnier when you when you meet Bruno, your transvestite cellmate who axed his family to death. IX. Watch what you post on boards. Most of the really great hackers in the country post *nothing* about the system they're currently working except in the broadest sense (I'm working on a UNIX, or a COSMOS, or something generic. Not "I'm hacking into General Electric's Voice Mail System" or something inane and revealing like that.) X. Don't be afraid to ask questions. That's what more experienced hackers are for. Don't expect *everything* you ask to be answered, though. There are some things (LMOS, for instance) that a begining hacker shouldn't mess with. You'll either get caught, or screw it up for others, or both. XI. Finally, you have to actually hack. You can hang out on boards all you want, and you can read all the text files in the world, but until you actually start doing it, you'll never know what it's all about. There's no thrill quite the same as getting into your first system (well, ok, I can think of a couple of bigger thrills, but you get the picture.) One of the safest places to start your hacking career is on a computer system belonging to a college. University computers have notoriously lax security, and are more used to hackers, as every college computer depart- ment has one or two, so are less likely to press charges if you should be detected. But the odds of them detecting you and having the personel to committ to tracking you down are slim as long as you aren't destructive. If you are already a college student, this is ideal, as you can legally explore your computer system to your heart's desire, then go out and look for similar systems that you can penetrate with confidence, as you're already familar with them. So if you just want to get your feet wet, call your local college. Many of them will provide accounts for local residents at a nominal (under $20) charge. Finally, if you get caught, stay quiet until you get a lawyer. Don't vol- unteer any information, no matter what kind of 'deals' they offer you. Nothing is binding unless you make the deal through your lawyer, so you might as well shut up and wait. Part Two: Networks ~~~~~~~~~~~~~~~~~ The best place to begin hacking (other than a college) is on one of the bigger networks such as Telenet. Why? First, there is a wide variety of computers to choose from, from small Micro-Vaxen to huge Crays. Second, the networks are fairly well documented. It's easier to find someone who can help you with a problem off of Telenet than it is to find assistance concerning your local college computer or high school machine. Third, the networks are safer. Because of the enormous number of calls that are fielded every day by the big networks, it is not financially practical to keep track of where every call and connection are made from. It is also very easy to disguise your location using the network, which makes your hobby much more secure. Telenet has more computers hooked to it than any other system in the world once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET, DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of which you can connect to from your terminal. The first step that you need to take is to identify your local dialup port. This is done by dialing 1-800-424-9494 (1200 7E1) and connecting. It will spout some garbage at you and then you'll get a prompt saying 'TERMINAL='. This is your terminal type. If you have vt100 emulation, type it in now. Or just hit return and it will default to dumb terminal mode. You'll now get a prompt that looks like a @. From here, type @c mail and then it will ask for a Username. Enter 'phones' for the username. When it asks for a password, enter 'phones' again. From this point, it is menu driven. Use this to locate your local dialup, and call it back locally. If you don't have a local dialup, then use whatever means you wish to connect to one long distance (more on this later.) When you call your local dialup, you will once again go through the TERMINAL= stuff, and once again you'll be presented with a @. This prompt lets you know you are connected to a Telenet PAD. PAD stands for either Packet Assembler/Disassembler (if you talk to an engineer), or Public Access Device (if you talk to Telenet's marketing people.) The first description is more correct. Telenet works by taking the data you enter in on the PAD you dialed into, bundling it into a 128 byte chunk (normally... this can be changed), and then transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who then takes the data and hands it down to whatever computer or system it's connected to. Basically, the PAD allows two computers that have different baud rates or communication protocols to communicate with each other over a long distance. Sometimes you'll notice a time lag in the remote machines response. This is called PAD Delay, and is to be expected when you're sending data through several different links. What do you do with this PAD? You use it to connect to remote computer systems by typing 'C' for connect and then the Network User Address (NUA) of the system you want to go to. An NUA takes the form of 031103130002520 \___/\___/\___/ | | | | | |____ network address | |_________ area prefix |______________ DNIC This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC) according to their country and network name. DNIC Network Name Country DNIC Network Name Country _______________________________________________________________________________ | 02041 Datanet 1 Netherlands | 03110 Telenet USA 02062 DCS Belgium | 03340 Telepac Mexico 02080 Transpac France | 03400 UDTS-Curacau Curacau 02284 Telepac Switzerland | 04251 Isranet Israel 02322 Datex-P Austria | 04401 DDX-P Japan 02329 Radaus Austria | 04408 Venus-P Japan 02342 PSS UK | 04501 Dacom-Net South Korea 02382 Datapak Denmark | 04542 Intelpak Singapore 02402 Datapak Sweden | 05052 Austpac Australia 02405 Telepak Sweden | 05053 Midas Australia 02442 Finpak Finland | 05252 Telepac Hong Kong 02624 Datex-P West Germany | 05301 Pacnet New Zealand 02704 Luxpac Luxembourg | 06550 Saponet South Africa 02724 Eirpak Ireland | 07240 Interdata Brazil 03020 Datapac Canada | 07241 Renpac Brazil 03028 Infogram Canada | 09000 Dialnet USA 03103 ITT/UDTS USA | 07421 Dompac French Guiana 03106 Tymnet USA | There are two ways to find interesting addresses to connect to. The first and easiest way is to obtain a copy of the LOD/H Telenet Directory from the LOD/H Technical Journal #4 or 2600 Magazine. Jester Sluggo also put out a good list of non-US addresses in Phrack Inc. Newsletter Issue 21. These files will tell you the NUA, whether it will accept collect calls or not, what type of computer system it is (if known) and who it belongs to (also if known.) The second method of locating interesting addresses is to scan for them manually. On Telenet, you do not have to enter the 03110 DNIC to connect to a Telenet host. So if you saw that 031104120006140 had a VAX on it you wanted to look at, you could type @c 412 614 (0's can be ignored most of the time.) If this node allows collect billed connections, it will say 412 614 CONNECTED and then you'll possibly get an identifying header or just a Username: prompt. If it doesn't allow collect connections, it will give you a message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to the right, and return you to the @ prompt. There are two primary ways to get around the REFUSED COLLECT message. The first is to use a Network User Id (NUI) to connect. An NUI is a username/pw combination that acts like a charge account on Telenet. To collect to node 412 614 with NUI junk4248, password 525332, I'd type the following: @c 412 614,junk4248,525332 <---- the 525332 will *not* be echoed to the screen. The problem with NUI's is that they're hard to come by unless you're a good social engineer with a thorough knowledge of Telenet (in which case you probably aren't reading this section), or you have someone who can provide you with them. The second way to connect is to use a private PAD, either through an X.25 PAD or through something like Netlink off of a Prime computer (more on these two below.) The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area Code that the computer is located in (i.e. 713 xxx would be a computer in Houston, Texas.) If there's a particular area you're interested in, (say, New York City 914), you could begin by typing @c 914 001 . If it connects, you make a note of it and go on to 914 002. You do this until you've found some interesting systems to play with. Not all systems are on a simple xxx yyy address. Some go out to four or five digits (914 2354), and some have decimal or numeric extensions (422 121A = 422 121.01). You have to play with them, and you never know what you're going to find. To fully scan out a prefix would take ten million attempts per prefix. For example, if I want to scan 512 completely, I'd have to start with 512 00000.00 and go through 512 00000.99, then increment the address by 1 and try 512 00001.00 through 512 00001.99. A lot of scanning. There are plenty of neat computers to play with in a 3-digit scan, however, so don't go berserk with the extensions. Sometimes you'll attempt to connect and it will just be sitting there after one or two minutes. In this case, you want to abort the connect attempt by sending a hard break (this varies with different term programs, on Procomm, it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect. If you connect to a computer and wish to disconnect, you can type @ and you it should say TELENET and then give you the @ prompt. From there, type D to disconnect or CONT to re-connect and continue your session uninterrupted. Outdials, Network Servers, and PADs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to computers, an NUA may connect you to several other things. One of the most useful is the outdial. An outdial is nothing more than a modem you can get to over telenet- similar to the PC Pursuit concept, except that these don't have passwords on them most of the time. When you connect, you will get a message like 'Hayes 1200 baud outdial, Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established on Modem 5588'. The best way to figure out the commands on these is to type ? or H or HELP- this will get you all the information that you need to use one. Safety tip here- when you are hacking *any* system through a phone dialup, always use an outdial or a diverter, especially if it is a local phone number to you. More people get popped hacking on local computers than you can imagine, Intra-LATA calls are the easiest things in the world to trace inexp- ensively. Another nice trick you can do with an outdial is use the redial or macro function that many of them have. First thing you do when you connect is to invoke the 'Redial Last Number' facility. This will dial the last number used, which will be the one the person using it before you typed. Write down the number, as no one would be calling a number without a computer on it. This is a good way to find new systems to hack. Also, on a VENTEL modem, type 'D' for Display and it will display the five numbers stored as macros in the modem's memory. There are also different types of servers for remote Local Area Networks (LAN) that have many machine all over the office or the nation connected to them. I'll discuss identifying these later in the computer ID section. And finally, you may connect to something that says 'X.25 Communication PAD' and then some more stuff, followed by a new @ prompt. This is a PAD just like the one you are on, except that all attempted connections are billed to the PAD, allowing you to connect to those nodes who earlier refused collect connections. This also has the added bonus of confusing where you are connecting from. When a packet is transmitted from PAD to PAD, it contains a header that has the location you're calling from. For instance, when you first connected to Telenet, it might have said 212 44A CONNECTED if you called from the 212 area code. This means you were calling PAD number 44A in the 212 area. That 21244A will be sent out in the header of all packets leaving the PAD. Once you connect to a private PAD, however, all the packets going out from *it* will have it's address on them, not yours. This can be a valuable buffer between yourself and detection. Phone Scanning ~~~~~~~~~~~~~ Finally, there's the time-honored method of computer hunting that was made famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie Wargames. You pick a three digit phone prefix in your area and dial every number from 0000 --> 9999 in that prefix, making a note of all the carriers you find. There is software available to do this for nearly every computer in the world, so you don't have to do it by hand. Part Three: I've Found a Computer, Now What? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This next section is applicable universally. It doesn't matter how you found this computer, it could be through a network, or it could be from carrier scanning your High School's phone prefix, you've got this prompt this prompt, what the hell is it? I'm *NOT* going to attempt to tell you what to do once you're inside of any of these operating systems. Each one is worth several G-files in its own right. I'm going to tell you how to identify and recognize certain OpSystems, how to approach hacking into them, and how to deal with something that you've never seen before and have know idea what it is. VMS- The VAX computer is made by Digital Equipment Corporation (DEC), and runs the VMS (Virtual Memory System) operating system. VMS is characterized by the 'Username:' prompt. It will not tell you if you've entered a valid username or not, and will disconnect you after three bad login attempts. It also keeps track of all failed login attempts and informs the owner of the account next time s/he logs in how many bad login attempts were made on the account. It is one of the most secure operating systems around from the outside, but once you're in there are many things that you can do to circumvent system security. The VAX also has the best set of help files in the world. Just type HELP and read to your heart's content. Common Accounts/Defaults: [username: password [[,password]] ] SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB OPERATOR: OPERATOR SYSTEST: UETP SYSMAINT: SYSMAINT or SERVICE or DIGITAL FIELD: FIELD or SERVICE GUEST: GUEST or unpassworded DEMO: DEMO or unpassworded DECNET: DECNET DEC-10- An earlier line of DEC computer equipment, running the TOPS-10 operating system. These machines are recognized by their '.' prompt. The DEC-10/20 series are remarkably hacker-friendly, allowing you to enter several important commands without ever logging into the system. Accounts are in the format [xxx,yyy] where xxx and yyy are integers. You can get a listing of the accounts and the process names of everyone on the system before logging in with the command .systat (for SYstem STATus). If you seen an account that reads [234,1001] BOB JONES, it might be wise to try BOB or JONES or both for a password on this account. To login, you type .login xxx,yyy and then type the password when prompted for it. The system will allow you unlimited tries at an account, and does not keep records of bad login attempts. It will also inform you if the UIC you're trying (UIC = User Identification Code, 1,2 for example) is bad. Common Accounts/Defaults: 1,2: SYSLIB or OPERATOR or MANAGER 2,7: MAINTAIN 5,30: GAMES UNIX- There are dozens of different machines out there that run UNIX. While some might argue it isn't the best operating system in the world, it is certainly the most widely used. A UNIX system will usually have a prompt like 'login:' in lower case. UNIX also will give you unlimited shots at logging in (in most cases), and there is usually no log kept of bad attempts. Common Accounts/Defaults: (note that some systems are case sensitive, so use lower case as a general rule. Also, many times the accounts will be unpassworded, you'll just drop right in!) root: root admin: admin sysadmin: sysadmin or admin unix: unix uucp: uucp rje: rje guest: guest demo: demo daemon: daemon sysbin: sysbin Prime- Prime computer company's mainframe running the Primos operating system. The are easy to spot, as the greet you with 'Primecon 18.23.05' or the like, depending on the version of the operating system you run into. There will usually be no prompt offered, it will just look like it's sitting there. At this point, type 'login '. If it is a pre-18.00.00 version of Primos, you can hit a bunch of ^C's for the password and you'll drop in. Unfortunately, most people are running versions 19+. Primos also comes with a good set of help files. One of the most useful features of a Prime on Telenet is a facility called NETLINK. Once you're inside, type NETLINK and follow the help files. This allows you to connect to NUA's all over the world using the 'nc' command. For example, to connect to NUA 026245890040004, you would type @nc :26245890040004 at the netlink prompt. Common Accounts/Defaults: PRIME PRIME or PRIMOS PRIMOS_CS PRIME or PRIMOS PRIMENET PRIMENET SYSTEM SYSTEM or PRIME NETLINK NETLINK TEST TEST GUEST GUEST GUEST1 GUEST HP-x000- This system is made by Hewlett-Packard. It is characterized by the ':' prompt. The HP has one of the more complicated login sequences around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'. Fortunately, some of these fields can be left blank in many cases. Since any and all of these fields can be passworded, this is not the easiest system to get into, except for the fact that there are usually some unpassworded accounts around. In general, if the defaults don't work, you'll have to brute force it using the common password list (see below.) The HP-x000 runs the MPE operat- ing system, the prompt for it will be a ':', just like the logon prompt. Common Accounts/Defaults: MGR.TELESUP,PUB User: MGR Acct: HPONLY Grp: PUB MGR.HPOFFICE,PUB unpassworded MANAGER.ITF3000,PUB unpassworded FIELD.SUPPORT,PUB user: FLD, others unpassworded MAIL.TELESUP,PUB user: MAIL, others unpassworded MGR.RJE unpassworded FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96 unpassworded MGR.TELESUP,PUB,HPONLY,HP3 unpassworded IRIS- IRIS stands for Interactive Real Time Information System. It orig- inally ran on PDP-11's, but now runs on many other minis. You can spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner, and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking in, and keeps no logs of bad attempts. I don't know any default passwords, so just try the common ones from the password database below. Common Accounts: MANAGER BOSS SOFTWARE DEMO PDP8 PDP11 ACCOUNTING VM/CMS- The VM/CMS operating system runs in International Business Machines (IBM) mainframes. When you connect to one of these, you will get message similar to 'VM/370 ONLINE', and then give you a '.' prompt, just like TOPS-10 does. To login, you type 'LOGON '. Common Accounts/Defaults are: AUTOLOG1: AUTOLOG or AUTOLOG1 CMS: CMS CMSBATCH: CMS or CMSBATCH EREP: EREP MAINT: MAINT or MAINTAIN OPERATNS: OPERATNS or OPERATOR OPERATOR: OPERATOR RSCS: RSCS SMART: SMART SNA: SNA VMTEST: VMTEST VMUTIL: VMUTIL VTAM: VTAM NOS- NOS stands for Networking Operating System, and runs on the Cyber computer made by Control Data Corporation. NOS identifies itself quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE SYSTEM. COPYRIGHT CONTROL DATA 1978,1987'. The first prompt you will get will be FAMILY:. Just hit return here. Then you'll get a USER NAME: prompt. Usernames are typically 7 alpha-numerics characters long, and are *extremely* site dependent. Operator accounts begin with a digit, such as 7ETPDOC. Common Accounts/Defaults: $SYSTEM unknown SYSTEMV unknown Decserver- This is not truly a computer system, but is a network server that has many different machines available from it. A Decserver will say 'Enter Username>' when you first connect. This can be anything, it doesn't matter, it's just an identifier. Type 'c', as this is the least conspicuous thing to enter. It will then present you with a 'Local>' prompt. From here, you type 'c ' to connect to a system. To get a list of system names, type 'sh services' or 'sh nodes'. If you have any problems, online help is available with the 'help' command. Be sure and look for services named 'MODEM' or 'DIAL' or something similar, these are often outdial modems and can be useful! GS/1- Another type of network server. Unlike a Decserver, you can't predict what prompt a GS/1 gateway is going to give you. The default prompt it 'GS/1>', but this is redifinable by the system administrator. To test for a GS/1, do a 'sh d'. If that prints out a large list of defaults (terminal speed, prompt, parity, etc...), you are on a GS/1. You connect in the same manner as a Decserver, typing 'c '. To find out what systems are available, do a 'sh n' or a 'sh c'. Another trick is to do a 'sh m', which will sometimes show you a list of macros for logging onto a system. If there is a macro named VAX, for instance, type 'do VAX'. The above are the main system types in use today. There are hundreds of minor variants on the above, but this should be enough to get you started. Unresponsive Systems ~~~~~~~~~~~~~~~~~~~ Occasionally you will connect to a system that will do nothing but sit there. This is a frustrating feeling, but a methodical approach to the system will yield a response if you take your time. The following list will usually make *something* happen. 1) Change your parity, data length, and stop bits. A system that won't re- spond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE, with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one. While having a good term program isn't absolutely necessary, it sure is helpful. 2) Change baud rates. Again, if your term program will let you choose odd baud rates such as 600 or 1100, you will occasionally be able to penetrate some very interesting systems, as most systems that depend on a strange baud rate seem to think that this is all the security they need... 3) Send a series of 's. 4) Send a hard break followed by a . 5) Type a series of .'s (periods). The Canadian network Datapac responds to this. 6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does a MultiLink II. 7) Begin sending control characters, starting with ^A --> ^Z. 8) Change terminal emulations. What your vt100 emulation thinks is garbage may all of a sudden become crystal clear using ADM-5 emulation. This also relates to how good your term program is. 9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO, JOIN, HELP, and anything else you can think of. 10) If it's a dialin, call the numbers around it and see if a company answers. If they do, try some social engineering. Brute Force Hacking ~~~~~~~~~~~~~~~~~~ There will also be many occasions when the default passwords will not work on an account. At this point, you can either go onto the next system on your list, or you can try to 'brute-force' your way in by trying a large database of passwords on that one account. Be careful, though! This works fine on systems that don't keep track of invalid logins, but on a system like a VMS, someone is going to have a heart attack if they come back and see '600 Bad Login Attempts Since Last Session' on their account. There are also some operating systems that disconnect after 'x' number of invalid login attempts and refuse to allow any more attempts for one hour, or ten minutes, or some- times until the next day. The following list is taken from my own password database plus the data- base of passwords that was used in the Internet UNIX Worm that was running around in November of 1988. For a shorter group, try first names, computer terms, and obvious things like 'secret', 'password', 'open', and the name of the account. Also try the name of the company that owns the computer system (if known), the company initials, and things relating to the products the company makes or deals with. Password List ============= aaa daniel jester rascal academia danny johnny really ada dave joseph rebecca adrian deb joshua remote aerobics debbie judith rick airplane deborah juggle reagan albany december julia robot albatross desperate kathleen robotics albert develop kermit rolex alex diet kernel ronald alexander digital knight rosebud algebra discovery lambda rosemary alias disney larry roses alpha dog lazarus ruben alphabet drought lee rules ama duncan leroy ruth amy easy lewis sal analog eatme light saxon anchor edges lisa scheme andy edwin louis scott andrea egghead lynne scotty animal eileen mac secret answer einstein macintosh sensor anything elephant mack serenity arrow elizabeth maggot sex arthur ellen magic shark asshole emerald malcolm sharon athena engine mark shit atmosphere engineer markus shiva bacchus enterprise marty shuttle badass enzyme marvin simon bailey euclid master simple banana evelyn maurice singer bandit extension merlin single banks fairway mets smile bass felicia michael smiles batman fender michelle smooch beauty fermat mike smother beaver finite minimum snatch beethoven flower minsky snoopy beloved foolproof mogul soap benz football moose socrates beowulf format mozart spit berkeley forsythe nancy spring berlin fourier napoleon subway beta fred network success beverly friend newton summer bob frighten next super brenda fun olivia support brian gabriel oracle surfer bridget garfield orca suzanne broadway gauss orwell tangerine bumbling george osiris tape cardinal gertrude outlaw target carmen gibson oxford taylor carolina ginger pacific telephone caroline gnu painless temptation castle golf pam tiger cat golfer paper toggle celtics gorgeous password tomato change graham pat toyota charles gryphon patricia trivial charming guest penguin unhappy charon guitar pete unicorn chester hacker peter unknown cigar harmony philip urchin classic harold phoenix utility coffee harvey pierre vicky coke heinlein pizza virginia collins hello plover warren comrade help polynomial water computer herbert praise weenie condo honey prelude whatnot condom horse prince whitney cookie imperial protect will cooper include pumpkin william create ingres puppet willie creation innocuous rabbit winston creator irishman rachmaninoff wizard cretin isis rainbow wombat daemon japan raindrop yosemite dancer jessica random zap /////////////////////////////////////// / / / * Summary of FBI Computer Systems * / / By Ralph Harvey / / / /////////////////////////////////////// This article is reprinted from Full Disclosure. Capitol Information Association. All rights reserved. Permission is hereby granted to reprint this article providing this message is included in its entirety. Full Disclosure, Box 8275, Ann Arbor, Michigan 48107. $15/yr. The FBI maintains several computer systems. The most common of which is call NCIC (National Crime Information Computer). NCIC maintains a database of information about such things as stolen cars, stolen boats, missing persons, wanted persons, arrest records. It provides quick access to these records by State, Local and Federal law enforcement agencies. NCIC is directly linked with the Treasury Department's TECS computer and many State computer systems. According to William H. Webster, Director of the FBI: When a police officer stops a car and is uncertain about who he's going to meet when he gets out, he can plug into this system [NCIC] and in a matter of a few seconds he can find out whether that person is a fugitive or the automobile is stolen. Incidentally, we receive almost 400,000 inquires of this nature each day in the NCIC system. When an agency determines that a subject is a fugitive, it supplies the FBI computer with as much of the following information as possible: 1) Name and case number; 2) Alias; 3) Race; 4) Sex; 5) Height; 6) Weight; 7) Color of hair; 8) Color of eyes; 9) Description of any identifying scars, marks and tattoos; 10) Date of birth; 11) Place of birth; 12) Social Security Number; 13) Passport Number; 14) Last known address; 15) Nationality; 16) If a naturalized U.S. Citizen, date, place, and certificate number; 17) Occupation; 18) The criminal violation with which subject is charged; 19) Date of warrant; 21) Type of warrant -- Bench, Magistrate, etc.; 22) Agency holding warrant; 23) Any information as to whether the subject is considered dangerous, is known to own or currently possess firearms, has suicidal tendencies, or has previously escaped custody; 24) Driver's license number, year of expiration and State issued; 25) License number of vehicle, aircraft or vessel subject owns or is known to use, include the year and State; 26) Description of vehicle, aircraft or vessel subject owns or is known to use; 27) Associates of the subject*1; 28) FBI number; 29) Name and telephone of the person to contact when subject is apprehended. One of the major problems with the system is that the agency that submits an entry is responsible for keeping it up to date. Once an entry has been made, there is little motivation for the originating agency to "waste" its time keeping it up to date, so many entries become incorrect with the passage of time. Another FBI computer system is their Investigative Support Information System (ISIS). This system is only used to provide support for major investigations that require the handling of a large volume of complex information. It is limited to handling a maximum of 20 cases at a time. The ISIS system was used during the investigation of the murder of Federal Judge John Wood in San Antonio, Texas. In this case, the FBI entered 300,000 pieces of information, including 6,000 interviews, hotel registration information from every hotel in the area, etc. The accused, while on trial, claimed he was several hundred miles away. The FBI cross referenced his name & known alias with the hotel registration database and got a match. Contact with the hotel employees resulted in a positive identification and conviction of the subject. The FBI has a system called the Organized Crime Information Systems (OCIS) of which director William Webster is "particularly proud." The system was started in 1980 in Detroit, Michigan and is one of their most sophisticated computers. The system is now functions in over 40 locations. The OCIS system allows agents in different field offices to share and analyze information collected in each other's areas. This system was used to identify some of the United States citizens who were released from Cuban prisons in 1984 that had criminal histories in the United States. An OCIS link was recently opened in Rome, where it's used to support drug investigations. :$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$: :$:/ / \ \:$: :$:/ Dictionary of Phreaker's Terms \:$: :$: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :$: :$: :$: :$: Taken from Various Sources :$: :$:\ with Special Thanks to Phortune 500 /:$: :$:\ \ / /:$: :$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$: 1XB - No.1 Crossbar system. See XBAR for more information. 2600 - A hack/phreak oriented newsletter that periodically was released and still is being released. See Phile 1.6 for more information on the magazine and ordering. 4XB - No.4 Crossbar system. See XBAR for more information. 5XB - No.5 Crossbar system. The primary end office switch of Bell since the 60's and still in limited use. See XBAR for more detail. 700 Services - These services are reserved as an advanced forwarding system, where the forwarding is advanced to a user-programed location which could be changed by the user. 800 Exceptional Calling Report - System set up by ESS that will log any caller that excessively dials 800 numbers or directory assistance. See ESS for more information. 800 Services - Also known as WATS. These services often contain WATS extenders which, when used with a code, may be used to call LD. Many LD companies use these services because they are toll-free to customers. Most 800 extenders are considered dangerous because most have the ability to trace. 900 Services - Numbers in the 900 SAC usually are used as special services, such as TV polls and such. These usually are $.50 for the first minute and $.35 for each additional minute. Dial (900)555-1212 to find out what the 900 services currently have to offer. 950 - A nationwide access exchange in most areas. Many LD companies have extenders located somewhere on this exchange; however, all services on this exchange are considered dangerous due to the fact that they ALL have the ability to trace. Most 950 services have crystal clear connections. ACCS - Automated Calling Card Service. The typical 0+NPA+Nxx+xxxx method of inputting calling cards and then you input the calling card via touch tones. This would not be possible without ACTS. ACD - Automatic Call Distributor. ACD Testing Mode - Automatic Call Distributor Test Mode. This level of phreaking can be obtained by pressing the "D" key down after calling DA. This can only be done in areas that have the ACD. The ACD Testing Mode is characterized by a pulsing dial tone. From here, you can get one side of a loop by dialing 6, the other side is 7. You may also be able to REMOB a line. All possibilities of the ACD Test have not been experimented with. See silver box for more details. ACTS - Automated Coin Toll Service. This is a computer system that automates phortress fone service by listening for red box tones and takes appropriate action. It is this service that is commonly heard saying, "Two dollars please. Please deposit two dollars for the next three minutes." Also, if you talk for more than three minutes and then hang up, ACTS will call back and demand your money. ACTS is also responsible for ACCS. Alliance - A teleconferencing system that is apart from AT&T which allows the general public to access and use its conferencing equipment. The equipment allows group conversations with members participating from throughout the United States. The fone number to Alliance generally follows the format of 0-700-456-x00x depending on the location the call originates from and is not accessible direct by all cities/states. AMA - Automated Message Accounting. Similar to the CAMA system; see CAMA for more info. analog - As used for a word or data transmission, a continuously varying electrical signal in the shape of a wave. ANI - Automatic Number Identification - This is the system you can call, usually a three digit number or one in the 99xx's of your exchange, and have the originating number you are calling from read to you by a computer. This is useful if you don't know the number you are calling from, for finding diverters, and when you are playing around with other fone equipment like cans or beige boxes. The ANI system is often incorporated into other fone companies such as Sprint and MCI in order to trace those big bad phreaks that abuze codez. ANIF - Automatic Number Identification Failure. When the ANI system of a particular office fails. APF - All PINs Fail. This is a security measure which is designed to frustrate attempts at discovering valid PINs by a hacking method. aqua box - A box designed to drain the voltage of the FBI lock-in- trace/trap-trace so you can hang up your fone in an emergency and phrustrate the Pheds some more. The apparatus is simple, just connect the two middle wires of a phone wire and plug, which would be the red and green wires if in the jack, to the cord of some electrical appliance; ie, light bulb or radio. KEEP THE APPLIANCE OFF. Then, get one of those line splitters that will let you hook two phone plugs into one jack. Plug the end of the modified cord into one jack and your fone into the other. THE APPLIANCE MUST BE OFF! Then, when the Pheds turn their lame tracer on and you find that you can't hang up, remove your fone from the jack and turn the appliance ON and keep it ON until you feel safe; it may be awhile. Then turn it off, plug your fone back in, and start phreaking again. Invented by: Captain Xerox and The Traveler. BAUDOT - 45.5 baud. Also known as the Apple Cat Can. BEF - Band Elimination Filter. A muting system that will mute the 2600 Hz tone which signals hang-up when you hang up. beige box - An apparatus that is a home-made lineman's handset. It is a regular fone that has clips where the red and green wires normally connect to in a fone jack. These clips will attach to the rings and tips found in many of MA's output devices. These are highly portable and VERY useful when messing around with cans and other output devices the fone company has around. Invented by: The Exterminator and The Terminal Man. BITNET - Nationwide system for colleges and schools which accesses a large base of education-oriented information. Access ports are always via mainframe. bit stream - Refers to a continuous series of bits, binary digits, being transmitted on a transmission line. black box - The infamous box that allows the calling party to not be billed for the call placed. We won't go in depth right now, most plans can be found on many phreak oriented BBS's. The telco can detect black boxes if they suspect one on the line. Also, these will not work under ESS. bleeper boxes - The United Kingdom's own version of the blue box, modified to work with the UK's fone system. Based on the same principles. However, they use two sets of frequencies, foreword and backwards. Blotto box - This box supposedly shorts every fone out in the immediate area, and I don't doubt it. It should kill every fone in the immediate area, until the voltage reaches the fone company, and the fone company filters it. I won't cover this one in this issue, cuz it is dangerous, and phreaks shouldn't destroy MA's equipment, just phuck it up. Look for this on your phavorite BBS or ask your phavorite phreak for info if you really are serious about seriously phucking some fones in some area. blue box - An old piece of equipment that emulated a true operator placing calls, and operators get calls for free. The blue box seizes an open trunk by blasting a 2600 Hz tone through the line after dialing a party that is local or in the 800 NPA so calls will be local or free for the blue boxer. Then, when the blue boxer has seized a trunk, the boxer may then, within the next 10-15 seconds, dial another fone number via MF tones. These MF tones must be preceded by a KP tone and followed with a ST tone. All of these tones are standardized by Bell. The tones as well as the inter- digit intervals are around 75ms. It may vary with the equipment used since ESS can handle higher speeds and doesn't need inter-digit intervals. There are many uses to a blue box, and we will not cover any more here. See your local phreak or phreak oriented BBS for in depth info concerning blue boxes and blue boxing. Incidentally, blue boxes are not considered safe anymore because ESS detects "foreign" tones, such as the 2600 Hz tone, but this detection may be delayed by mixing pink noise of above 3000 Hz with the 2600 Hz tone. To hang up, the 2600 Hz tone is played again. Also, all blue boxes are green boxes because MF "2" corresponds to the Coin Collect tone on the green box, and the "KP" tone corresponds to the Coin Return tone on the green box. See green box for more information. Blue boxing is IMPOSSIBLE under the new CCIS system slowly being integrated into the Bell system. blue box tones - The MF tones generated by the blue box in order to place calls, emulating a true operator. These dual tones must be entered during the 10-15 second period after you have seized a trunk with the 2600 Hz tone. 700: 1 : 2 : 4 : 7 : 11 : KP= Key Pulse Parallel Frequencies 900: ** : 3 : 5 : 8 : 12 : ST= STop 2= Coin Collect 1100: ** : ** : 6 : 9 : KP : KP2= Key Pulse 2 KP= Coin Return 1300: ** : ** : ** : 10 :KP2 : **= None (green box tones) 1500: ** : ** : ** : ** : ST : : 900:1100:1300:1500:1700: 75ms pulse/pause BLV - Busy Line Verification. Allows a TSPS operator to process a customer's request for a confirmation of a repeatedly busy line. This service is used in conjunction with emergency break-ins. BNS - Billed Number Screening. break period - Time when the circuit during pulse dialing is left open. In the US, this period is 40ms; foreign nations may use 33ms break periods. break ratio - The interval pulse dialing breaks and makes the loop when dialing. The US standard is 10 pulses per second. When the circuit is opened, it is called the break interval. When the circuit is closed, it is called the make interval. In the US, there is a 60ms make period and a 40ms break period. This is often referred to as a 60% make interval. Many foreign nations have a 67% make interval. bridge - I don't really understand this one, but these are important phreak toys. I'll cover them more in the next issue of TPH. British Post Office - The United Kingdom's equivalent to Ma Bell. busy box - Box that will cause the fone to be busy, without taking it OFF-HOOK. Just get a piece of fone wire with a plug on the end, cut it off so there is a plug and about two inches of fone line. Then, strip the wire so the two middle wires, the tip and the ring, are exposed. Then, wrap the ring and the tip together, tape with electrical tape, and plug into the fone jack. The fone will be busy until the box is removed. cans - Cans are those big silver boxes on top of or around the telephone poles. When opened, the lines can be manipulated with a beige box or whatever phun you have in mind. calling card - Another form of the LD service used by many major LD companies that composes of the customers fone number and a PIN number. The most important thing to know when questioned about calling cards are the area code and the city where the calling card customer originated from. CAMA - Centralized Automatic Message Accounting. System that records the numbers called by fones and other LD systems. The recording can be used as evidence in court. CC - Calling Card. CC - Credit Card. CCIS - Common Channel Inter-office Signaling. New method being incorporated under Bell that will send all the signaling information over separate data lines. Blue boxing is IMPOSSIBLE under this system. CCITT - The initials of the name in French of the International Telegraph and Telephone Consultative Committee. At CCITT representatives of telecommunications authorities, operators of public networks and other interested bodies meet to agree on standards needed for international intermarrying of telecommunications services. CCS - Calling Card Service. CCSS - Common Channel Signalling System. A system whereby all signalling for a number of voice paths are carried over one common channel, instead of within each individual channel. CDA - Coin Detection and Announcement. CF - Coin First. A type of fortress fone that wants your money before you receive a dial tone. Channel - A means of one-way transmission or a UCA path for electrical transmission between two or more points without common carrier, provided terminal equipment. Also called a circuit, line, link, path, or facility. cheese box - Another type of box which, when coupled with call forwarding services, will allow one to place free fone calls. The safety of this box is unknown. See references for information concerning text philes on this box. clear box - Piece of equipment that compromises of a telephone pickup coil and a small amp. This works on the principal that all receivers are also weak transmitters. So, you amplify your signal on PP fortress fones and spare yourself some change. CN/A - Customer Name And Address. Systems where authorized Bell employees can find out the name and address of any customer in the Bell System. All fone numbers are listed on file, including unlisted numbers. Some CN/A services ask for ID#'s when you make a request. To use, call the CN/A office during normal business hours, and say that you are so and so from a certain business or office, related to customers or something like that, and you need the customer's name and address at (NPA)Nxx-xxxx. That should work. The operators to these services usually know more than DA operators do and are also susceptible to "social engineering." It is possible to bullshit a CN/A operator for the NON PUB DA number and policy changes in the CN/A system. CO Code - Central Office code which is also the Nxx code. See Nxx for more details. Sometimes known as the local end office. conference calls - To have multiple lines inter-connected in order to have many people talking in the same conversation on the fone at once. See Alliance and switch crashing for more information. credit operator - Same as TSPS operator. The operator you get when you dial "0" on your fone and phortress fones. See TSPS for more information. CSDC - Circuit Switched Digital Capability. Another USDN service that has no ISDN counterpart. DA - Directory Assistance. See directory assistance. DAO - Directory Assistance Operator. See directory assistance. data communications - In telefone company terminology, data communications refers to an end-to-end transmission of any kind of information other than sound, including voice, or video. Data sources may be either digital or analog. data rate - The rate at which a channel carries data, measured in bits per second, bit/s, also known as "data signalling rate." data signalling rate - Same as "data rate." See data rate. DCO-CS - Digital Central Office-Carrier Switch. DDD - Direct Distance Dialed. Dial-It Services - See 900 Services. digital - A method to represent information to be discrete or individually distinct signals, such as bits, as opposed to a continuously variable analog signal. digital transmission - A mode of transmission in which all information to be transmitted is first converted to digital form and then transmitted as a serial stream of pulses. Any signal, voice, data, television, can be converted to digital form. Dimension 2000 - Another LD service located at (800)848-9000. directory assistance - Operator that you get when you call 411 or NPA-555-1212. This call will cost $.50 per call. These won't know where you are calling from, unless you annoy them, and do not have access to unlisted numbers. There are also directory assistance operators for the deaf that transfer BAUDOT. You can call these and have interesting conversations. The fone number is 800-855-1155, are free, and use standard Telex abbreviations such as GA for Go Ahead. These are nicer than normal operators, and are often subject to "social engineering" skills (bullshitting). Other operators also have access to their own directory assistance at KP+NPA+131+ST. diverter - This is a nice phreak tool. What a diverter is is a type of call forwarding system done externally, apart from the fone company, which is a piece of hardware that will foreword the call to somewhere else. These can be found on many 24 hour plumbers, doctors, etc. When you call, you will often hear a click and then ringing, or a ring, then a click, then another ring, the second ring often sounds different from the first. Then, the other side picks the fone up and you ask about their company or something stupid, but DO NOT ANNOY them. Then eventually, let them hang up, DO NOT HANG UP YOURSELF. Wait for the dial tone, then dial ANI. If the number ANI reads is different from the one you are calling from, then you have a diverter. Call anywhere you want, for all calls will be billed to the diverter. Also, if someone uses a tracer on you, then they trace the diverter and you are safe. Diverters can, however, hang up on you after a period of time; some companies make diverters that can be set to clear the line after a set period of time, or click every once in a while, which is super annoying, but it will still work. Diverters are usually safer than LD extenders, but there are no guarantees. Diverters can also be accessed via phortress fones. Dial the credit operator and ask for the AT&T CREDIT OPERATOR. They will put on some lame recording that is pretty long. Don't say anything and the recording will hang up. LET IT HANG UP, DO NOT HANG UP. Then the line will clear and you will get a dial tone. Place any call you want with the following format: 9+1+NPA+Nxx+xxxx, or for local calls, just 9+Nxx+xxxx. I'd advise that you call ANI first as a local call to make sure you have a diverter. DLS - Dial Line Service. DNR - Also known as pen register. See pen register. DOV - Data-Over-Voice. DSI - Data Subscriber Interface. Unit in the LADT system that will concentrate data from 123 subscribers to a 56k or a 9.6k bit-per-second trunk to a packet network. DT - Dial tone. DTF - Dial Tone First. This is a type of fortress fone that gives you a dial tone first. DTI - Digital Trunk Interface. DTMF - Dual-Tone-Multi-Frequency, the generic term for the touch tone. These include 0,1,2,3,4,5,6,7,8,9 as well as A,B,C,D. See silver box for more details. DVM - Data Voice Multiplexor. A system that squeezes more out of a transmission medium and allows a customer to transmit voice and data simultaneously to more than one receiver over the existing telefone line. emergency break-in - Name given to the art of "breaking" into a busy number which will usually result in becoming a third party in the call taking place. end office - Any class 5 switching office in North America. end-to-end signalling - A mode of network operation in which the originating central office, or station, retains control and signals directly to each successive central office, or PBX, as trunks are added to the connection. ESS - Electronic Switching System. "The phreak's nightmare come true." With ESS, EVERY SINGLE digit you dial is recorded, even mistakes. The system records who you call, when you call, how long you talked, and, in some cases, what you talked about. ESS is programed to make a list of people who make excessive 800 calls or directory assistance. This is called the "800 Exceptional Calling Report." ESS can be programed to print out logs of who called certain numbers, such as a bookie, a known communist, a BBS, etc. ESS is a series of programs working together; these programs can be very easily changed to do whatever the fone company wants ESS to do. With ESS, tracing is done in MILLISECONDS and will pick up any "foreign" tones on the line, such as 2600 Hz. Bell predicts the whole country will be on ESS by 1990! You can identify an ESS office by the functions, such as dialing 911 for help, fortress fones with DT first, special services such as call forwarding, speed dialing, call waiting, etc., and ANI on LD calls. Also, black boxes and Infinity transmitters will NOT work under ESS. extender - A fone line that serves as a middleman for a fone call, such as the 800 or 950 extenders. These systems usually require a multi- digit code and have some sort of ANI to trace suspicious calls with. facsimile - A system for the transmission of images. The image is scanned at the transmitter, reconstructed at the receiving station, and duplicated on some form of paper. Also known as a FAX. FAX - See facsimile for details. FiRM - A large cracking group who is slowly taking the place of PTL and the endangered cracking groups at the time of this writing. fortress phone - Today's modern, armor plated, pay fone. These may be the older, 3 coin/coin first fones or the newer, 1 coin/DT first fones. There are also others, see CF, DTF, and PP. Most phortresses can be found in the 9xxx or 98xx series of your local Nxx. gateway city - See ISC. Gestapo - The telefone company's security force. These nasties are the ones that stake out misused phortresses as well as go after those bad phreaks that might be phucking with the fone system. green base - A type of output device used by the fone company. Usually light green in color and stick up a few feet from the ground. See output device for more information. green box - Equipment that will emulate the Coin Collect, Coin Return, and Ringback tones. This means that if you call someone with a fortress fone and they have a green box, by activating it, your money will be returned. The tones are, in hertz, Coin Collect=700+1100, Coin Return=1100+1700, and Ringback=700+1700. However, before these tones are sent, the MF detectors at the CO must be alerted, this can be done by sending a 900+1500 Hz or single 2600 Hz wink of 90ms followed by a 60ms gap, and then the appropriate signal for at least 900ms. gold box - This box will trace calls, tell if the call is being traced, and can change a trace. grey box - Also known as a silver box. See silver box. group chief - The name of the highest ranking official in any fone office. Ask to speak to these if an operator is giving you trouble. high-speed data - A rate of data transfer ranging upward from 10,000 bits per second. H/M - Hotel/Motel. ICH - International Call Handling. Used for overseas calls. ICVT - InComing Verification Trunk. IDA - Integrated Digital Access. The United Kingdom's equivalent of ISDN. IDDD - International Direct Distance Dialing - The ability to place international calls direct without processing through a station. Usually, one would have to place the call through a 011, station, or a 01, operator assisted, type of setup. IDN - Integrated Digital Networks. Networks which provide digital access and transmission, in both circuit switched and packet modes. in-band - The method of sending signaling information along with the conversion using tones to represent digits. INS - Information Network System. Japan's equivalent of ISDN. Intercept - The intercept operator is the one you get connected to when there are not enough recordings available to tell you that the number has been disconnected or changed. These usually ask what number you are calling and are the lowest form of the operator. intermediate point - Any class 4X switching office in North America. Also known as an RSU. international dialing - In order to call across country borders, one must use the format PREFIX + COUNTRY CODE + NATION #. The prefix in North America is usually 011 for station-to-station calls or 01 for operator- assisted calls. If you have IDDD, you don't need to place this prefix in. INTT - Incoming No Test Trunks. INWARD - An operator that assists your local TSPS '0' operator in connecting calls. These won't question you as long as the call is within their service area. The operator can ONLY be reached by other operators or a blue box. The blue box number is KP+NPA+121+ST for the INWARD operator that will help you connect to any calls in that area ONLY. INWATS - Inward Wide Area Telecommunications Service. These are the 800 numbers we are all familiar with. These are set up in bands; 6 total. Band 6 is the largest, and you can call band 6 INWATS from anywhere in the US except the state where the call is terminated. This is also why some companies have a separate 800 number for their state. Band 5 includes the 48 contiguous states. All the way down to band 1, which only includes the states contiguous to that one. Understand? That means more people can reach a band 6 INWATS as compared to the people that can access a band 1 INWATS. IOCC - International Overseas Completion Centre. A system which must be dialed in order to re-route fone calls to countries inaccessible via dialing direct. To route a call via IOCC with a blue box, pad the country code to the RIGHT with zeroes until it is 3 digits. Then KP+160 is dialed, plus the padded country code, plus ST. IPM - Interruptions Per Minute. The number of times a certain tone sounds during a minute. ISC - Inter-Nation Switching Centers. Most outgoing calls from a certain numbering system will be routed through these "gateway cities" in order to reach a foreign country. ISDN - Integrated Services Digital Network. ISDN is a planned hierarchy of digital switching and transmission systems. Synchronized so that all digital elements speak the same "language" at the same speed, the ISDN would provide voice, data, and video in a unified manner. ITT - This is another large LD service. The extenders owned by this company are usually considered dangerous. The format is ACC-ESS#,(NPA)Nxx-xxxx,1234567. KP - Key Pulse. Tone that must be generated before inputting a fone number using a blue box. This tone is, in hertz, 1100+1700. KP2 - Key Pulse 2. Tone that is used by the CCITT SYSTEM 5 for special international calling. This tone is, in hertz, 1300+1700. LADT - Local Area Data Transport. LADT is a method by which customers will send and receive digital data over existing customer loop wiring. Dial- Up LADT will let customers use their lines for occasional data services; direct access LADT will transmit simultaneous voice and data traffic on the same line. LAN - Local Area Network. LAPB - Link Access Protocol Balanced. LD - Long Distance Leave Word And Call Back - Another new type of operator. local loop - When a loop is connected between you and your CO. This occurs when you pick the fone up or have a fone OFF-HOOK. loop - A pair or group of fone lines. When people call these lines, they can talk to each other. Loops consist of two or more numbers, they usually are grouped close together somewhere in the Nxx-99xx portions of your exchange. The lower number in a loop is the tone side of the loop, or the singing switch. The higher number is always silent. The tone disappears on the lower # when someone dials the other side of the loop. If you are the higher #, you will have to listen to the clicks to see if someone dialed into the loop. There also are such things as Non-Supervised loops, where the call is toll-free to the caller. Most loops will be muted or have annoying clicks at connection, but otherwise, you might find these useful goodies scanning the 99xx's in your exchange. Some loops allow multi-user capability; thus, many people can talk to each other at the same time, a conference of sorts. Since loops are genuine test functions for the telco during the day, most phreaks scan and use them at night. MA - Ma Bell, the Bell Telesys Company. Telco, etc. See Ma Bell for more information. Ma Bell - The telephone company. The Bell Telesys Phone Company. The company you phreak and hack with. The company that doesn't like you too much. The company you often phuck with, and sometimes phuck up. The company that can phuck u up if u aren't careful. make period - The time when, during pulse dialing, the circuit is closed. In the US, this period is 60ms; however, foreign nations may use a 67ms make period. Make periods are also referred to in percentages, so a 60ms make period would be 60%, a 67ms as 67%. marine verify - Another type of operator. MCI - Yet another LD service that owns many dial-ups in most areas. However, the codes from various areas may not be interchangeable. Not much is known about MCI; however, MCI probably has some sophisticated anti- phreak equipment. The format is ACC-ESS#,12345,(NPA)Nxx-xxxx. MCI Execunet - The calling card equivalent of the regular MCI LD service, but the codes are longer and interchangeable. For the local access port near you, call (800)555-1212. The format for the port will be ACC-ESS#,1234567,(NPA)Nxx-xxxx. Metrofone - Owned by Western Union. A very popular system among fone phreaks. Call Metrofone's operator and ask for the local access number at (800)325-1403. The format is ACC-ESS#,CODE,(NPA)Nxx-xxxx. Metrofone is alleged to place trap codes on phreak BBS's. MF - Multi-Frequency. These are the operator and blue box tones. An MF tone consists of two tones from a set of six master tones which are combined to produce 12 separate tones. These are NOT the same as touch tones. See blue box tones for frequencies. mobile - A type of operator. NAP/PA - North American Pirate/Phreak Association. A large group of bbs boards which include a lot of pirates/phreakers. I'm not quite sure where the group will go from here. NON PUB DA - A reverse type of CN/A bureau. You tell the service the name and the locality, they will supply the fone number. However, they will ask for you name, supervisor's name, etc. Use your social engineering skills here (aka, bullshitting skills). You also can get detailed billing information from these bureaus. NPA - Numbering Plan Area. The area code of a certain city/state. For example, on the number (111)222-3333, the NPA would be 111. Area codes never cross state boundaries sans the 800, 700, 900, and special exchanges. Nxx - The exchange or prefix of the area to be dialed. For example of the number (111)222-3333, the Nxx would be 222. OGVT - OutGoing Verification Trunk. OFF-HOOK - To be on-line, to have the switchhook down. To have a closed connection. At this point, you also have a local loop. ON-HOOK - To be off-line, to have the switchhook up. To have an open connection. ONI - Operator Number Identification. Identifies calling numbers when an office is not equipped with CAMA, the calling number is not automatically recorded by CAMA, or has equipment failures, such as ANIF. OPCR - Operator Actions Program. Standard TBOC or equivalent "0" operator. OPEN - Northern Telecom's Open Protocol Enhanced Networks World Program. OSI - Open System Interconnection. Form of telecommunication architechture which will probobly fail to SNA. OST - Originating Station Treatment. OTC - Operating Telefone Company. out-of-band - Type of signaling which sends all of the signaling and supervisory informations, such as ON and OFF HOOK, over separate data links. output device - Any type of interface such as cans, terminal sets, remote switching centers, bridging heads, etc., where the fone lines of the immediate area are relayed to before going to the fone company. These often are those cases painted light green and stand up from the ground. Most of these can be opened with a 7/16 hex driver, turning the security bolt(s) 1/8 of an inch counter-clockwise, and opening. Terminals on the inside might be labeled "T" for tip and "R" for ring. Otherwise, the ring side is usually on the right and the tip side is on the left. OUTWATS - Outward Wide Area Telecommunications Service. These are WATS that are used to make outgoing calls ONLY. Paper Clip Method - This method of phreaking was illustrated in the movie War Games. What a phortress fone does to make sure money is in a fone is send an electrical pulse to notify the fone that a coin has been deposited, for the first coin only. However, by simply grounding the positive end of the microphone, enough current and voltage is deferred to the ground to simulate the first quarter in the coin box. An easy way to accomplish this is to connect the center of the mouthpiece to the coin box, touch tone pad, or anything that looks like metal with a piece of wire. A most convenient piece of wire is a bend out of a paper clip. Then you can send red box tones through the line and get free fone calls! Also, telco modified fones may require you to push the clip harder against the mouthpiece, or connect the mouthpiece to the earpiece. If pressing harder against the mouthpiece becomes a problem, pins may be an easier solution. PBX - Private Branch eXchange. A private switchboard used by some big companies that allow access to the OUTWATS line by dialing a 8 or a 9 after inputting a code. PCM - Pulse Code-Modulated trunks. PC Pursuit - A computer oriented LD system, comparable to Telenet, which offers low access rates to 2400 baud users. Hacking on this system is virtually impossible due to the new password format. pen register - A device that the fone company puts on your line if they suspect you are fraudulently using your fone. This will record EVERY SINGLE digit/rotary pulse you enter into the fone as well as other pertinent information, which may include a bit of tapping. Also known as DNR. Phortune 500 - An elite group of users currently paving the way for better quality in their trade. PHRACK - Another phreak/hack oriented newsletter. See reference section, phile 1.6 for more information. PHUN - Phreakers and Hackers Underground Network. They also release a newsletter that is up to #4 at the time of this writing. See phile 1.6 for more information on finding this phile. PIN - Personal Identification Number - The last four digits on a calling card that adds to the security of calling cards. plant tests - test numbers which include ANI, ringback, touch tone tests, and other tests the telco uses. Post Office Engineers - The United Kingdom's fone workers. PP - Dial Post-Pay Service. On phortress fones, you are prompted to pay for the call after the called party answers. You can use a clear box to get around this. PPS - Pulses Per Second. printmeter - The United Kingdom's equivalent of a pen register. See pen register for more info. PTE - Packet Transport Equipment. PTL - One of the bigger cracking groups of all time. However, the group has been dying off and only has a few nodes as of this writing. PTS - Position and Trunk Scanner. PTT - Postal Telephone Telegraph. pulse - See rotary phones. purple box - This one would be nice. Free calls to anywhere via blue boxing, become an operator via blue box, conference calling, disconnect fone line(s), tap fones, detect traces, intercept directory assistance calls. Has all red box tones. This one may not be available under ESS. rainbow box - An ultimate box. You can become an operator. You get free calls, blue box. You can set up conference calls. You can forcefully disconnect lines. You can tap lines. You can detect traces, change traces, and trace as well. All incoming calls are free. You can intercept directory assistance. You have a generator for all MF tones. You can mute and redial. You have all the red-box tones. This is an awesome box. However, it does not exist under ESS. RAO - Revenue Accounting Office. The three digit code that sometimes replaces the NPA of some calling cards. RBOC - Regional Bell Operating Company. red box - Equipment that will emulate the red box tone generated for coin recognition in all phortress fones. red box tones - Tones that tell the phortress fone how much money was inserted in the fone to make the required call. In one slot fones, these are beeps in pulses; the pulse is a 2200+1700 Hz tone. For quarters, 5 beep tones at 12-17 PPS, for dimes it is 2 beep tones at 5-8.5 PPS, and a nickel causes 1 beep tone at 5-8.5 PPS. For three slot fones, the tones are different. Instead of beeps, they are straight dual tones. For a nickel, it is one bell at 1050-1100 Hz, two bells for a dime, and one gong at 800 Hz for a quarter. When using red box tones, you must insert at least one nickel before playing the tones, cuz a ground test takes place to make sure some money has been inserted. The ground test may be fooled by the Paper Clip Method. Also, it has been known that TSPS can detect certain red box tones, and will record all data on AMA or CAMA of fraudulent activity. regional center - Any class 1 switching office in North America. REMOB - Method of tapping into lines by entering a code and the 7 digit number you want to monitor, from ACD Test Mode. A possibility of this may be mass conferencing. ring - The red wire found in fone jacks and most fone equipment. The ring also is less positive than the tip. When looking at a fone plug on the end of typical 4 wire fone line from the top, let's say the top is the side with the hook, the ring will be the middle-right wire. Remember, the ring is red, and to the right. The three "R's" revived! ring-around-the-rosy - 9 connections in tandem which would cause an endless loop connection and has never occurred in fone history. ringback - A testing number that the fone company uses to have your fone ring back after you hang up. You usually input the three digit ringback number and then the last four digits to the fone number you are calling from. ring trip - The CO process involved with stopping the AC ringing signal when a fone goes OFF-HOOK. rotary phone - The dial or pulse phone that works by hooking and un- hooking the fone rapidly in secession that is directly related to the number you dialed. These will not work if another phone with the same number is off-hook at the time of dialing. Rout & Rate - Yet another type of operator; assists your TSPS operator with rates and routings. This once can be reached at KP+800+141+1212+ST. RPE - Remote Peripheral Equipment. RQS - The Rate Quote System. This is the TSPS operator's rate/quote system. This is a method your '0' operator gets info without dialing the rate and route operator. The number is KP+009+ST. RSU - Remote Switching Unit. The class 4X office that can have an unattended exchange attached to it. RTA - Remote Trunk Arrangement. SAC - Special Area Code. Separate listing of area codes, usually for special services such as TWX's, WATS, or DIAL-IT services. SCC - Specialized Common Carriers. Common Nxx numbers that are specialized for a certain purpose. An example is the 950 exchange. sectional center - Any class 2 switching office in North America. service monitoring - This is the technical name of phone tapping. SF - Supervision Control Frequency. The 2600 Hz tone which seizes any open trunk, which can be blue boxed off of. short-haul - Also known as a local call. signalling - The process by which a caller or equipment on the transmitting end of a line in: forms a particular party or equipment at the receiving end that a message is to be communicated. Signalling is also the supervisory information which lets the caller know the called know the called party is ready to talk, the line is busy, or the called party has hung up. silver box - Equipment that will allow you to emulate the DTMF tones A,B,C,D. The MF tones are, in hertz, A=697+1633, B=770+1633, C=852+1633, D=941+1633. These allow special functions from regular fones, such as ACD Testing Mode. Skyline - Service owned by IBM, Comsat, and AEtna. It has a local access number in the 950 exchange. The fone number is 950-1088. The code is either a 6 or 8 digit number. This company is alleged to be VERY dangerous. SNA - System Network Architechture, by IBM. A possible future standard of architechture only competed by OSI. SOST - Special Operator Service Treatment. These include calls which must be transferred to a SOST switchboard before they can be processed; services such as conferences, appointments, mobile, etc. SPC - Stored Program Control. Form of switching the US has heavily invested in. Sprint - One of the first LD services, also known as SPC. Sprint owns many extender services and is not considered safe. It is common knowledge that Sprint has declared war on fone phreakers. SSAS - Station Signaling and Announcement System. System on most fortress fones that will prompt caller for money after the number, usually LD numbers, has been dialed, or the balance due before the call will be allowed to connect. stacking tandems - The art of busying out all trunks between two points. This one is very amusing. STart - Pulse that is transmitted after the KP+NPA+Nxx+xxxx through operator or blue boxed calls. This pulse is, in hertz, 1500+1700. station # - The last four digits in any seven digit fone number. STD - Subscriber Trunk Dialing. Mechanism in the United Kingdom which takes a call from the local lines and legimately elevates it to a trunk or international level. step crashing - Method of using a rotary fone to break into a busy line. Example, you use a rotary fone to dial Nxx-xxx8 and you get a busy signal. Hang up and dial Nxx-xxx7 and in between the last pulse of your rotary dial and before the fone would begin to ring, you can flash your switchhook extremely fast. If you do it right, you will hear an enormous "CLICK" and all of a sudden, you will cut into your party's conversation. STPS - Signal Transfer PointS. Associated with various switching machines and the new CCIS system. switchhook - The button on your fone that, when depressed, hangs the fone up. These can be used to emulate rotary dial fones if used correctly. SxS - Step-By-Step. Also known as the Strowger Switch or the two- motion switch. This is the switching equipment Bell began using in 1918. However, because of its limitations, such as no direct use of DTMF and maintenance problems, the fone company has been upgrading since. You can identify SxS switching offices by lack of DTMF or pulsing digits after dialing DTMF, if you go near the CO it will sound like a typewriter testing factory, lack of speed calling, lack of special services like call forwarding and call waiting, and fortress fones want your money first, before the dial tone. TAP - The "official" phone phreak's newsletter. Previously YIPL. T&C - Time and Charge. tapping - To listen in to a phone call taking place. The fone company calls this "service monitoring." TASI - Time Assignment Speech Interpolation. This is used on satellite trunks, and basically allows more than one person to use a trunk by putting them on while the other person isn't talking. Telenet - A computer-oriented system of relay stations which relay computer calls to LD numbers. Telenet has a vast array of access ports accessible at certain baud rates. Tel-Tec - Another LD company that usually give out a weak connection. The format is (800)323-3026,123456,(NPA)Nxx-xxxx. Tel-Tex - A subsidiary of Tel-Tec, but is only used in Texas. The number is *800)432-2071 and the format is the same as above. terminal - A point where information may enter or leave a communication network. Also, any device that is capable of sending and/or receiving data over a communication channel. tip - The green wire found in fone jacks and most fone equipment. The tip is the more positive wire compared to the ring. When looking at a fone plug from the top, lets say the hook side is the top, the tip will be the middle wire on the left. toll center - Any class 4 switching office located in North America. toll point - Any class 4P switching office in North America. Toll LIB - Reverse CN/A bureau. See NON PUB DA for more info. touch tone phone - A phone that uses the DTMF system to place calls. touch tone test - This is another test number the fone company uses. You dial the ringback number and have the fone ring back. Then, when you pick it up, you will hear a tone. Press your touch-tone digits 1-0. If they are correct, the fone will beep twice. trace - Something you don't want any fone company to do to you. This is when the fone company you are phucking with flips a switch and they find the number you are calling from. Sometimes the fone company will use ANI or trap and trace methods to locate you. Then the local Gestapo home in and terminate the caller if discovered. trap and trace - A method used by the FBI and some step offices that forces a voltage through the line and traces simultaneously, which mean that you can't hang up unless the Pheds do, and pray you aren't calling from your own house. Trap and trace is also known as the lock-in-trace. trap codes - Working codes owned by the LD company, not a customer, that, when used, will send a "trouble card" to Ma Bell, no matter what company the card is coming from, and ESS will immediately trace the call. Trap codes have been in use for some time now, and it is considered safer to self-hack codes opposed to leeching them off of BBS's, since some LD companies post these codes on phreak oriented BBS's. Travelnet - Service owned by GM that uses WATS as well as local access numbers. Travelnet also accepts voice validation for its LD codes. TSPS - Traffic Service Position System. Operator that usually is the one that obtains billing information for Calling Card or 3rd number calls, identifies called customer on person-to-person calls, obtains acceptance of charges on collect calls, or identifies calling numbers. These operators have an ANI board and are the most dangerous type of operator. TWX - Telex II consisting of 5 teletypewriter area codes. These are owned by Western Union. These may be reached via another TWX machine running at 110 baud. You can send TWX messages via Easylink (800)325-4122. USDN - United States Digital Network. The US's version of the ISDN network. videotext - Generic term for a class of two-way, interactive data distribution systems with output typically handled as in teletext systems and input typically accepted through the telephone or public data network. WATS - Wide Area Telecommunications Service. These can be IN or OUT, see the appropriate sections. WATS Extender - These are the LD companies everyone hacks and phreaks off of in the 800 NPA. Remember, INWATS + OUTWATS = WATS Extender. white box - This is a portable DTMF keypad. XBAR - Crossbar. Crossbar is another type of switching equipment the fone company uses in some areas. There are three major types of Crossbar systems called No.1 Crossbar (1XB), No.4 Crossbar (4XB), and No.5 Crossbar (5XB). 5XB has been the primary end office switch of MA since the 60's and is still in wide use. There is also Crossbar Tandem (XBT) used for toll- switching. XBT - Crossbar Tandem. Used for toll-switching. See XBAR. YIPL - The classic "official" phreak's magazine. Now TAP. /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ -/- -/- /-/ *> TID-BYTES <* /-/ -/- -/- /-/ by the Informatik Staff /-/ -/- -/- /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /* Unix Fake Mail */ Most good Unix hackers should already know this, but to the up and coming, we feel it important to include this simple, but powerful trick. Telnet to port 25 of the receiving site by 'telnet host.com 25' Once connected, it may or may not require you to type 'helo' [sic] If it doesn't don't. type 'mail from: ' and then your imaginary sender: ex. 'mail from: satan@hell.org' or 'mail from: root@white.house.gob', or some sort, depending of course on your purpose. after you get a sender OK, specify the user to receive the mail: type 'rcpt to: ' and then the appropriate username. next, type 'data' and hit enter. This will start entering the data field of your letter. Enter as follows: From: satan@hell.org (Lord of the Underworld) To: schmuck@anywhere.edu Subject: Your sinning Status: R Your terrible sinning has sparked my interests, we are currently accepting applications for head daemon, 5th level of hell. Please include a photo. Thanks... Satan . The '.' on a line by itself ends the input. Note, that the From, To, Subject, and Status lines should be included for the mail headers to make sense of it. Of course there is the obvious message of: From: root To: loser Subject: your account Status: R Your password is too old, please change it to 'hackme1'. Thanks /* Walgreen's Store Pricing Code */ Ever curious how much stores mark up their goods on you? Well it is quite easy to tell at Walgreen's. On each price tag, you will see a group of letters, in this example say, "ARB". These letters are the key to the stores purchase price. The letters correspond to the positions in the code "BRUSH CLEAN". Here is how it works: BRUSH CLEAN 12345 67890 Simply replace the letters with their appropriate digit, in our example (ARB) it would be 9-2-1, in other words, $9.21 Now if they want you to pay $60.00 for the item, you know you are getting ripped! /* Bar Swindles */ Here are a of fast-one that you can pull in a bar environment: Challenge someone to "Do as I do" wager. Each of you takes a drink. You make a gesture with the glass, as "toasting." Your opponent toasts also. You drink your drink. Your opponent drinks his drink. You salute with the glass again. Your opponent does likewise. You spit a mouthful back in your drink. Chances are your opponent has already swallowed. Take the money and run! /* Interesting Catalogs */ Send for these way-cool publications: Paladin Press PO Box 1307 Boulder, CO 80306 "Publishers of the Action Library." Books on lockpicking, wiretapping, smuggling, assassintaion, guerrilla warfare, and related subjects. Send $2.00 Loompanics PO Box 1197 Port Townsend, WA 98368 "The Greatest Book Catalog In the World"-outlaw publishers who also sell outlaw books... including some by our military. "No more secrets, no more excuses, no more limits." A few of their catagories: Underground economy. Tax avoidance. Fake IDs. Police science. Con games. Self defense. Revenge. Guns. Bombs. Guerrilla warfare. Self-sufficiency. Alternate Energy. Life extension. Drugs. Heresey. Forbidden philosophis. Human pleasure. Send $2 for a HUGE catalog that is a reading experience unto itself!! (%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%) )%( )%( (%) > Hot Flashes < (%) )%( )%( (%) The Underground News Report (%) )%( )%( (%) Edited by: the Informatik Staff (%) )%( )%( (%) October 1991 (%) )%( )%( (%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%)%(%) Teenage Hacker Emulates Hess ---------------------------- [Summary from Computer Weekly, 8th August 1991.] A 16 year old schoolboy named Jamie Moulding has been cautioned by plainclothed police after hacking into a military computer and trying to sell secrets to the USSR. He claims to have read the Ministry of Defense personnel and payroll files. One computer he entered held details of a British Army tank control system. Moulding first incorporated details of the system into his own simulation package, and then phoned the Soviet Union's London embassy to try to sell the information. Next day two policemen turned up at his home and spoke to his parents. Moulding's telephone bills were unwittingly paid by his school. He wrote an autodialer program and an automatic hack program which "planted a command which led to a display of passwords". DEC denied that its systems had been hacked. The police officers were unavailable for comment. Phone Card Scam Cheats Beaumont Residents ----------------------------------------- [Houston Chronicle, Sept. 28, 1991] Several residents have been cheated out of hundreds of dollars by con artists who call, posing as police or phone company employees, and ask for the residents' telephone credit card numbers. Most of the victims are elderly and are eager to cooperate, since they are promised that they will be reimbursed for any long-distance calls. About eight Beaumont residents received extremely high phone bills last month, including one that totaled $1,395, after giving their calling card numbers to the California based con artists, Southwestern Bell spokesman Frank Merriman said. Merriman said the caller identifies himself as a law enforcement officer or a telephone company employee who needs the resident's calling card number to catch a credit card theif or an employee suspected of misconduct. A Beaumont physician, who was not identified, told authorities he gave his number to a man who posed as an FBI agent. The physician later received long-distance bills totaling $1,395 that included calls to Iran, Puerto Rico, Hong Kong, Belgium, and China. The doctor said the man who called him said they had arrested a man in Atlanta who had 19 cards, including his. "He said he has to really arrest this guy, because he's ripping off the public, and that he needs my help." the doctor said. The calls have been traced to a pay phone in Los Angeles, he said. Customers should never give their calling card numbers to anyone over the phone, Merriman said. Southwestern Bell will adjust the charges if the company can prove the customer did not make the calls, he said, but such scams end up costing customers. "It's like shoplifting," he said. "It's a cost, and sombody has to incur it." Security Comes To The Free Software Foundation ---------------------------------------------- [Summary from an article in the Boston Globe, Aug 6, 1991.] The Free Software Foundation (FSF) has been forced to institute security (password) control because "vandals who were able to enter the foundation's system anonymously were not only deleting and trashing files there, but were also entering Internet ... and doing damage in other systems as well."... Michael Bushnell, a programmer at the Free Software Foundation, said the changes are making systems more inconvenient to use and creating an international network that cannot be used without an operator putting himself under surveillance. "There's not a big sharp impact because, over time, so many networks already created security barriers," Bushnell said. Extension of these restrictions..." is kind of like when the last critical-of-the-government newspaper is shut down. After it's gone a while, people notice a difference. An estimated 1,000 to 2,00 persons gained access ... and staff members say they will try to preserve this somehow." "I feel ashamed not having an open system," says [Richard] Stallman, "I feel ashamed having a system that treats everyone as vandals when in fact very few were... Every time I think about this I want to cry." Miser Held in Record Social Security Fraud ------------------------------------------ [Extracted from the article in from the ClariNet news service.] Robert L. Chesney is facing trial in the single biggest Social Security fraud case in U.S. history. He is accused of receiving retirement and disability checks under at least 29 names. Federal agents found 15 boxes and three steamer trunks full of birth certificates, bank statements, Social Security cards and over 200 CA DMV id cards, each with Chesney's picture and a different name. Chesney allegedly gleaned biographical date about public personalities from the library. Pretending to be those people, Chesney would write to their home counties, give their birth dates and other information and ask for copies of their birth certificates. He then took the documents to the DMV and obtained the ID cards with which he applied for the Social Security benefits. SWBT's Responds to the Supreme Court's White Pages Ruling --------------------------------------------------------- [By SWBT Media Relations staff] The following article discusses Southwestern Bell's response to the recent Supreme Court ruling that White Pages Directory Listings generally are not protected by Federal copyright law. Media Relations Report ---------------------- Subject: White Pages Listings Generally Not Protected By Copyright Law, Supreme Court Rules Contact: George Stenitzer White pages directory listings generally are not protected by federal copyright law, the Supreme Court ruled today. The court said that white pages listings are facts that lack the originality required to have copyright protection, although directories as compilations may be copyrighted. The Supreme Court ruled in the case of Feist Publications Inc. versus Rural Telephone Service Co. Feist publishes wide area directories in parts of Kansas, Oklahoma and Texas. When Rural, a small Kansas telephone cooperative refused to license its white pages directory to Feist, Feist extracted listings from Rural's directory without permission. The Supreme Court held that Rural's listings were not entitled to copyright protection, and that Feist did not violate copyright laws by using the listings. This ruling reversed earlier decisions by the District Court and Court of Appeals, and expressly rejected earlier cases holding that directory listings could be copyrighted. Today's ruling means that other firms may use published white pages listings without violating copyright laws. Southwestern Bell Telephone has licensed the use of its white pages listings to directory publishers in both paper and magnetic formats. SWBT's policy is not to license listings to direct marketing firms but today's ruling suggests that direct marketing companies may use published listings without a license. Southwestern Bell Yellow Pages does not license its yellow pages listings. SWBT's licensing of published white pages listings in a paper format represents about $250,000 in annual revenues; these revenues may be affected by the ruling. However, today's ruling does not give other firms free access to SWBT's yet-to-be-published listings, to listings in magnetic form, or to the white pages database itself. If queried, Southwestern Bell will respond as follows: "Of course, we don't think it's fair that other firms can copy our published listings without paying for them." "Most of our white pages listing customers, however, are seeking updated listings in magnetic tape form, not the right to copy listings from directories that have already been published. Our white pages databases are updated continuously, and the Supreme Court did not deal with the unpublished data contained in telephone company databases" Queries will be handled by SWBT's Sherry Smith. Returns for Senders: (US Postal Service handling of forwardings) ---------------------------------------------------------------- [From the July/August issue of the Common Cause Magazine] The U.S. Postal Service - the butt of so many complaints about inefficient service -- is on its toes in one way the average mail recipient might not appreciate. The same system that enables the Postal Service to forward your mail to a new address also alerts scads of direct marketers -- from the folks at your favorite mail-order company to those pesky tricksters who say they have a special gift waiting if only you'll call to your new whereabouts. The system seems to work for better and for worse. For better: You get the mail you want and the Postal Service saves time and money by not delivering mail to the wrong address. For worse: Junk mailers you never wanted to hear from discover your new address and waste no time making use of it. Postal officials insist that they share change-of-address information only with those who already have your old address. Thanks to the large-scale selling and renting of customer lists among direct mail marketers, some companies that never knew you existed will have your particulars. The Postal Service forwards about 2.3 billion pieces of mail a year for the 40 million Americans who move annually, at a cost of some $1 billion, says Bob Krause, director of the Postal Service's National Change of Address (NCOA) system. Meanwhile 19 companies, including some of the largest direct-marketing list management firms, pay the Postal Service an annual fee of roughly $48,000 to receive computerized NCOA updates every two weeks. These "licensees" then provide the updated information to their customers, who pay for address changes for consumers already on their mailing lists. The Post Office places great importance on keeping address-correction information secure, Krause says, and the licensees must follow strict guidelines on what they can do with it. They may not use the information to develop mailing lists. But direct marketers who properly obtain the information from the Post Office or its licensees can make it available to others with impunity. Ann Zeller, vice president for information and special projects of the Direct Marketing Association, concedes that firms can buy names from a direct mailer who has a consumer's new address. Evan Hendricks, editor of the Washington-based Privacy Times newsletter, is "very suspicious" of the system. Without realizing it, individuals who complete change-of-address cards are permanently giving away their addresses to anyone who asks for them," he says, and that should be clearly explained on the card. Of course a change-of-address card is only one of many methods direct mailers have for learning a person's new address. Those who would sell you their wares also mine motor vehicle records, voter rolls, magazine subscription bases, home purchase records and other sources. There is a way out. Individuals who want their names removed from various mailing lists can contact the New York-based Direct Marketing Association, which runs a name and address "suppression" service. But, Krause notes, "If you buy something at your new address from any direct marketer, your name will be on a number of lists within weeks." Inmate, working for TWA, steals credit card numbers --------------------------------------------------- [From September 8, 1991 `Los Angeles Times'] Carl Simmons, a 20-year-old California Youth Authority inmate, working as a TWA telephone reservation agent, stole dozens of customer credit card numbers and used them for thousands of dollars of personal charges. He is now serving two years in state prison for the thefts. TWA has used CYA inmates in a special program since 1986. The story says the program "has been touted as a way to help young criminals learn a trade and repay their debt to society. It has raised more than $500,000 for victims' restitution and the cost of incarceration. And the program's 213 graduates, many of whom now work at airlines and travel agencies, are one-tenth as likely to commit new crimes as nongraduates, CYA officials said." CYA has tightened security, including more frequent searching of rooms and occasional strip-searches. Inmates have always been forbidden from taking pen and paper into the computer room, and now not even instruction manuals can be taken out. But Simmons and another inmate said that won't stop inmates from stealing card numbers or illegally charging airline tickets. Fred Mills of the CYA says, "There's always going to be an exception, but 99.9 times out of a hundred in a program you're not going to get that. For every person we can keep out of the institution for a year, that's saving the state about $31,000. That's the thing we have to look at and balance." One victim, New Hampshire businessman Phillip Parker, said, "I don't want to begrudge someone a chance to make it back into a productive life, but giving them a chance where there's a significant amount of potential for financial fraud or risk -- maybe there's other things that would make more sense." TWA says it will now re-evaluate the program. Network Security Lacking at Major Stock Exchanges ------------------------------------------------- [From Network World, Sep. 16, 1991] "The General Accounting Office (GAO) found a total of 68 computer and network security and control problems at five of the nation's six major exchanges during reviews it conducted this past year for the Securities and Exchange Commissions. The lack of adequate controls at the five stock markets could impair their ability to maintain continuous service, protect critical computer equipment and operations, and process correct information." The worst three in terms of numbers of problems were the Midwest (24), Pacific (18), and Philadelphia (18) exchanges, which were all faulted for their inadequate risk analysis. The biggest problems were in the areas of contingency planning and disaster recovery. The NY and American stock exchanges came off relatively well. Computer Security Breach at Rocky Flats Nuclear Weapons Plant ------------------------------------------------------------- [Associated Press, 9/16/91] Security lapses at the Rocky Flats nuclear weapons plant included the storage of top-secret bomb designs for a week on a VAX accessible from the public phone network. In other instances, workers transferred classified working materials from secure computers to lower security ones, including PCs, because they were tired of constant changes in the secure systems and wanted to work on familiar systems. Head of DOE operations at Rocky Flats Bob Nelson said that the agency started last year a $37M program to correct security problems, following the recommendations of outside security experts. Nelson also said that the unclassified VAX was used by employees working from home, but that if someone tries to break in "bells and whistles go off" According to other documents obtained by the AP, other DOE computers had been found to be vulnerable to break-ins. Virus Halted Government Computers in South China ------------------------------------------------ HONG KONG, Sept 16 (AFP) - A spate of computer virus attacks put computers in more than 90 Chinese governmental departments out of order, prompting the authorities to have all software checked by police, a official Chinese news agency reported here Monday. More than 20 kinds of the rogue disruptive programs hit more than 75 percent of the offices' computers in southern China's Guangdong province, the Hong Kong China News Service said. The provincial public security bureau had ordered all government units not to use software from unknown origin or software which had not been inspected by the bureau. In addition, units or individuals were banned from engaging in the study of computer viruses, or to hold training courses on them. The new regulations forbid the sale of software capable of neutralizing the viruses. The report said the public security bureau had set up a testing department for all software against the computer viruses. AT&T Phone Failure Downs Three New York Airports For Four Hours --------------------------------------------------------------- [N.Y. Times, Sep 18, 1991.] Operations at all three New York airports ground to a standstill from 5pm until 9pm yesterday [Sep 17, 1991] when an AT&T internal power failure at a Manhattan 4-ESS switching center knocked out long distance calls in and out of the city. Neighboring commercial power was unaffected. The 4-ESS system is used to route calls between AT&T's long-distance network and the local companies. The air traffic control centers use a network of radio towers linked by phone lines. Although the precise origin of Tuesday's problems remained unclear, the extent of the difficulties provided yet another example of how dependent today's telephone networks are on a few pieces of equipment. In recent years, AT&T and other companies have gone to great lengths to emphasize the back-up capacity and redundancy of their systems. Yet the long-distance carrier was unable to reroute all traffic to other gateways for several hours after the problems first became apparent. Calls were redirected to the two remaining gateways, but those could not handle that much increased traffic. Midwest Stock Exchange Reaps Millions Due to Accounting Glitch -------------------------------------------------------------- [Summary from Chicago Tribune Business Section, 9-20-91] The Chicago Tribune reports that leaders of the Midwest Stock Exchange had discovered a 13-year-old accounting glitch which enabled a subsidiary to wrongfully reap millions of dollars in interest payments which should have gone to broker-dealers. While the exact amount of money received by the subsidiary due to the error was not disclosed, the chairman of the exchange said that he estimated that over the last twelve months, the firm received around 1.8 million dollars. The accounting error, due partly to human error and partly the fault of computers, apparently dates back to about 1978. At that time, the exchange and two of its subsidiaries, Midwest Clearing Corp. and Midwest Securities Trust Co., altered the way certain broker-dealer transactions were handled. Clearing Corp. instituted a change, largely computerized, ordering broker-dealers to wire money to it for the sale of securities before the securities were received by Securities Trust Company. By depositing these funds in short-term, government-backed securities, sometimes overnight but also for longer periods, Clearing Corp. generated for itself interest payments which should have gone to the broker-dealers. This is referred to as "playing the float." When the clearing system is working properly, the securities and proceeds are transmitted through the system simultaneously, thus eliminating such a float. The Midwest Stock Exchange insists that they are taking the situation very seriously, and plan to pay the money back. Some exchange members are concerned that the money used for the refund will come in the form of higher exchange rates, putting the exchange at a serious competitive disadvantage. SWBT sends off first 'cross-country' ISDN call ---------------------------------------------- [This Week, by Southwestern Bell Telephone] The nation's first "cross-country" public network ISDN was placed last week, courtesy of SWBT. The historic first call was the result of a two-year joint effort among SWBT, BellSouth Corp., US Sprint and Bellcore. SWBT's Advanced Technology Lab originated the call, which used US Sprint's digital facilities in Burlingame, Calif. The call terminated at a BellSouth switch in Atlanta, Ga. Using an ISDN video application, SWBT's trial director Ken Goodgold was able to see and talk to BellSouth's David Collins. "With this test, the geographic limits of ISDN-based services were stretched from a few miles to cross-country," Goodgold says. "We began with protocol testing and service verification, two key parts of the process," Goodgold says. "That required an extremely complex series of technical tests. The Advanced Technology Lab staff worked for months performing the tests leading up to the first successful call." Last week's test call was significant from a marketing perspective as well as a technical one. That's because it demonstrated the economic benifits of using ISDN for video information. "The cost of a long distance call is approximately the same, whether it's a voice transmission using a regular phone line or a video transmission using ISDN," Goodgold says. "That means a big reduction in cost to arrange a videoconference." US Sprint joined the test because ISDN has evolved beyond the local stage, says Terry Kero, the carrier's director of InfoCom Systems Development Labs. "After today, it will be technically possible to make an ISDN call across the country just as it is possible today to make a regular long distance call," Kero says. Computer Hacker Cited --------------------- [Houston Chronicle Sept. 25, 1991] WASHINGTON--A Colorado computer hacker has been charged with breaking into the National Aeronautics and Space Administration's computer system seven times last year, the Justice Department said. Richard Wittman, 24, of Aurora, Colo., allegedly "altered, damaged and destroyed information" in the space agency's computer system twice, the department said. He was charged with illegally gaining access to the NASA computer system and to its computers at the Marshall Space Flight Center in Huntsville, Ala., and the Goddard Space Flight Center in Greenbelt, Md. If convicted on all charges, he faces a maximum penalty of 15 years in prison and a $1 million fine. /* End; Volume I, Issue 001 */